# Trust Keys and Certificates

To trust an SSH public key or an X.509 certificate, go to the **Setup** → **Untrusted Caches** menu, click the 3-dot icon and select the **Trust** entry.

A confirmation message will appear. Click **CONFIRM** to validate.

{% hint style="info" %}
Once an entry is trusted, you will find it in the Trust Store.
{% endhint %}

## When should the Keys tab be used?

The **Keys** tab under **Setup** → **Untrusted Caches** lists keys that are not yet trusted. Use it in these scenarios:

1. **Data Mover SFTP Client connects to an external SFTP server**:
   * If not already trusted, the key exposed by the external server is saved.

| Column     | Description                                                                                      |
| ---------- | ------------------------------------------------------------------------------------------------ |
| Name       | <p>The syntax of the name is:<br>\[key hash]-\[ip and port used for remote connection]-S.pub</p> |
| Subject DN | This column displays the IP and port used for remote connection                                  |
| Type       | **SSH Host Key** is displayed in this column                                                     |

2. **Data Mover SFTP Server receives a connection from an external SFTP client**:
   * If this client is not already trusted, its key is saved in this repository.

| Column     | Description                                                    |
| ---------- | -------------------------------------------------------------- |
| Name       | <p>The syntax of the name is:<br>\[key hash]-\[user]-C.pub</p> |
| Subject DN | This column displays the username of the SFTP client           |
| Type       | **SSH User Key** is displayed in this column                   |
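
Before trusting a key from this list, it is good practice to compare its fingerprint with one obtained from the counterpart's administrator through a separate channel. The following is an added example, not Data Mover code: it assumes the public key is available as an OpenSSH one-line public key and uses the `SHA256:` fingerprint format printed by `ssh-keygen -l`; the page does not state which hash appears in the entry name, so no comparison against the name is attempted. The sample keys are constructed.

```python
import base64
import hashlib
import hmac
import struct


def parse_openssh_pubkey(line):
    """Return (key type, raw key blob) from an OpenSSH '<type> <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type (RFC 4253 string).
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != declared.encode():
        raise ValueError("key type inside blob does not match declared type")
    return declared, blob


def sha256_fingerprint(blob):
    """Fingerprint as printed by `ssh-keygen -l`: SHA256:<unpadded base64 digest>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_expected(pubkey_line, expected_fp):
    """True only if the key's fingerprint equals the value obtained out of band."""
    _, blob = parse_openssh_pubkey(pubkey_line)
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fp.strip())


def _constructed_key(seed):
    # Constructed sample: structurally valid ssh-ed25519 blob with dummy key bytes.
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


SAMPLE_KEY = _constructed_key(0)  # stands in for the key shown as untrusted
OTHER_KEY = _constructed_key(1)   # stands in for an unexpected, different key

if __name__ == "__main__":
    # In practice `expected` comes from the counterpart's administrator.
    expected = sha256_fingerprint(parse_openssh_pubkey(SAMPLE_KEY)[1])
    print(expected)
    print("sample key matches:", matches_expected(SAMPLE_KEY, expected))
    print("other key matches: ", matches_expected(OTHER_KEY, expected))
```
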

## When should the Certificates tab be used?

The **Certificates** tab lists certificates that are not yet authenticated. Use it in these scenarios:

1. **Data Mover SSL Client** (all remote connections over SSL) **connects to a server over the SSL protocol.** The exposed certificate and its chain (depending on the counterpart server) are saved in this repository only if not already trusted.

{% hint style="danger" %}

#### Warning!

A successful Client Connection on SSL protocol requires the trust of the entire certification chain related to that protocol. A chain of trust cannot be completed without a trust anchor issued by a Certificate Authority.\
\
For safety reasons, a remote SSL server is only allowed to send end-entity and intermediate certificates, but CA trust anchors must be provided separately. To complete the chain, you must manually import a secure and trustworthy CA trust anchor. Be careful to import only reliable and proven CA trust anchors as it is impossible to recognize fake certificates issued by a malicious CA once its certificate has been trusted. With great power comes great responsibility!\
\
To import a certificate go to the **Setup** → **Trust Stores** → **Certificates** tab and click the **IMPORT** button. Once you have imported the CA trust anchor and trusted all intermediate and end-entity certificates, the Client Connection can be established successfully.
{% endhint %}

2. **Data Mover SSL Server** (all servers exposed over SSL) **receives a connection from a client over the SSL protocol** that requires client authentication. The certificate is saved in this repository only if not already trusted.


