
Technical Notes

Configuring Reflection for Secure IT to Use a Certificate in the Microsoft Personal Certificate Store
Technical Note 2379
Last Reviewed 13-Nov-2008
Applies To
Reflection for Secure IT Windows Server version 6.1 Service Pack 2 or higher
Summary

By default, Reflection for Secure IT Windows Server uses public key server authentication; however, the Reflection server can also be configured to use a certification authority (CA) certificate on the server or a CA certificate stored in the local computer's personal certificate store. This technical note explains how to import a CA certificate into the local computer's personal certificate store, with export private key capabilities enabled, so it can be accessed by Reflection for Secure IT.

Note the following:

  • Only CA certificates residing in the Local Computer > Trusted Root Certification Authorities store are available for selection to use as trust anchors for user certificate validation. By default, Windows automatically makes any certificates residing in this store available to all users of the computer.
  • You must have Administrative rights to perform these steps.
  • You must have a CA certificate in *.pfx or *.p12 format available to import.
  • For DoD PKI (Public Key Infrastructure) compliance, Reflection must be configured to use the SSH server's certificate store, not the Microsoft certificate store.

For more detailed information about server authentication options, see the Server Authentication section of the Reflection for Secure IT Windows Server User Guide: http://docs.attachmate.com/reflection/rsit-ssh/7.0SP1/winserver/en/help/.

Import a Certificate to the Microsoft Certificate Store

Follow these steps to import a certificate to the Microsoft Certificate Store as a Trusted Root Certification Authority.

  1. Click Start > Run.
  2. In the Open field, enter mmc, and then click OK.
  3. In the Microsoft Management Console (Console1) window, click File > Add/Remove Snap-In.
  4. In the Add/Remove Snap-in dialog box, click Add.
  5. In the Snap-in column, select Certificates, and then click Add.
  6. Select "Computer account," and then click Next.
  7. Select "Local computer: (the computer this console is running on)," and then click Finish.
  8. Click Close, and then click OK.
  9. In the Console1 window, under Console Root, expand Certificates (Local Computer).
  10. Right-click the Personal folder, and click All Tasks > Import.
  11. In the Certificate Import Wizard, click Next.
  12. Click Browse, select the certificate, in the Files of type drop-down menu, select Personal Information Exchange (*.pfx,*.p12), and then click Open.
  13. Click Next.
  14. Leave the Password field blank.
  15. Select the "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" check box and then click Next.
  16. Click Next (accept the default certificate store), and then click Finish. When notified that the import was successful, click OK.

You should now see the certificate in the Console Root > Certificates (Local Computer) > Personal folder.
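
The same import can be scripted and then checked from PowerShell. This is an added example, not part of the original technical note or any Attachmate tooling; it assumes an elevated session on a Windows version that provides the Import-PfxCertificate cmdlet, an RSA key pair, and a placeholder file path. The helper name Test-PrivateKeyExportable is hypothetical.

```powershell
# Added example; not from the original technical note.
# Assumptions: elevated PowerShell session, PKI module available,
# RSA key pair, PFX with a blank password (as in the steps above).
$PfxPath = 'C:\temp\server-cert.pfx'   # placeholder path

# Import into Local Computer > Personal with the key marked exportable.
# -Password is omitted because the PFX has no password.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Exportable
"Imported: $($imported.Subject) [$($imported.Thumbprint)]"

# Hypothetical helper: reports whether a certificate's RSA private key
# is present and flagged exportable by its key storage provider.
function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert.HasPrivateKey) { return $false }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: exportability is a flag in the key's export policy.
        $allow = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
        return (([int]$rsa.Key.ExportPolicy -band $allow) -ne 0)
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key: the container info exposes the flag directly.
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $false   # non-RSA or unrecognized key type: not evaluated here
}

# List every certificate in Local Computer > Personal with its key status.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        Exportable    = Test-PrivateKeyExportable -Cert $_
    }
} | Format-Table -AutoSize
```

A row showing HasPrivateKey True and Exportable False is the condition behind the "doesn't contain an exportable private key" error that the server configuration tool reports.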

Configure the Server's Host Certificate Identity

Once the certificate is available in the local computer's personal certificates store, follow these steps to configure Reflection for Secure IT to use this local certificate.

Version 7.x

  1. Open Reflection SSH Server Configuration. (Click Start > Programs > Attachmate Reflection.)
  2. On the Identity tab, select the "Use the local computer certificate from the Windows certificate store" radio button.

Note: If you have not yet followed the steps to Import a Certificate to the Microsoft Certificate Store, the following error is displayed when you select the radio button:

"The computer certificate in the system certificate store doesn't contain an exportable private key. Please add a new certificate with an exportable private key to the system certificate store."

  3. Click File > Save Settings.
  4. Stop and restart the Reflection for Secure IT Server.

Versions 6.1 SP2 - 6.1 SP4

  1. Open Reflection SSH Server Configuration. (Click Start > Programs > WRQ Reflection.)
  2. Under Server Settings, select Identity.
  3. On the Identity panel, in the Host certificate section, click the Import button next to "Import System Certificate".
  4. In the Import System Certificate dialog box, select the certificate and then click OK.
  5. Click Apply.
  6. Stop and restart the Reflection for Secure IT Server.
Related Technical Notes
1873 Using SSH-Certtool to Generate Certificate Requests and Configuring Certificate Authentication for Reflection for Secure IT Windows Server
1999 Reflection for Secure IT Technical Notes
