Certificate Options


The Certificate Maps category allows you to map user certificates to Windows accounts.

The Certificate revocation group allows you to configure whether and how VShell performs certificate revocation checking.

Certificate maps group

This list displays the user certificates mapped to Windows accounts. You can select a certificate authority (CA) and associate a user certificate map file with it.

Issued To/Serial Number List

This list displays the CAs that VShell has been configured to recognize and their serial numbers. Each CA has a user certificate map file associated with it.

Filename

This is the user certificate map file associated with the CA selected in the list above. A map file ties the CA to specific user certificates by listing Windows usernames together with the thumbprints of the certificates that authenticate them.

Map File Syntax:

Map files are plain text and end with a .txt extension. The following is an example of user certificate map file syntax. It maps certificates to the Windows accounts of users chrissmith, billjones, and lynngreen. The thumbprint string is the thumbprint from the user's certificate.

Username chrissmith thumbprint "BFEB 1701 6C2F 50AD BFF1 F49E 4FB8 4577 1277 16C5" # Hashes are comments
; Semi-colons or hashes are comments
Username billjones thumbprint "BFEB 1701 6C2F 50AD BFF1 F49E 4FB8 4577 1277 16C5" ; Semicolons are comments
Username lynngreen thumbprint "FCAF EF1C 4C0F D553 470E 5BBA D2E7 D1A0 D2B0 79BE"
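As an added illustration (not part of VShell or this help page), a Python parser for this map file syntax that applies the comment rules above, normalizes thumbprints before comparison so spacing, colons or letter case never cause a missed match, and flags a thumbprint listed for more than one account, since such a line makes the mapping ambiguous. The sample map contents are constructed, and the length check assumes a 40-hex-digit (SHA-1) thumbprint as shown in the example.

```python
import re

# Constructed sample map file, using the comment and line syntax shown above.
SAMPLE_MAP = '''\
# Hashes are comments
Username chrissmith thumbprint "BFEB 1701 6C2F 50AD BFF1 F49E 4FB8 4577 1277 16C5"
; Semi-colons are comments too
Username lynngreen thumbprint "FCAF EF1C 4C0F D553 470E 5BBA D2E7 D1A0 D2B0 79BE" ; trailing comment
Username billjones thumbprint "BFEB 1701 6C2F 50AD BFF1 F49E 4FB8 4577 1277 16C5"
'''

# One mapping line, after comment removal: Username <account> thumbprint "<hex groups>"
LINE_RE = re.compile(r'^Username\s+(\S+)\s+thumbprint\s+"([0-9A-Fa-f\s]+)"$', re.IGNORECASE)

def strip_comment(line):
    """Drop text from the first ';' or '#' that lies outside the quoted thumbprint."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch in ';#' and not in_quote:
            return line[:i]
    return line

def normalize_thumbprint(tp):
    """Remove spaces/colons and upper-case; None unless 40 hex digits (SHA-1, assumed)."""
    hexstr = re.sub(r'[\s:]', '', tp).upper()
    return hexstr if re.fullmatch(r'[0-9A-F]{40}', hexstr) else None

def parse_map(text):
    """Return ({thumbprint: username}, [(lineno, problem), ...])."""
    mapping, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue                                  # blank or comment-only line
        m = LINE_RE.match(line)
        tp = normalize_thumbprint(m.group(2)) if m else None
        if tp is None:
            errors.append((lineno, 'unparseable line or bad thumbprint'))
        elif tp in mapping and mapping[tp] != m.group(1):
            # Same certificate for two accounts: ambiguous, so reject the later line.
            errors.append((lineno, f'thumbprint already mapped to {mapping[tp]}'))
        else:
            mapping[tp] = m.group(1)
    return mapping, errors

def lookup(mapping, presented_thumbprint):
    """Windows account for a certificate's thumbprint, or None if it is not mapped."""
    tp = normalize_thumbprint(presented_thumbprint)
    return mapping.get(tp) if tp else None
```

Run parse_map over a map file before deploying it and treat any returned error as a reason to fix the file rather than rely on whichever line happens to win.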

Get username from certificate

Check this option to have VShell retrieve the username from the X.509 certificate.

Note: If this option is checked for a particular CA (issuer), the user certificate map file for that CA is optional.

When a certificate from that issuer is presented, the username is taken from the "Subject Alternative Name" field of the certificate.

Add and Delete Buttons

The Add button opens the Select Certificate dialog where you can choose a CA to add to the Issued To/Serial Number list.

The Delete button removes the selected CA from the Issued To/Serial Number list. It does not remove the CA file from your system.

Changes made to the CA configuration will not take effect until you press either the Apply or OK button.

Certificate revocation group

In addition to checking the validity of a user's certificate, VShell can also check whether the user's certificate, or any certificate of the certificate authority (CA) chain that issued it, has been revoked.

Note: Checking for revoked certificates may cause the operating system to periodically contact remote CAs and download certificate revocation lists (CRLs) and other information. As a result, selecting the Check for revoked certificates option may enhance security, but it may also create network traffic or cause periodic delays while authenticating user certificates.

Check for revoked certificates

Checking this box enables certificate revocation checking in VShell, with the scope set by one of the three options listed below:

Check all certificates

Select this option to perform revocation checking on all the certificates in every chain. This option causes VShell to check for revocation of the user's certificate, the certificate of the CA that issued the user's certificate, any intermediate CA certificates, and the certificate of the root authority. This option provides the most extensive revocation checking.

Check all certificates except root certificate

Select this option to perform revocation checking on all the certificates in every chain except the root certificate. This option causes VShell to check for revocation of the user's certificate and all intermediate CA certificates, but not the root authority certificate. Use it when VShell is running on a machine that cannot download CRL information for the root authority.

Check only user certificates

Select this option to perform revocation checking on the end-entity certificate only. VShell then checks only whether the user's own certificate has been revoked, not any CA certificate in its chain. This reduced checking lowers overhead and may still be sufficient in some environments.
