6.5.2 Enabling and Disabling Use of the Windows Certificate Store

Reflection Secure Shell and SSL/TLS sessions support the use of digital certificates An integral part of a PKI (Public Key Infrastructure). Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted. for both host and user authentication. Reflection applications can be configured to authenticate using only those certificates located in Reflection store, or using both the Windows and the Reflection store.

Host authentication

Enabling use of the Windows certificate store means that you may not need to import the certificates used for host authentication. If your host certificates were acquired from a well-known Certification Authority A server, in a trusted organization, which issues digital certificates. The CA manages the issuance of new certificates and revokes certificates that are no longer valid for authentication. A CA may also delegate certificate issuance authority to one or more intermediate CAs creating a chain of trust. The highest level CA certificate is referred to as the trusted root. (CA), such as VeriSign or Thawte, a certificate identifying the issuer as a trusted CA should already be included in the Trusted Root Certification Authorities list on your system. When use of the system store is enabled, Reflection clients look for certificates in both the Reflection and the system store.

Disabling use of the Windows certificate store enables you to have greater control over which certificates are used for authentication. Certificates can be added to the Windows store in a variety of ways, and you may not want to allow use of all of these certificates for authenticating Reflection sessions. When use of the Windows store is disabled, only those certificates you have imported into the Reflection store are used for host authentication.

To enable (or disable) host authentication using certificates in the Windows store:

  1. Open the Reflection Certificate Manager.

  2. Click the Trusted Certificate Authorities tab.

  3. Select (or clear) Use System Certificate Store for SSH connections and/or Use System Certificate Store for SSL/TLS connections.

User authentication

Reflection uses personal certificates in the Windows store and the Reflection store in the same way. Available personal certificates include those in the Windows personal store, the Reflection personal store, and certificates on configured hardware tokens (for example smart cards).

  • If you have configured a Reflection Secure Shell session, you must specify which certificates to use for user authentication from the User Keys tab in the Secure Shell settings dialog box.

  • If you have configured a Reflection SSL/TLS session, all certificates located in either store are automatically available for user authentication.