Skip to content

Managing Certificates

You can use the Management and Security Server (MSS) to effectively manage the certificates used by your secure Reflection Desktop sessions.

Certificates and Certificate Stores

Certificates are used in the authentication process. When a user connects, the host presents its certificate to the client, and the client checks the certificate against its store of trusted certificates to authenticate the host. If the certificate or its trust anchor is trusted, the transaction proceeds. If not, the client may either reject the transaction or present the user with a warning.


Digital certificates (also called X.509 certificates) are issued by a certificate authority (CA), which ensures the validity of the information in the certificate. Each certificate contains identifying information about the certificate owner, a copy of the certificate owner's public key (used for encrypting and decrypting messages and digital signatures), and a digital signature (generated by the CA based on the certificate contents). The digital signature is used by a recipient to verify that the certificate has not been tampered with and can be trusted.

Problems with Securely Deploying Certificates to Users

When authentication relies on a local certificate store, the certificate required to validate a host's certificate must be deployed to users and added to the system's certificate store. Securely deploying these certificates to users presents challenges, especially in large organizations where new users are frequently added:

  • Required certificates must be deployed to each user and added to the user's local certificate store.

  • Certificates must be replaced when they expire or are revoked by the certificate authority (CA) that issued them.

  • If new certificates are not deployed when certificates expire or are revoked, users can be denied access to host applications.

MSS Allows You to use and Replace Certificates Without Deploying Them to Users

MSS allows you to add new certificates and replace expired or revoked certificates without needing to deploy certificates. When using MSS to manage certificates, you don't need to deploy certificates to users because MSS contains the required certificates in a managed certificate store that resides on the MSS server. When a Reflection session is configured to enable certificate management, the client uses this managed store to authenticate the host instead of using the system's certificate store.

You can use MSS to manage certificates for IBM3270 and IBM5250 sessions that are centrally managed by MSS and configured to connect using SSL/TLS.

Setting up Sessions to use Managed Certificates

These instructions show how to add the required certificate to the MSS managed certificate store, configure Reflection Desktop to enable certificate management, and create a managed secure session.

Add a Certificate to the MSS Store

  1. Identify and obtain the trust anchor certificate required to authenticate the host.

  2. Add the trust anchor certificate to the MSS certificate store for terminal emulator clients. Follow the instructions in the Certificate Store - Terminal Emulator Clients section under the Trusted Certificates topic in the Management and Security Administrator Guide. You can find the latest version of this guide at

Configure Reflection Desktop for Certificate Management

This global setting establishes a connection between the client and the MSS Administrative Server, and specifies that all sessions managed by MSS use the managed certificate store on MSS instead of a local certificate store.

  1. On the File menu, open the Reflection Workspace Settings.

  2. Click Configure Centralized Management.

  3. Select Enable Centralized Management.

  4. Enter the Server URL for your MSS Administrative Server and click OK.

  5. Select Enable certificate management.


    This setting specifies that sessions managed by MSS use the managed certificate store on MSS instead of a local certificate store.

Create a Managed TLS Session

  1. Follow the instructions to Add and launch a session for Reflection/InfoConnect Desktop in the Management and Security Administrator Guide. You can find the latest version of this guide at

  2. After Reflection Desktop opens on your workstation, enter the host address and port, and then select Configure additional settings.

  3. Click Security Settings.

  4. In the Security Properties dialog box, select Use SSL/TLS Security.