Skip to content

Configure User Certificate Authentication

User certificate authentication (a variation of public key authentication) is an optional feature of the Secure Shell protocol. Both X Manager and the Secure Shell server need to be configured to support this.

You can configure Reflection X to authenticate using any of the following:

  • Certificates you have imported into the Reflection X database.

  • Personal certificates in the Windows Certificate Store.

  • Certificates stored on PKCS#11-compliant hardware devices such as smart cards or USB tokens.


PKCS (Public Key Cryptography Standards) is a set of standards devised and published by RSA laboratories that enable compatibility among public key cryptography implementations. Different PKCS standards identify specifications for particular cryptographic uses. Reflection X uses the following PKCS standards:

  • PKCS#5 is used to provide password-based encryption for private keys stored in the Reflection X database.

  • PKCS#11 provides support for authentication using hardware devices, such as smart cards or USB tokens.

  • PKCS#12 is used for storage and transportation of certificates and associated private keys. Files in this format typically use a *.pfx or *.p12 extension.

The procedures in this section describe how to configure Reflection X for each of these certificate stores. After you complete the procedure, you can connect to hosts that have been configured to support certificate authentication.


  • To help ensure security, you should always specify a passphrase when you use certificates for user authentication. You will need to enter the passphrase each time you connect to the host.

  • If you have multiple certificates configured, the first time you connect to a host you may be prompted to select a certificate from a list of available certificates. After your first successful connection, Reflection X will automatically attempt subsequent connections using the same certificate.

More information

Back to top