Configuring PKI in a Windows Environment (2024)

  • Document ID: 7021873
  • Creation Date: 04-Mar-2010
  • Modified Date: 01-Apr-2018
  • Micro Focus Products:

      Reflection for Secure IT Client and Server for UNIX

      Reflection for Secure IT Client for Windows

      Reflection for Secure IT Gateway

      Reflection for Secure IT Server for Windows

      Reflection PKI Services Manager

Environment

Reflection PKI Services Manager version 1.2 or higher
Reflection for Secure IT Windows Server version 7.2 or higher
Reflection for Secure IT Web Edition version 8.1 or higher

Situation

The example in this technical note provides basic steps to configure PKI in a Windows environment. Use this information as a starting place to understand how to configure PKI for your environment.

Resolution

Configuring PKI in a Windows Environment – An Example

Configuring PKI is a multi-step process:

A. Configure the PKI Services Manager
B. Configure the server (or clients) to use the PKI Services Manager validation services
C. Configure the clients (or server) to authenticate using certificates

Note: The example in this technical note provides basic steps to configure PKI on Windows Server 2008. Use this information as a starting place to understand how to configure PKI for your environment.

A. Configure the PKI Services Manager

The following steps use a Windows PKI Services Manager and a Local Store for the CA Certificate Trust Anchor and CRL checking. When configuring the PKI Services Manager, you must be logged in as an administrator.

  1. Launch the Reflection PKI Services Manager console (Start > All Programs > Attachmate Reflection > PKI Services Manager).

Note: On Windows, starting the console or the service for the first time initializes PKI Services Manager. This creates the required data folders and default settings files.

  2. On the Server menu, click Start to start the PKI Services Manager server. (The PKI Services Manager service also starts automatically when you restart Windows.)
  3. Download a CA certificate (*.cer) to the server running the PKI Services Manager and copy that certificate to the Reflection PKI local store, which is typically located in the following location:

C:\ProgramData\Attachmate\ReflectionPKI\local-store

  4. Download the CRL file(s) (*.crl) to the same local store folder. URL paths for the CRL Distribution Points are normally listed on the Details tab of the certificate:

Figure 1 - Identifying URL Paths for the CRL Distribution Points

  5. In the PKI Services Manager Console, click the Local Store pane. The contents of the default local store are listed by default. You should see the certificates and CRLs you placed in this store.

Figure 2 - Sample Path to Local Store

  6. Click the Trusted Chain pane. Under Trust Anchors, click Add. Leave "Local store certificate" selected and click Browse. Select the CA certificate you want to use as the Trust Anchor. Click OK twice. At this point, settings can be saved since a Trust Anchor has been established.
  7. Click the Revocation pane and ensure that the Local Store is selected, since the Certificate Revocation List (CRL file) resides there (see the CRL download step above).
  8. Click the Identity Mapper pane, which is used to define rules that map certificates to identities. There are separate procedures for mapping user certificates and for mapping server certificates.

Mapping User Certificates:

    1. Click Add. From the first drop-down list, select "User Certificate (identifies a user to a server)".

Select the “Apply this rule only to this server” check box and enter the server name, for example, winserv1. (Do not use the server’s DNS host name).

Note: This step is required if you are using Windows local accounts. You may skip this step if you are using Windows domain accounts.

    2. Specify one or more identities for the mapped certificate using a comma-separated list in the field provided, for example:

<domain name1>\<username1>,<domain name1>\<username2>

    3. Specify how the contents of the certificate affect authentication:

- Enable "Allow authentication if the following condition is met."

- Select "Subject Common Name" from the first drop-down list.

- Select "Contains" from the second drop-down list.

- In the third field, enter a value found for Subject when viewing details of the client certificate.

- Click OK. The rule will display as follows:

User-address=winserv1

{<domain name1>\<username1>,<domain name1>\<username2>}Subject Contains <Value>.

Note: The status bar will display the rule as you build it.

Figure 3 - Sample Mapped User Certificate

Mapping Server Certificates:

    1. Click Add. Select “Host Certificate (identifies a server to a user)”.
    2. Specify one or more identities for the mapped certificate using a comma-separated list in the field provided, for example:

ServerIPAddress, ServerName

    3. Specify how the contents of the certificate affect authentication:

- Enable "Allow authentication if the following condition is met."

- Select "Subject Common Name" from the first drop-down list.

- Select "Contains" from the second drop-down list.

- In the third field, enter a value found for Subject when viewing details of the client certificate.

- Click OK. The rule will display as follows:

host

{<ServerIPAddress>, <ServerName>} Subject.CN Equals <Value>.

Figure 4 - Sample Mapped Server Certificate

  9. Click File > Save. This updates the configuration files.
  10. Click Server > Reload. This ensures that the server is using the current settings.
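A check worth running after the local-store steps in section A (copying the CA certificate and CRL files into the folder) and before saving the Trust Anchor and Revocation settings. This is an added example, not code from the tech note or from the product: it lists each CA certificate's subject, expiry and CRL Distribution Point URLs (the same URLs the note says to read from the Details tab) and flags any CRL whose NextUpdate has passed. The local-store path is the default quoted in the note; the use of certutil.exe and the regexes over its output are assumptions.

```powershell
# Added example; not from the Micro Focus tech note. Inspect the PKI Services Manager
# local store before saving Trust Anchor and Revocation settings.
# Assumptions: the default local-store path from the note; certutil.exe (shipped with
# Windows) is on the PATH; the regexes rely on certutil's English output layout.
$LocalStore = 'C:\ProgramData\Attachmate\ReflectionPKI\local-store'

function Get-LocalStoreCertInfo {
    param([string]$Path = $LocalStore)
    Get-ChildItem -Path $Path -Filter '*.cer' | ForEach-Object {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($_.FullName)
        # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders its URLs
        $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $urls = @()
        if ($cdpExt) {
            $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        }
        [pscustomobject]@{
            File       = $_.Name
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # a root Trust Anchor is self-signed
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
            CdpUrls    = ($urls -join '; ')
        }
    }
}

function Get-LocalStoreCrlInfo {
    param([string]$Path = $LocalStore)
    Get-ChildItem -Path $Path -Filter '*.crl' | ForEach-Object {
        # certutil -dump prints the CRL issuer and its ThisUpdate/NextUpdate validity window
        $dump   = & certutil.exe -dump $_.FullName | Out-String
        $issuer = [regex]::Match($dump, 'Issuer:\s*\r?\n\s*(.+)').Groups[1].Value.Trim()  # first RDN line
        $next   = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        $nextDt = [datetime]::MinValue
        $parsed = [datetime]::TryParse($next, [ref]$nextDt)
        [pscustomobject]@{
            File       = $_.Name
            Issuer     = $issuer   # should match the Subject of the Trust Anchor certificate
            NextUpdate = $(if ($parsed) { $nextDt } else { $null })
            # a CRL past NextUpdate cannot satisfy revocation checking; refetch it from the CDP URL
            Stale      = (-not $parsed) -or ($nextDt -lt (Get-Date))
        }
    }
}

Get-LocalStoreCertInfo | Format-List
Get-LocalStoreCrlInfo  | Format-List
```

Any certificate reported as Expired, or CRL reported as Stale, will cause validation through PKI Services Manager to fail until the file is replaced.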

B. Configure the server (or clients) to use the PKI Services Manager validation services

To use PKI Services Manager for validation, you must configure the application to connect to your configured PKI Services Manager. The following steps use the Reflection for Secure IT Server for Windows as an example.

  1. Launch the Reflection for Secure IT console (Start > All Programs > Attachmate Reflection > Reflection SSH Server Configuration).
  2. Click the Configuration tab and go to Authentication > Public Key > Certificates.
  3. The server is configured by default to connect to a PKI Services Manager on the local host. Click Edit. For PKI server, specify your PKI Services Manager host name or IP address.
  4. Click Retrieve public key. A dialog box displays with the PKI Services Manager key fingerprint. (You can confirm this fingerprint from the PKI Services Manager console by clicking Utility > Public Key.) Click Yes to accept this key, then save the key to the default location.
  5. Click OK to close the PKI Configuration dialog box.

Figure 5 - Sample PKI Server Configuration

  6. Click the Save button or click File > Save Settings to save the PKI settings.

For information about configuring Reflection for Secure IT Web Edition, see the Administrator's Guide, which is available from https://support.microfocus.com/manuals/rsit-web-edition.html. In the User Manager Administration chapter, find the section titled "Configure Certificate Authentication."

For information about configuring Reflection for Secure IT for UNIX, see the User Guide, which is available from https://support.microfocus.com/manuals/rsit_unix.html. Find the sections titled "Configure Certificate Authentication for Users" and "Configure Server Certificate Authentication."

C. Configure the clients (or server) to authenticate using certificates

For instructions about configuring the Reflection for Secure IT clients and servers to authenticate using certificates, see the appropriate product documentation:

For Reflection for Secure IT Client for Windows documentation, see https://support.microfocus.com/manuals/rsit_win_client.html.

For Reflection for Secure IT Server for Windows documentation, see https://support.microfocus.com/manuals/rsit_win_server.html.

For Reflection for Secure IT Client or Server for UNIX documentation, see https://support.microfocus.com/manuals/rsit_unix.html.

Additional Information

Reflection PKI Services Manager Technical Resources:

https://support.microfocus.com/product/?prod=PKID

Reflection for Secure IT Server for Windows Technical Resources:

https://support.microfocus.com/product/?prod=RSS-WN

Reflection for Secure IT Client for Windows Technical Resources:

https://support.microfocus.com/product/?prod=RSC-WN

Reflection for Secure IT Client and Server for UNIX Technical Resources:

https://support.microfocus.com/product/?prod=RSITCSUX

Reflection PKI Services Manager Supported Platforms: KB7021871

Legacy KB ID

This document was originally published as Attachmate Technical Note 2490.

© Micro Focus. Please see Terms of Use applicable to this content.