Skip to content

Authenticate using Smart Cards or other PKCS11 compliant Devices

Use this procedure to configure Reflection X Secure Shell sessions to authenticate using PKCS#11-compliant hardware devices such as smart cards or USB tokens.


PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA laboratories that enable compatibility among public key cryptography implementations. Different PKCS standards identify specifications for particular cryptographic uses. Reflection X uses the following PKCS standards:

  • PKCS#5 is used to provide password-based encryption for private keys stored in the Reflection X database.

  • PKCS#11 provides support for authentication using hardware devices, such as smart cards or USB tokens.

  • PKCS#12 is used for storage and transportation of certificates and associated private keys. Files in this format typically use a *.pfx or *.p12 extension.

The Secure Shell server administrator must configure the server to accept and validate user certificates. The procedure depends on the server. Refer to the Secure Shell server documentation for details.

Before you begin

Install the software supplied by your card or token provider. You will need to know the name and location of the library file (*.dll or *.so) used by that provider to provide access to your hardware device. On Windows, this is typically installed to the Windows system folder. You may need to contact the device manufacturer to determine the correct file.

To configure authentication using a smart card or other PKCS#11-compliant device

  1. Launch X Manager or X Manager for Domains.

  2. From the Tools menu, select Secure Shell User Keys.

  3. Next to User Key Sources click the plus sign (+) and select Add PKCS#11 Provider.

    An item called "PKCS#11 Provider" is added to your list of certificate stores. You can edit this provider name.

  4. For Library, specify the full path to the library file (*.dll or *.so) used by your device software.

    Note: Use 8.3 paths to specify the library path. This requirement provides a workaround for a known issue in Java.


    • In order to view the certificates or authenticate with your device, you will need to enter information (such as a PIN) required by the provider.

    • The first time you make a connection, you see two entries to authenticate with your device. The first entry is for authentication using the certificate in your device. The second entry is for standard public key authentication using the public key associated with that certificate. Authentication using the public key entry requires that your key be added to the server's list of authorized keys.

More information

Back to top