Use X.509 Certificates


Installing CA Certificates in the Trusted Roots Store

Users attempting to log on to VShell with X.509 certificate authentication will fail if the certificate of the certificate authority (CA) that issued the user's certificate has not been installed in the Trusted Root Certification Authorities store on the machine where VShell is running. When this authentication failure occurs, VShell logs the following error:

The public key supplied for user johndoe is invalid: A certificate chain processed correctly, but terminated in a root certificate which is not trusted by the trust provider.

Installing the CA certificate in the Trusted Root Certification Authorities store will solve this problem. It is also important that the certificate be installed in the Local Computer store as indicated in the following steps.

Note: The following steps assume that the CA certificate has been downloaded as a *.cer file and that you are running Windows 2000. You must also be logged on as Administrator to complete the following steps.

1.   Right-click the certificate file and select Open from the resulting menu. This will display the Properties dialog for the file.

2.   On the Properties dialog, click on the Install Certificate button to start the Certificate Import wizard.

3.   In the wizard, click on the Next button and then choose the Place all certificates in the following store option.

4.   Click on the Browse button to open the Select Certificate Store dialog.

5.   Check the Show physical stores check box to allow you to expand the listed stores.

6.   Expand the Trusted Root Certification Authorities store and select the Local Computer store below it.

7.   Click on the OK button to save your selection.

8.   Click on the Next and Finish buttons to complete installation of the certificate.

You can now verify that the certificate has been installed in the proper store by using Internet Explorer.

1.   Open the Tools menu and select Internet Options... to open the Internet Options dialog.

2.   Select the Content tab and click on the Certificates button.

3.   The Certificates dialog should list the CA certificate under the Trusted Root Certification Authorities tab.

Note: It is important that you install the certificate in the Local Computer store as indicated above. Choosing the Registry store installs the certificate in the root store of the current user (i.e., Administrator) only; it will then be absent from the Trusted Root Certification Authorities store that VShell opens while running as the System account, and certificate logons will still fail with the error shown above.

Installing CA Certificates for Creation of Map Files

In order to create map files that associate certificates with specific Windows user accounts in VShell, the certificate for the CA that issued the user's certificate must be installed in the Intermediate Certification Authorities store.

Note: If you do not use map files to associate user certificates with Windows user accounts in VShell, you do not need to install the CA certificate in the Intermediate Certification Authorities store. Users who log on using X.509 certificate authentication can authenticate successfully if the VShell administrator places the user's Base64-encoded *.cer file in the user's folder under VShell's PublicKey folder, as is done with RSA and DSA *.pub files. See the following section "File-Based X.509 Certificates" for more information.

To use a map file, install the CA certificate in the Intermediate Certification Authorities store following the steps listed above for installing in the Trusted Root Certification Authorities store, only this time, choose the Local Computer store under the Intermediate Certification Authorities store.

Adding the CA certificate to the Intermediate Certification Authorities store will allow that CA to appear on the list of CAs that a map file can be associated with in VShell's Authentication / Certificate Maps category.

See Certificate Maps for information on adding entries to and specifying the location of certificate map files.
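The following script is an added example and is not part of the VShell documentation or VanDyke's own tooling. It performs the store installation described in both sections above from the command line and, unlike the wizard, proves afterwards that the certificate landed in the Local Computer store the VShell service reads, not only in the Administrator's own store. It assumes a Windows version that ships the PKI module (Import-Certificate, Windows 8 / Server 2012 or later), an elevated session, and placeholder paths; the -StoreName switch selects Root (Trusted Root Certification Authorities) or CA (Intermediate Certification Authorities, needed for map files).

```powershell
# Added example; not from the VShell documentation. Installs a CA certificate
# into a Local Computer store and verifies it is visible there.
# Assumptions: PKI module available, elevated session, paths below are placeholders.
param(
    [string]$CaCertPath = 'C:\certs\MyCA.cer',               # assumed location of the CA's *.cer file
    [ValidateSet('Root', 'CA')][string]$StoreName = 'Root',  # Root = Trusted Root CAs, CA = Intermediate CAs (for map files)
    [string]$UserCertPath = ''                               # optional: a user's *.cer to test-chain afterwards
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# The LocalMachine stores are writable only by administrators; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# Parse the file (DER or Base64 *.cer both load) so we know its thumbprint and
# can refuse anything that is not actually a CA certificate.
$ca = New-Object "$X509.X509Certificate2" $CaCertPath
$bc = $ca.Extensions | Where-Object { $_ -is [type]"$X509.X509BasicConstraintsExtension" }
if ($bc -and -not $bc.CertificateAuthority) {
    throw "$CaCertPath is not a CA certificate (BasicConstraints CA=false)."
}

# Import into the Local Computer store. Equivalent classic command on any Windows:
#   certutil -addstore $StoreName $CaCertPath
Import-Certificate -FilePath $CaCertPath -CertStoreLocation "Cert:\LocalMachine\$StoreName" | Out-Null

# Verify by thumbprint in the machine store (what the SYSTEM service sees) ...
$inMachine = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $inMachine) { throw "CA certificate is not present in LocalMachine\$StoreName." }

# ... and report whether it is also in the current user's store, which on its own
# would be the mistake the note above warns about.
$inUser = Get-ChildItem "Cert:\CurrentUser\$StoreName" | Where-Object Thumbprint -eq $ca.Thumbprint
"Installed: $($ca.Subject)  thumbprint $($ca.Thumbprint)"
"  LocalMachine\$StoreName : present"
"  CurrentUser\$StoreName  : " + $(if ($inUser) { 'present' } else { 'absent (fine; VShell runs as SYSTEM)' })

# Optional: build a chain for a user certificate to see the same condition that
# produces VShell's "terminated in a root certificate which is not trusted" error.
if ($UserCertPath) {
    $user  = New-Object "$X509.X509Certificate2" $UserCertPath
    $chain = New-Object "$X509.X509Chain"
    # Assumption: CRL/OCSP endpoints are not reachable from the VShell host; skip revocation here.
    $chain.ChainPolicy.RevocationMode = [type]"$X509.X509RevocationMode" -as [type]
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($user)) {
        "Chain for $($user.Subject) builds to a trusted root."
    } else {
        # UntrustedRoot here means the issuing CA is still missing from a Root store.
        $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
    }
}
```

The optional chain check runs in your interactive session, where Windows also consults the CurrentUser stores, so a chain that builds here does not by itself prove that the SYSTEM account will trust it; the thumbprint lookup in Cert:\LocalMachine is the check that matters for VShell.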

File-Based X.509 Certificates

VShell also supports the use of file-based X.509 public-key authentication certificates. To enable the VShell server to authenticate using a file-based X.509 certificate, follow these steps:

1.   Acquire an X.509 certificate from each user to whom you want to give access.

2.   Create new folders for each user under the PublicKey folder under your VShell folder. For example:

\Program Files\VShell\PublicKey\<Username>

3.   Save the user's certificate, Base64-encoded, to the folder corresponding to their username.
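The script below is an added example, not VShell's or VanDyke's own code, that carries out steps 2 and 3 for one user and adds the checks an administrator would want before trusting the file: it refuses CA certificates, always writes the Base64 (PEM) form regardless of whether the input *.cer was DER or Base64, and prints the issuer so you can confirm it is the CA installed in the previous section. The install path, the file name <Username>.cer, and the parameter names are assumptions.

```powershell
# Added example; not from the VShell documentation. Places a user's X.509
# certificate under VShell's PublicKey folder as a Base64-encoded *.cer.
# Assumptions: default install path, file name <Username>.cer, input may be DER or Base64.
param(
    [Parameter(Mandatory)][string]$Username,
    [Parameter(Mandatory)][string]$CertPath,
    [string]$VShellRoot = "$env:ProgramFiles\VShell"   # assumed default install location
)

$X509 = 'System.Security.Cryptography.X509Certificates'

# Parse first so anything that is not a certificate fails before touching the PublicKey tree.
$cert = New-Object "$X509.X509Certificate2" $CertPath

# Only an end-entity (user) certificate belongs in a user's folder; refuse CA certificates.
$bc = $cert.Extensions | Where-Object { $_ -is [type]"$X509.X509BasicConstraintsExtension" }
if ($bc -and $bc.CertificateAuthority) {
    throw "$CertPath is a CA certificate, not a user certificate."
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate for $Username expired on $($cert.NotAfter)."
}

# Re-encode as Base64 PEM from the DER bytes, so the output is correct even when
# the input *.cer was binary DER.
$der = $cert.Export([type]"$X509.X509ContentType" -as [type])
$der = $cert.Export('Cert')
$b64 = [Convert]::ToBase64String($der, [Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----`r`n"

# \Program Files\VShell\PublicKey\<Username>
$userDir = Join-Path (Join-Path $VShellRoot 'PublicKey') $Username
New-Item -ItemType Directory -Path $userDir -Force | Out-Null

$dest = Join-Path $userDir "$Username.cer"   # file name is an assumption
[IO.File]::WriteAllText($dest, $pem, [Text.Encoding]::ASCII)

"Wrote $dest"
"  Subject : $($cert.Subject)"
"  Issuer  : $($cert.Issuer)   (this CA must be in LocalMachine\Root)"
"  Expires : $($cert.NotAfter)"
```

Run it as `.\Add-VShellUserCert.ps1 -Username johndoe -CertPath C:\certs\johndoe.cer` from an elevated session, since the Program Files tree is not writable by standard users; the issuer line should name the CA you placed in the Trusted Root Certification Authorities store.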

Using Entrust with VShell

VShell for Windows can interoperate with Entrust's security management PKI via X.509. The only requirement on the Entrust side is that Microsoft Compatibility (MsCompatibility) be enabled for the Entrust security manager.

Entrust certificates used with VShell may be loaded from the Windows certificate store, or stored in files. Any certificate format supported for authentication by Windows' CAPI will work with VShell.

The Entrust client applications need not be installed in order for VShell to work with Entrust certificates.