Configuring Reflection for Secure IT to Use a Certificate in the Microsoft Personal Certificate Store
Technical Note 2379
Last Reviewed 09-Nov-2012
Applies To
Reflection for Secure IT Windows Server version 7.0 or higher
Summary
By default, Reflection for Secure IT Windows Server uses public key server authentication; however, the Reflection server can also be configured to use a certificate file on the server or a certificate stored in the local computer's personal certificate store. This technical note explains how to import a CA certificate into the local computer's personal certificate store with the private key marked as exportable, so that Reflection for Secure IT can access it.
Note the following:
- The information in this technical note is only applicable if, in your environment, you do not want to store the certificate in the Reflection Certificate Store.
- You must have Administrative rights to perform these steps.
- You must have a CA certificate in *.pfx or *.p12 format available to import.
- Reflection for Secure IT requires that the private key and certificate selected for host authentication be present in (or imported to) the Local Computer | Personal store, and that the private key be marked as exportable.
- For DoD PKI (Public Key Infrastructure) compliance, Reflection must be configured to use the SSH server's certificate store, not the Microsoft certificate store.
For more detailed information about server authentication options, see the Server Authentication section of the Reflection for Secure IT Windows Server User Guide, which is available from http://support.attachmate.com/manuals/rsit_win_server.html.
Import a Certificate to the Microsoft Certificate Store
Follow the steps below for the appropriate server:
Windows Server 2008
Follow these steps to import a certificate to the Windows Server 2008 Microsoft Certificate Store as a Trusted Root Certification Authority.
- Click Start > Run.
- In the Open field, enter mmc, and then click OK.
- In the Microsoft Management Console (Console1) window, click File > Add/Remove Snap-In.
- In the Add/Remove Snap-in dialog box, under Available snap-ins, select Certificates and then click Add.
- Select "Computer account," and then click Next.
- Select "Local computer: (the computer this console is running on)," and then click Finish.
- Click OK.
- In the Console1 window, under Console Root, expand Certificates (Local Computer).
- Right-click the Personal folder, and click All Tasks > Import.
- In the Certificate Import Wizard, click Next.
- Click Browse. In the Files of type drop-down menu, select Personal Information Exchange (*.pfx,*.p12), select your *.pfx or *.p12 certificate, and then click Open.
- Click Next.
- In the Password window, enter the password if the private key is protected by one. Make sure that the "Mark this key as exportable. This will allow you to back up or transport your keys at a later time." check box is selected.
- Click Next (accept the default certificate store), and then click Finish. When notified that the import was successful, click OK.
You should now see the certificate in the Console Root > Certificates (Local Computer) > Personal > Certificates folder.
Windows Server 2003
Follow these steps to import a certificate to the Windows Server 2003 Microsoft Certificate Store as a Trusted Root Certification Authority.
- Click Start > Run.
- In the Open field, enter mmc, and then click OK.
- In the Microsoft Management Console (Console1) window, click File > Add/Remove Snap-In.
- In the Add/Remove Snap-in dialog box, click Add.
- In the Snap-in column, select Certificates, and then click Add.
- Select "Computer account," and then click Next.
- Select "Local computer: (the computer this console is running on)," and then click Finish.
- Click Close, and then click OK.
- In the Console1 window, under Console Root, expand Certificates (Local Computer).
- Right-click the Personal folder, and click All Tasks > Import.
- In the Certificate Import Wizard, click Next.
- Click Browse. In the Files of type drop-down menu, select Personal Information Exchange (*.pfx,*.p12), select your *.pfx or *.p12 certificate, and then click Open.
- Click Next.
- In the Password window, enter the password if the private key is protected by one.
- Select the "Mark this key as exportable. This will allow you to back up or transport your keys at a later time" check box and then click Next.
- Click Next (accept the default certificate store), and then click Finish. When notified that the import was successful, click OK.
You should now see the certificate in the Console Root > Certificates (Local Computer) > Personal folder.
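The same import as the wizard steps above, done from PowerShell, as an added example that is not part of this technical note or of Reflection for Secure IT. The file path and password are assumed placeholder values. The three X509KeyStorageFlags map onto the wizard choices (Computer account, "Mark this key as exportable", keep the key after import), and the final function reports whether the stored certificate meets the requirement this note states: present in Local Computer | Personal with an exportable private key, which is the condition behind the 7.0 error message this note quotes.

```powershell
# Added example, not part of the technical note or of Reflection for Secure IT.
# Imports a *.pfx / *.p12 file into Local Computer > Personal with the private
# key marked exportable, then verifies the result.
# $PfxPath and $PfxPassword are assumed placeholders; replace them with your own.
# Use '' for $PfxPassword if the file is not password protected.
$PfxPath     = 'C:\certs\sshhost.pfx'
$PfxPassword = 'REPLACE_WITH_PFX_PASSWORD'

# Storage flags corresponding to the wizard choices in this note:
#   MachineKeySet -> "Computer account" / Local Computer store, not the user's
#   Exportable    -> "Mark this key as exportable" check box
#   PersistKeySet -> keep the key container on disk after this script exits
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] `
         'MachineKeySet, Exportable, PersistKeySet'

# Load the PFX; the private key is written to the machine key container here.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $PfxPassword, $flags

# Add the certificate to Local Computer > Personal ("My").
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store `
         -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)      # no-op if an identical certificate is already present
$store.Close()

function Test-ReflectionHostCertificate {
    # Returns a one-line verdict on whether the certificate identified by
    # $Thumbprint satisfies the requirement stated in this note.
    param([string]$Thumbprint)

    $stored = Get-ChildItem Cert:\LocalMachine\My |
              Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $stored)               { return 'FAIL: not found in Local Computer\Personal' }
    if (-not $stored.HasPrivateKey) { return 'FAIL: certificate has no private key' }

    # .PrivateKey exposes CryptoAPI (CSP) keys, which is what the import above
    # creates on the Windows versions this note covers. CNG-only keys are not
    # visible through this property, so report them as unknown rather than bad.
    $info = $stored.PrivateKey.CspKeyContainerInfo
    if (-not $info)            { return 'UNKNOWN: key is not a CryptoAPI key; check the store manually' }
    if (-not $info.Exportable) { return 'FAIL: private key is not marked exportable' }

    return ('OK: {0} present with exportable private key ({1})' -f $stored.Subject, $stored.Thumbprint)
}

Test-ReflectionHostCertificate -Thumbprint $cert.Thumbprint
```

Run the script in an elevated PowerShell session, since writing to the Local Computer store requires administrative rights, as the note states. A 'FAIL: private key is not marked exportable' result means the key was imported without the Exportable flag (or without the wizard's check box) and the certificate must be removed and re-imported; the flag cannot be added to an existing key container.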
Configure the Server's Host Certificate Identity
Once the certificate is available in the local computer's personal certificates store, follow these steps to configure Reflection for Secure IT to use this local certificate.
Note: If you use host certificates in your environment, we recommend that you upgrade to version 7.1 or higher.
Version 7.x or Higher
- Open Reflection SSH Server Configuration. (Click Start > Programs > Attachmate Reflection.)
- On the Identity tab, select the "Use the local computer certificate from the Windows certificate store" radio button.
  In 7.2 or higher, first select "Use host certificate" to enable the certificate options, and then select the "Use the local computer certificate from the Windows certificate store" radio button. If no certificate is listed, click the Browse button to select the local computer certificate for host authentication.
  In 7.1, if no certificate is listed, click the Browse button to select the local computer certificate for host authentication.
  In 7.0, if you have not yet followed the steps in Import a Certificate to the Microsoft Certificate Store, the following error is displayed when you select the radio button:
  "The computer certificate in the system certificate store doesn't contain an exportable private key. Please add a new certificate with an exportable private key to the system certificate store."
- Click File > Save Settings.
- Stop and restart the Reflection for Secure IT Server.
Versions 6.1 SP2 - 6.1 SP4
- Open Reflection SSH Server Configuration. (Click Start > Programs > WRQ Reflection.)
- Under Server Settings, select Identity.
- On the Identity panel, in the Host certificate section, click the Import button next to "Import System Certificate".
- In the Import System Certificate dialog box, select the certificate and then click OK.
- Click Apply.
- Stop and restart the Reflection for Secure IT Server.
Related Technical Notes
- 1999: Reflection for Secure IT Technical Notes
- 2430: Certificate Authentication and Reflection for Secure IT Windows Server 7.1 or Higher