X.509 Certificate Mapping and Validation


Certificate Mapping

X.509 is the standard format for digitally signed public-key certificates, and Secure Shell implementations such as VShell can use these certificates to authenticate users. VShell matches an X.509 certificate to a user on your system through a map file. If a match is confirmed, VShell authenticates the user and logs them in. Certificate mapping eliminates the need to deposit each user's certificate on the VShell server, which simplifies deploying digital certificates in large organizations. As the CA issues certificates, the administrator manually updates the map file stored on the VShell server.

The certificate mapping process follows these steps:

1.   The end user's Secure Shell client (e.g., SecureCRT) presents a digital certificate.

2.   VShell looks up the issuing CA from the user's certificate and checks for a map file associated with that CA.

3.   VShell looks in the map file for a line that matches a thumbprint from the user's certificate to a user name.

(Figure: certificate mapping)

If a match is found, the user is logged in as the mapped Windows account, with the privileges and ACLs that account normally has. Because a map-file entry grants logon as the named account, the map file itself must be writable only by administrators. If no map-file match is found, VShell falls back to the file-based approach and looks in its public key folder for the user's *.cer file.
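The lookup and fallback described in the steps above, written out as an added example (this is not VShell's code, and the map-file syntax it reads, one "<thumbprint> <username>" pair per line with "#" starting a comment, is an assumption for illustration, not VShell's real format). The certificate bytes are a constructed placeholder; the thumbprint is a SHA-1 hash over the DER encoding, so the lookup behaves the same on a genuine certificate. The point worth seeing is the thumbprint normalization, since the value pasted from the Windows certificate viewer carries spaces or colons, and the refusal to log a user in when the map entry names a different account than the one the client asked for.

```python
"""Thumbprint-based certificate-to-user mapping, modelled on the steps above.

Added example, not VShell code. The map-file syntax ("<thumbprint> <username>",
'#' starts a comment) and all function names are assumptions for illustration.
Chain and signature verification are not performed here (see Certificate
Validation below); this shows only the map lookup and the file-based fallback.
"""
import base64
import hashlib
import re

PEM_ARMOUR = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, then base64-decode to the DER bytes."""
    body = PEM_ARMOUR.sub("", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, upper-case hex with no separators.
    This is the value the Windows certificate viewer shows as 'Thumbprint'."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    """Accept 'ab:cd:ef', 'AB CD EF' or 'abcdef' and return the canonical
    form, so a thumbprint pasted from the certificate viewer still matches."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()


def parse_map(text: str) -> dict:
    """Parse map-file lines into {thumbprint: username}. A thumbprint mapped
    to two different users is rejected: one certificate, one account."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<thumbprint> <username>'")
        tp, user = normalize(parts[0]), parts[1]
        if len(tp) != 40:
            raise ValueError(f"line {lineno}: thumbprint must be 40 hex digits")
        if tp in mapping and mapping[tp] != user:
            raise ValueError(f"line {lineno}: {tp} already mapped to {mapping[tp]}")
        mapping[tp] = user
    return mapping


def resolve_user(der, login_name, issuer, ca_maps, pubkey_folder):
    """Steps 2-3 from the page plus the fallback.

    der            DER bytes of the presented certificate
    login_name     account name the SSH client asked to log in as
    issuer         issuing CA name (a real server reads it from the certificate)
    ca_maps        {issuer: parsed map}, i.e. one map file per CA
    pubkey_folder  set of '<user>.cer' file names present in the public key folder
    Returns (username, method) on success, None on failure.
    """
    mapping = ca_maps.get(issuer)
    if mapping is not None:
        mapped = mapping.get(thumbprint(der))
        if mapped is not None:
            # Assumption: a map entry naming a different account than the one
            # requested is treated as a failure, never as a silent account switch.
            return (mapped, "map") if mapped == login_name else None
    # No map file for this CA, or no line for this thumbprint: fall back to the
    # file-based approach and look for <login_name>.cer in the public key folder.
    if f"{login_name}.cer" in pubkey_folder:
        return (login_name, "pubkey-folder")
    return None


# --- constructed sample data (the DER blob is a placeholder, not a certificate)
SAMPLE_DER = bytes(range(64))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_THUMBPRINT = thumbprint(SAMPLE_DER)
# Written colon-separated and lower-case, as copied from a certificate viewer,
# to exercise normalize().
SAMPLE_MAP = ("# Example Corp CA map file (constructed)\n"
              + ":".join(SAMPLE_THUMBPRINT[i:i + 2] for i in range(0, 40, 2)).lower()
              + " alice\n")
CA_MAPS = {"Example Corp CA": parse_map(SAMPLE_MAP)}
PUBKEY_FOLDER = {"bob.cer"}

if __name__ == "__main__":
    cert = pem_to_der(SAMPLE_PEM)
    print(resolve_user(cert, "alice", "Example Corp CA", CA_MAPS, PUBKEY_FOLDER))
    print(resolve_user(cert, "mallory", "Example Corp CA", CA_MAPS, PUBKEY_FOLDER))
    print(resolve_user(b"unmapped", "bob", "Example Corp CA", CA_MAPS, PUBKEY_FOLDER))
```

The duplicate-thumbprint check in parse_map is the one an administrator hand-editing the file most needs: two lines with the same certificate and different users would otherwise leave the outcome dependent on file order.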

Using X.509 digital certificates also enables two-factor authentication with smart cards and hardware tokens, where the private key is generated on and never leaves the device.

Certificate Validation

VShell can check the validity of an X.509 digital certificate against a Certification Authority (CA) or a chain of authorities, and uses a map file stored on the server to associate the certificate with a user. Certificate checking "walks the certificate chain", verifying each certificate's signature up to a trusted CA.

The process follows these steps:

1.   The Secure Shell client (e.g., VanDyke Software's SecureCRT®) presents a certificate to authenticate itself.

2.   VShell checks the validity of the certificate and optionally checks the Certificate Revocation List (CRL) to determine whether the certificate has been revoked. If CRL checking is not enabled, a revoked but otherwise valid certificate is still accepted, so enable it wherever the CA publishes a CRL. VShell then looks in the map file associated with the CA to match the certificate with a user name (see "Certificate Mapping" above).

3.   VShell verifies the signature the client produced with the user's private key, which proves possession of the key corresponding to the certificate's public key, and, if the signature checks out, logs the user in.

(Figure: certificate authentication)
