Environment
Extra! X-treme version 9.0 SP1 or higher
Host Access Management and Security Server version 12.3 or higher
InfoConnect Desktop for Unisys
InfoConnect Desktop for Airlines
InfoConnect version 8.1 SP1 or higher
Reflection PKI Services Manager
Reflection Desktop
Reflection 2014
Reflection Desktop for IBM
Reflection for IBM 2014
Reflection for IBM 2011
Reflection for IBM version 14.x
Reflection Desktop for UNIX and OpenVMS
Reflection for UNIX and OpenVMS 2014
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS version 14.x
Reflection for HP version 14.x
Reflection for Secure IT Windows Client version 7.2 or higher
Reflection for the Web (All Editions) version 12.2 or higher
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions) R3
Reflection FTP Client
Reflection ZFE version 2.0 or higher
Host Access Management and Security Server version 12.3 or higher
InfoConnect Desktop for Unisys
InfoConnect Desktop for Airlines
InfoConnect version 8.1 SP1 or higher
Reflection PKI Services Manager
Reflection Desktop
Reflection 2014
Reflection Desktop for IBM
Reflection for IBM 2014
Reflection for IBM 2011
Reflection for IBM version 14.x
Reflection Desktop for UNIX and OpenVMS
Reflection for UNIX and OpenVMS 2014
Reflection for UNIX and OpenVMS 2011
Reflection for UNIX and OpenVMS version 14.x
Reflection for HP version 14.x
Reflection for Secure IT Windows Client version 7.2 or higher
Reflection for the Web (All Editions) version 12.2 or higher
Reflection for the Web 2014 (All Editions)
Reflection for the Web 2011 (All Editions)
Reflection for the Web 2008 (All Editions) R3
Reflection FTP Client
Reflection ZFE version 2.0 or higher
Situation
The Attachmate applications listed in the Environment section support the
use of X.509 certificates for authentication. This technical note
provides a detailed list of which certificate fields are checked, and
what requirements must be met for a certificate to be accepted as valid.
Resolution
Requirements for All Certificates
The following version 1 fields MUST all contain valid data.
| Field |
Validation information for this field and its attributes |
| Version |
Version 3 is required for user or
server certificates. The version accepted for CA certificates is
configurable, but by default version 1 certificates are rejected. |
| Serial number |
Used in combination with Issuer to identify this certificate for revocation checking. |
| Issuer |
Used to build the chain of trust for this certificate. -and- Used in combination with Serial number to identify this certificate for revocation checking. |
| Subject |
The CN attribute is used to determine
the identity of the entity presenting this certificate. (Note: In some
certificates, the Subject Alternate Name extension is used as an
alternate method of specifying identity.) |
| Valid from Valid to |
Used to determine if the certificate is within the valid time period. |
| Signature algorithm Signature hash algorithm |
Provides information required to decrypt the certificate's signature. |
| Public key |
Used to decrypt the digital signatures from the certificate owner. |
Requirements for CA Certificates
Certification Authority (CA) certificates must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field |
Validation information for this field and its attributes |
| Basic Constraints |
MUST be set as a critical extension. Subject type MUST be set to CA. Path Length Constraint is not required. If present, it will be used to check the length of the chain. |
| Key Usage |
MUST be present. May be set as a critical extension. MUST include Certificate signing. May also include CRL signing, Off-line CRL Signing, Digital Signature. (These attributes may be required if the CA server also issues CRLs or OCSP responses.) |
| Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
| CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
| Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up and down the chain of trust. |
Requirements for SSL, TLS, and FTPS Server Certificates
Certificates used to authenticate SSL, TLS, and FTPS servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field |
Validation information for this field and its attributes |
| Key Usage |
May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored. |
| Extended Key Usage (Enhanced Key Usage is an equivalent name.) |
May be present, but not required. If present: MUST include Server authentication. |
| Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
| CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
| Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
| Subject Alternative Name |
Not required. May be used to determine alternate names for the server presenting the certificate using either the dNSName or iPAddress attributes. |
Requirements for Secure Shell (SSH) and SFTP Server Certificates
Certificates used to authenticate Secure Shell (SSH) and SFTP servers must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field |
Validation information for this field and its attributes |
| Key Usage |
May be present, but not required. If present: MUST include Digital Signature and Key Encipherment. May also include Non Repudiation, Data Encipherment and others, but these are ignored. |
| Extended Key Usage (Enhanced Key Usage is an equivalent name.) |
May be present, but not required. If present: MUST include Server authentication. |
| Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
| CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
| Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
| Subject Alternative Name |
Not required. May be used to determine alternate names for the server presenting the certificate using either the dNSName or iPAddress attributes. |
Requirements for User Certificates
Certificates used to authenticate client users must meet the following version 3 extension requirements in addition to the version 1 requirements listed in Requirements for All Certificates.
| Field |
Validation information for this field and its attributes |
| Key Usage |
May be present, but not required. If present: MUST include Digital Signature. May also include Non Repudiation, Data Encipherment and others, but these are ignored. |
| Extended Key Usage (Enhanced Key Usage is an equivalent name.) |
May be present, but not required. If present: MUST include Client authentication. |
| Authority Information Access |
Not required. If present, it can be used to retrieve the issuer certificate and/or determine OCSP responder servers. |
| CRL Distribution Points |
Not required. If present, it can be used to retrieve CRLs. |
| Certificate Policies |
Not required. May contain one or more policy OIDs, which, if present, must also be present in the Certificate Policies field of other certificates up the chain of trust. |
| Subject Alternative Name |
Not required. May be used to determine alternate names for the user presenting the certificate using the rfc822Name or otherName attributes. |