Creating SSL certificates for printing with ThinPrint
Technical Information

ThinPrint GmbH, Alt-Moabit 91 a, 10559 Berlin, Germany
Cortado, Inc., 7600 Grandview Avenue, Suite 200, Denver, Colorado 80002, USA
Cortado Pty. Ltd., Level 20, The Zenith Centre, Tower A, 821 Pacific Highway, Chatswood, NSW 2067, Australia
E-Mail: [email protected]
Web: www.thinprint.com
Issued: April 9, 2015 (v45)

Notes

© Copyright: This document is the intellectual property of ThinPrint GmbH. This document may be copied in whole or in part, provided this copyright notice is included in every copy.

® Registered trademarks: All hardware and software names mentioned in this document are the registered trademarks of their respective companies or should be regarded as such.

Safety warning: All ThinPrint products are pure software solutions. Please note the safety warnings in the technical documentation from your hardware vendor and from the manufacturer of each device and component. Before beginning installation, we recommend closing all windows and applications and deactivating any virus scanner.

Contents

General information about SSL encryption (p. 4)
  What certificate do I need? (p. 4)
  Encrypted printing by exchanging certificates (p. 4)
  Where do I find suitable certificates? (p. 5)
  How do I create certificates? (p. 6)
  What key length is safe? (p. 6)
Creating and installing certificates (p. 7)
  1. Setting up a certification server and creating root certificate (p. 7)
  2. Client certificate request and issue (p. 12)
  3. Download and install client certificate (p. 15)
     Client certificate: user- or machine-based? (p. 18)
  4. Exporting the root certificate (p. 22)
  6. Distributing root certificate to servers (p. 24)
  7. Installing a server certificate (p. 27)
Configuring ThinPrint Engine (p. 30)
  Encryption Settings (p. 30)
  Enabling encryption (per ThinPrint Port) (p. 31)
Configuring ThinPrint Client (p. 31)
Appendix: Troubleshooting (p. 32)

General information about SSL encryption

What certificate do I need?

SSL/TLS [1] encryption is available for printing with ThinPrint. This requires three different certificates:

• A client certificate (per client machine)
• A server certificate (per server)
• A root certificate (per server)

The client and server certificates are signed by the root certificate (or signer certificate). The client certificate is installed onto the machine [2] on which ThinPrint Client is running.
Server and root certificate are installed on the server on which ThinPrint Engine is installed. Encryption is set per port.

A certification authority is set up on the certification server and a root certificate is created. Then, client and server certificates can be requested from the certification server. The root certificate can likewise be obtained from it, either by download or by export and import, and then distributed to all servers in a farm.

You can set up your own certification server or purchase root certificates from an official root certification authority. Root certificates from recognized certificate authorities are in most cases already integrated in the operating system (see Illus. 39 on Page 26) and do not have to be created or imported. It is then only necessary to request client and server certificates from the relevant provider.

[1] Secure Socket Layer / Transport Layer Security
[2] or SSL-capable print box (print server), see Page 12.

Encrypted printing by exchanging certificates

Print data is compressed, then encrypted, and sent from the ThinPrint Engine to the ThinPrint Client, regardless of the protocol in use (TCP/IP or ICA/RDP). In other words, the data is encrypted independently of, and in addition to, any (ICA/RDP) virtual channel encryption: ThinPrint encrypts the individual print jobs, whereas terminal sessions encrypt the (ICA/RDP) channel. Encryption makes particular sense where data is sometimes sent via TCP/IP, as when using a central print server. With ThinPrint, data is encrypted by the server and decrypted by the ThinPrint Client.

SSL encryption prevents
• third parties from eavesdropping
• print data from being sent to the wrong recipient

Print data must not be sent to the wrong client. That means that the client machine must prove that it is authorized to receive print data from the server.
This is ensured by the client certificate, which is signed by the server's root certificate (signer certificate). The following illustration (Illus. 1) depicts the communication between server and client (the handshake) that precedes the transmission of encrypted print data. Please note that this is a simplified illustration of the communication; the main focus is the use of certificates.

Illus. 1: Server-client communication flow for sending encrypted print data (simplified illustration)

1. The server notifies the client that an encrypted print job is waiting.
2. The client answers and confirms whether it can accept encrypted data and which cryptographic protocol (e.g., TLS 1.0) it understands.
3. The server then sends its server certificate and its own list of the algorithms it understands. The server certificate is only needed for the so-called handshake, in which client and server authenticate each other. In addition, the server demands the client certificate.
4. The client sends its client certificate containing its public key. The server checks whether the client certificate has been signed by the root certificate.
5. The server now creates a session key. This is a temporary key that is created anew for each print job and loses its validity once the print data has been delivered. The key is composed of different random numbers created by the client and server. The server encrypts this session key with the public key from the client certificate; the client, in turn, decrypts the session key with its private key (asymmetric encryption).
6. The entire print data transmission is now encrypted with the new session key. This already begins with the announcement of a pending packet and the header information.

Where do I find suitable certificates?

There are three ways to get the right certificates:
1. Create the certificates yourself (described below).
2. Purchase certificates from a certification authority.
3. Request your own certification authority.

SSL certificates can be purchased from one of the recognized certificate authorities. For larger companies, it might be more economical to request your own (sub) certification authority so that additional certificates can be created and signed independently.

We recommend the first option, namely creating the certificates yourself. In addition to being less expensive, it is also safer, because a certificate that is already found in the browser's root store could pose a security threat. Under the usual, current operating systems, this store contains several dozen certificates by default. Before establishing a secure connection, the server first checks whether it has signed the client certificate. Because all clients that have received a certificate signed by this certification authority meet this criterion, an unauthorized client may also receive data from a foreign server. To do so, though, this client must also be configured to a port that sends encrypted print data, and rerouting print data to an incorrect client would also require server manipulation. For this reason, we recommend creating certificates yourself.

How do I create certificates?

SSL certificates are based on the X.509 standard. There are various tools that can be used to create them, such as OpenSSL or the certificate services from Microsoft. Create both a root certificate and a client certificate. The latter, usually available as a .pem or .der file (with OpenSSL), must be signed by the root certificate and then converted to .p12, .pfx, .crt or another file format that Microsoft understands. Specify the key length (encryption depth) when creating the certificate. Next, create a server certificate the same way you created the client certificate.
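The same three-certificate set built by script rather than in a web enrollment dialog: this is an added example, not code from the ThinPrint document, written for the Windows PKI PowerShell module (New-SelfSignedCertificate with -Signer, available on Windows 10 / Server 2016 and later) on the machine that plays the certification server. The names Company ABC-CA, Client01, Client02 and PrintServer01, the folder C:\certs and the function New-SignedLeafCertificate are placeholders; 2048-bit RSA with SHA-256 is a current default and exceeds the 1024 bits the document calls safe. The root certificate leaves the machine without its private key (.cer), while each client and server certificate is exported with its private key (.pfx) for the machine that will use it.

```powershell
# Added example, not from the ThinPrint document: create a root certificate and per-machine client and
# server certificates signed by it with the Windows PKI module, then export them for distribution.
# Assumptions: Windows 10 / Server 2016 or later (New-SelfSignedCertificate -Signer), an elevated
# session on the machine acting as certification server, and the placeholder names below.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$OutDir   = 'C:\certs'                  # placeholder: central folder the print servers can reach
$RootName = 'Company ABC-CA'            # placeholder, modelled on the document's example name
$Clients  = @('Client01', 'Client02')   # placeholder client machine names (one certificate each)
$Servers  = @('PrintServer01')          # placeholder print server names (one certificate each)
# Names are deliberately specific: certificate services match on a substring, so generic names
# such as "root" or "certificate" can select the wrong certificate (document, footnote 7).

$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the exported private keys'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Root certificate: self-signed, marked as a CA, five-year validity as in the document's example.
$root = New-SelfSignedCertificate -Type Custom -Subject "CN=$RootName" -FriendlyName $RootName `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true') `
    -NotAfter (Get-Date).AddYears(5) -CertStoreLocation 'Cert:\LocalMachine\My'

# Only the public part (.cer, no private key) leaves this machine; it belongs in each server's
# Trusted Root Certification Authorities store.
$rootFile = Join-Path $OutDir "$RootName.cer"
Export-Certificate -Cert $root -FilePath $rootFile | Out-Null

# 2. Client and server certificates: one per machine, signed by the root, exported with the private
#    key (.pfx) so the target machine can import it. Default validity one year, as in the document.
function New-SignedLeafCertificate {
    param([string]$Name, [int]$ValidYears = 1)
    $leaf = New-SelfSignedCertificate -Type Custom -Subject "CN=$Name" -FriendlyName $Name -Signer $root `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeyUsage DigitalSignature, KeyEncipherment -KeyExportPolicy Exportable `
        -NotAfter (Get-Date).AddYears($ValidYears) -CertStoreLocation 'Cert:\LocalMachine\My'
    Export-PfxCertificate -Cert $leaf -FilePath (Join-Path $OutDir "$Name.pfx") -Password $PfxPassword | Out-Null
    # The issuing machine does not use the leaf certificates itself; remove them (and their keys) again.
    Remove-Item -Path "Cert:\LocalMachine\My\$($leaf.Thumbprint)" -DeleteKey
    return $leaf.Thumbprint
}
foreach ($name in $Clients + $Servers) { New-SignedLeafCertificate -Name $name | Out-Null }

# 3. Distribute the root certificate to the print servers by script (the document's section 6 does
#    this per server in the MMC). Requires PowerShell remoting to the servers.
$rootBytes = [System.IO.File]::ReadAllBytes($rootFile)
Invoke-Command -ComputerName $Servers -ScriptBlock {
    $rn  = $using:RootName
    $tmp = Join-Path $env:TEMP 'thinprint-root.cer'
    [System.IO.File]::WriteAllBytes($tmp, $using:rootBytes)
    Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    Remove-Item -Path $tmp
    # Report the "Issued to" name the Encryption Settings dialog will need, plus expiry.
    Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -eq "CN=$rn" } |
        Select-Object Subject, Thumbprint, NotAfter
}
```

On each client the matching .pfx is imported with Import-PfxCertificate into Cert:\LocalMachine\My (machine-based) or Cert:\CurrentUser\My (user-based) with the same password. The server certificate, however, must end up in the Print Spooler service store, which the Cert: drive does not expose, so that import stays in the MMC as described in section 7.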
You then have three certificates, a server, a client, and a root certificate, whereby the client and server certificates are both signed by the root certificate. The root certificate can be used for all of your servers. You should, however, create a separate client and server certificate for each client and each server.

What key length is safe?

When you create certificates yourself or purchase them, the key length (encryption depth) influences the security. The longer the key, the more work it takes for unauthorized people to break it. SSL encryption combines symmetric and asymmetric encryption methods, which require different key lengths. Symmetric means that sender and recipient both use the same key; with asymmetric encryption, they use different ones. The session key with which print data is encrypted is a symmetric key. Here, a key length of 128 bits is considered safe. The session key is encrypted asymmetrically and sent with the print data. For this transmission, a length of 1024 bits is considered safe. This message is decrypted with the client's private key, which was saved in the certificate store on the client machine when the certificate was created.

Creating and installing certificates

Besides the method described here, you can also create certificates with OpenSSL. Here, we will show you how to create certificates using the example of Windows Server 2008 R2 [3]. Below are step-by-step instructions for setting up a certification server, creating a root certificate, and requesting client and server certificates from the certification server. You must have administrator permissions on the server.
Certification server

It is recommended to set up a certification server that is responsible only for certification and on which no other programs are running. The certification authority is set up on this server and the root certificate is created. The client and server certificates are requested and issued here. Once this operation (as in Illus. 4) is complete and all certificates have been distributed to the servers and clients, the certification server can be turned off until a new certificate is needed. The root certification authority on the certification server is computer- and domain-specific and cannot be moved to another computer.

1. Setting up a certification server and creating root certificate

– On the certification server, go to START → ADMINISTRATIVE TOOLS → SERVER MANAGER. Now select ROLES and then, on the Roles Summary, click ADD ROLES.

Illus. 2: Select server roles: enabling AD CERTIFICATE SERVICES and WEB SERVER (IIS)

– Select ACTIVE DIRECTORY CERTIFICATE SERVICES and WEB SERVER (IIS) (Illus. 2). Also select FILE SERVICES (if it's not already installed).
– The root certificate is computer-specific. For this reason, you receive a message informing you that changing the machine name or domain membership would invalidate the certificates issued from the CA. Confirm this message.

Illus. 3: Select role services for AD Certificate Service

– You then have to select the role services that are to be installed for the Active Directory Certificate Services. Select CERTIFICATION AUTHORITY and CERTIFICATION AUTHORITY WEB ENROLLMENT (Illus. 3).

Illus. 4: Add role services for WEB SERVER (IIS)

– You will receive a message (Illus. 4) asking you to add required role services (for the Certification Authority Web Enrollment). Click to confirm this action.

[3] For more detailed information about Microsoft Certificate Services, please also refer to the Microsoft documentation.
Illus. 5: Specify CA type: selecting ROOT CA

– In the next window, set up the type of certification authority. Select STAND-ALONE and click NEXT.
– In the following window (Illus. 5), specify the type of certificate. Select ROOT CA and click NEXT. In the following dialog select CREATE A NEW PRIVATE KEY and click NEXT.

Illus. 6: Configure cryptography for CA

– Then configure the cryptography for the new private key.
– Select a cryptographic service provider, the key length and the hash algorithm. Retain the default settings, as required (Illus. 6).

Illus. 7: Configure CA name

– Then give the certification authority a common name (Illus. 7). In the following dialog you can specify the length of its validity, for example five years, and click NEXT.

Illus. 8: Configure certificate database

– You will be prompted to specify a location for saving the data. You can accept the preset path and simply click NEXT (Illus. 8).
– Now Web Server (IIS) is added as a role; confirm with NEXT. Retain the default role services in the next dialog (Illus. 9) and then click NEXT.

Illus. 9: Role WEB SERVER (IIS): selected role services

In the last dialog, CONFIRM INSTALLATION SELECTION, you will be informed that the server must be restarted after installation and that the computer name and domain settings cannot be changed. Click INSTALL to start the process.

You have now installed a root certification authority (CA) on your server. That means that the root certificate can now sign and issue client and server certificates.

Illus. 10: Certification authority on the server

The certification authority that you set up in the first step can be found under START → ADMINISTRATIVE TOOLS → CERTIFICATION AUTHORITY (Illus. 10). You will see the newly created root certificate, which can be downloaded and then distributed to all servers.

2. Client certificate request and issue

The next step is to create client certificates. These are requested from the client at the certification authority (certification server), signed by the newly created root certificate, and issued on the server.

Request client certificate

Below, you will find a description in which a client certificate is issued by the certificate server and then exported to a client computer.

– On the client machine, start an internet browser (Internet Explorer) and open the server's website. After the server IP address or host name, enter "/CERTSRV", for example HTTP://LOCALHOST/CERTSRV. If you cannot open the website, check that the role Web Server (IIS) is running on the server [4].

Illus. 11: Certificate server website: request a certificate

– Once the website is open, request the client certificate by selecting REQUEST A CERTIFICATE (Illus. 11).

[4] If the website cannot be reached, correct possible error sources: check on the server whether, under AD Certificate Services, the role services CERTIFICATION AUTHORITY and CERTIFICATION AUTHORITY WEB ENROLLMENT are enabled (Illus. 3); synchronize date and time on all associated computers; stop any other services running on port 80.

Illus. 12: Certificate server website: choose request type

– You will be prompted to specify the type of certificate. Select, for example, WEB BROWSER CERTIFICATE.
The certificate type is irrelevant here, because ThinPrint Engine does not check whether the certificate meets certain conditions; it only checks whether the certificate has been signed by the root certificate.

Illus. 13: Certificate server website: click MORE OPTIONS

– The IDENTIFYING INFORMATION page appears. Click the MORE OPTIONS button (Illus. 13) at the bottom and then the USE THE ADVANCED CERTIFICATE REQUEST FORM link [5]. Scroll down on the following page (Illus. 14).

[5] If the above link is not enabled, change the security settings in your browser (enable scripting, set the website as a trusted site, activate ActiveX controls under TOOLS → INTERNET OPTIONS → SECURITY → CUSTOM LEVEL...).

Illus. 14: Certification server website: mark keys as exportable

– Fill in the text boxes at the top. Accept all of the default settings below except for one: it is important to place a checkmark by MARK KEYS AS EXPORTABLE, as in Illus. 14. Confirm your input by clicking SUBMIT at the very bottom of the page. You receive a message stating that you should only allow trustworthy websites to request a certificate and will be asked whether you want to request a certificate. Confirm with YES.

Illus. 15: Certification server website: certificate successfully requested

You will receive a message confirming that the certificate request was successful (Illus. 15). You do not have to wait ten days; you only have to wait until the certification server administrator has issued the certificate (Page 15).

Gateway appliance as client

As well as on Windows PCs, encrypted printing is also possible on ThinPrint Gateway appliances that are equipped with an integrated ThinPrint Client and are therefore capable of decrypting print jobs. This is the case with, for example, the TPG-25/65/125 and ISD300/4x0 appliances from SEH.
Here, the client certificate is requested from the appliance's website. For information on how to do so, please refer to the technical documentation SEH TPG as a ThinPrint Client Gateway or SEH ISD as a ThinPrint Client Gateway.

Issue client certificate

– In order to issue the newly requested client certificate, click START → ADMINISTRATIVE TOOLS on the certification server to open the folder CERTIFICATION AUTHORITY. Under PENDING REQUESTS, you will find the certificate requests (arrow in Illus. 16).
– Choose the certificate and right-click to select ALL TASKS → ISSUE (Illus. 16). You have now created the client certificate and signed it with the server's root certificate.

Illus. 16: Server certification authority: issue certificate in folder PENDING REQUESTS
Illus. 17: Server certification authority: issued certificate in folder ISSUED CERTIFICATES

– The client certificate disappears from the PENDING REQUESTS folder and is now found under ISSUED CERTIFICATES (arrow in Illus. 17).

3. Download and install client certificate

You can now get the certificate issued by the root certification authority from the certification server's website.

– Open the same browser with which you submitted the certificate request (Illus. 11) and enter the server website again (example: HTTP://LOCALHOST/CERTSRV).

Illus. 18: Server website: view status of pending certificate

– This time, select VIEW THE STATUS OF A PENDING CERTIFICATE REQUEST on the website (Illus. 18).

Illus. 19: Server website: select issued certificate

– You will be given a list of certificates that have been issued by the server (Illus. 19). Select your certificate.

Illus. 20: Server website: install issued certificate

– You will receive a message confirming that the certificate was issued.
Install this certificate onto the client machine by clicking the link in the message (Illus. 20). A security warning appears, asking whether you trust this website. Confirm with YES.

Illus. 21: Server website: certificate successfully installed

– You will receive a message confirming that the certificate was installed successfully (Illus. 21). You can now close the browser. The certificate is valid for one year.
– You can find the client certificate in the MMC if you add CERTIFICATES → CURRENT USER as a snap-in [6]. Select CERTIFICATES → CURRENT USER → PERSONAL → CERTIFICATES (Illus. 22).

Illus. 22: MMC of the client: find client certificate

– Double-click the certificate (Illus. 22) to open it (Illus. 23). Here you can see that the purpose of the certificate is authentication at the server. It is important that there is a private key for this certificate.

Illus. 23: Certificate for which there is a private key

[6] For machine-based certificates, see Page 18.

Client certificate: user- or machine-based?

Before you import the client certificate to a client machine (see Illus. 22 on Page 17) you must decide whether you wish to save your certificate as user- or machine-based.

• User-based: If only one person uses the machine, import the certificate to the user store: CERTIFICATES → CURRENT USER → PERSONAL. This means the client certificate is bound to the current user and is located in their certificate store (see Illus. 24, top).
• Machine-based: If several people use one machine (or if, in addition to a user account, there is an administrator account) you can save the certificate machine-specifically in the container CERTIFICATES → COMPUTER ACCOUNT → LOCAL COMPUTER (see Illus. 24, bottom). One certificate per client machine is sufficient for all users who share this machine.

Note! If you save your certificate as machine-specific (at CERTIFICATES → COMPUTER ACCOUNT → LOCAL COMPUTER) you must then issue rights of use for encryption on the client machine (see the paragraph Assigning rights to use encryption on client machines, Page 21) and set the CERTSTORE registry key to "1" (Illus. 49, arrow right).

Illus. 24: MMC of the client: save certificate as user- or machine-based

Use machine-based client certificate

In the following example, the certificate is saved as machine-based. Then you can see at what point user rights have to be issued.

– Open the MMC on your client machine and select the snap-in CERTIFICATES → COMPUTER ACCOUNT → LOCAL COMPUTER.

Illus. 25: MMC of the client: import client certificate

– In the store under CERTIFICATES - LOCAL COMPUTER, mark the PERSONAL\CERTIFICATES folder and select ALL TASKS → IMPORT from the context menu (Illus. 25). The CERTIFICATE IMPORT WIZARD opens.

Illus. 26: Importing a certificate: entering source file

– Enter the path to the exported .pfx file and click NEXT (Illus. 26).

Illus. 27: Importing a certificate: entering password

– Because the private key is password protected, you need to enter the password (see Illus. 27). Next, mark the private key as exportable (place a checkmark) if the certificate may be installed later on another machine (Illus. 27).

Illus. 28: Importing a certificate: selecting certificate store

– In the second option, the path to the certificate store to which the certificate is to be imported is already entered (PERSONAL). Confirm with NEXT (Illus. 28). Close the CERTIFICATE IMPORT WIZARD with FINISH in the last window. You will receive a message stating that the import was successful. The imported certificate can now be found in the MMC (Illus. 29).
If necessary, refresh the list with ACTION in the menu.

Illus. 29: MMC on the client: imported client certificate

Assigning rights to use encryption on client machines

If you have bound your client certificate to the computer (as described in the previous step), and thus imported it to the node CERTIFICATES (LOCAL COMPUTER), you can now assign rights for the individual users of the workstation.

– In the context menu of the imported certificate, select ALL TASKS → MANAGE PRIVATE KEYS... (Illus. 30).

Illus. 30: Client certificate in the store of the client computer (machine store)

This takes you to the rights of the client certificate:

Illus. 31: Setting the rights of the client certificate: adding users

– Using the ADD... button, add the users or user groups who shall print with ThinPrint encryption and give each of them at least read rights (Illus. 31).

To print with encryption, after you have imported the client certificate onto the client machine, you will also need to make a registry entry. You can read how to do that under Configuring ThinPrint Client on Page 31.

4. Exporting the root certificate

The certification server's root certificate is installed on all servers that will send print data encrypted with ThinPrint Engine to a ThinPrint Client. The root certificate can be downloaded from the certification server and its file distributed to all other servers. On one of the servers that need the certificate, open the browser and enter the certification server's website with the extension /CERTSRV (as when requesting the client certificate, Illus. 11). This time, select DOWNLOAD A CA CERTIFICATE, CERTIFICATE CHAIN, OR CRL.

Alternatively, you can export and store the root certificate, then import it on all servers.
This is described in the following.

– Open the MMC on the certification server. Locate the root certificate in the store CONSOLE ROOT → CERTIFICATES - CURRENT USER → TRUSTED ROOT CERTIFICATION AUTHORITIES → CERTIFICATES. In the context menu, click ALL TASKS → EXPORT... (Illus. 32).

Illus. 32: Certification server: EXPORT root certificate

– Then select a format for the exported certificate. The file then has the extension .cer. That means that the certificate contains a public key; there is no private one for it. Then click NEXT (Illus. 33).

Illus. 33: Certificate export wizard: select file format

– Enter a file name that is neither too short nor too general [7]. Save the file centrally, so that you can access it from your (print) servers for encrypted printing (Illus. 34).

Illus. 34: Certificate export wizard: select file name

– In the following dialog, click FINISH.
– The root certificate is the same for all servers in a farm and can also be distributed by script.

[7] In the Microsoft certificate services, the first certificate is selected that contains the given string sequence. With names like "certificate" or "root", a certificate other than the desired one could be selected, which will produce an error message during printing.

6. Distributing root certificate to servers

Importing root certificate on server

Now you need to import your root certificate onto a server that you want to use for encrypted printing.

Illus. 35: Server: import root certificate

– Open the MMC on the server. In the container CONSOLE ROOT → CERTIFICATES (LOCAL COMPUTER) → TRUSTED ROOT CERTIFICATION AUTHORITIES → CERTIFICATES, select ALL TASKS → IMPORT from the context menu (Illus. 35).

Illus. 36: CERTIFICATE IMPORT WIZARD: installation of the imported root certificate

– The CERTIFICATE IMPORT WIZARD opens. Click the BROWSE button and then select your recently exported root certificate (Illus. 36).

Illus. 37: CERTIFICATE IMPORT WIZARD: select certificate store

– Select the option PLACE ALL CERTIFICATES IN THE FOLLOWING STORE and click the BROWSE button (Illus. 37).
– In the next window, select the location where the root certificate is to be stored. Enable SHOW PHYSICAL STORES, select TRUSTED ROOT CERTIFICATION AUTHORITIES and then the container LOCAL COMPUTER (Illus. 38).

Illus. 38: Select certificate store: TRUSTED ROOT CERTIFICATION AUTHORITIES, LOCAL COMPUTER

– If the correct path is shown as in Illus. 37, click NEXT and then, in the next window, FINISH. You will get the message THE IMPORT WAS SUCCESSFUL.
– The imported certificate is found in the MMC under the snap-in CERTIFICATES (LOCAL COMPUTER) → TRUSTED ROOT CERTIFICATION AUTHORITIES. If this snap-in is not available, add it. To do so, open the MMC from the command prompt and select CONSOLE → ADD/REMOVE SNAP-IN → ADD → CERTIFICATES → ADD → COMPUTER ACCOUNT → FINISH → CLOSE. If you cannot find the certificate, mark the CERTIFICATES folder (as in Illus. 39) and select ACTION → REFRESH from the menu.

Illus. 39: MMC of the server: root certificate under CERTIFICATES (LOCAL COMPUTER), TRUSTED ROOT CERTIFICATION AUTHORITIES

– Double-click the certificate to view it (Illus. 40).

Illus. 40: Root certificate of an own certification authority

7. Installing a server certificate

The server certificate request is sent from the server via the website to the certification server. This works exactly the same as requesting a client certificate (see 2. Client certificate request and issue, Page 12).
To print with encryption using the server certificate, it must be imported into the correct print spooler store in the MMC.

Importing a server certificate to the print service

– To save the .pfx file in the correct store, open the MMC and select the snap-in CERTIFICATES - SERVICE (PRINT SPOOLER). If this snap-in is not available, add it. To do so, open the MMC from the command prompt and select: CONSOLE→ ADD/REMOVE SNAP-IN→ ADD→ CERTIFICATE→ ADD→ SERVICE ACCOUNT→ NEXT→ LOCAL COMPUTER→ PRINT SPOOLER→ FINISH→ CLOSE.

Illus. 41: MMC of the server: import a server certificate

– In the store under CERTIFICATES - SERVICE (PRINT SPOOLER), mark the SPOOLER\PERSONAL folder and select ALL TASKS→ IMPORT from the context menu (Illus. 41). The CERTIFICATE IMPORT WIZARD opens (Illus. 42).

Illus. 42: Importing a certificate: entering source file

– Enter the path to the exported .pfx file (see section 4, Page 22) and click NEXT (Illus. 42).

Illus. 43: Importing a certificate: entering password

– Because the private key is password protected, you need to enter the password (see Illus. 27). Next, mark the private key as exportable (place a checkmark) if the certificate is to be exported later on (Illus. 43).

Illus. 44: Importing a certificate: selecting certificate store

– In the second option, the path to the certificate store to which the certificate is to be imported is already entered (SPOOLER\PERSONAL). Confirm with NEXT (Illus. 44). Close the CERTIFICATE IMPORT WIZARD with FINISH in the last window. You will receive a message stating that the import was successful. The imported certificate can now be found in the MMC (Illus. 45). If necessary, refresh the list with ACTION in the menu.

Illus. 45: MMC of the server: imported server certificate in print service (spooler)

To print with the new certificates, enable encryption per ThinPrint port in ThinPrint Engine and enter the certificate names. On the client, add a registry key. This is shown in the following two sections.

Configuring ThinPrint Engine

Encryption Settings

– To use the imported SSL certificates with the ThinPrint Engine, open the Port Manager in the MMC (Illus. 46) and select: THINPRINT→ THINPRINT ENGINE. Then open the ThinPrint Engine's context menu and select: ALL TASKS→ ENCRYPTION SETTINGS.

Illus. 46: Selecting SSL certificates for the ThinPrint Engine

– Enter the names of the server and root certificates under ENCRYPTION CERTIFICATES (Illus. 47). Use the names displayed in the column ISSUED TO of the MMC's certificate overview (in Illus. 45 and Illus. 39: COMPANY ABC and COMPANY ABC-CA as examples).

Illus. 47: Selecting imported SSL certificates (example)

– Fill in both fields and check that each certificate is installed on the server and that the certificates installed on the clients are trusted by the server certificates. Otherwise, the print jobs will not be executed.

Enabling encryption (per ThinPrint Port)

– To enable SSL encryption, use the port configuration (Illus. 48).

Illus. 48: MMC: Enabling encryption per ThinPrint port

Configuring ThinPrint Client

To print to a client machine with encryption, the client certificate has to be imported on this machine and a registry key has to be set. Before sending encrypted print data, the server checks whether the name of the imported certificate is included in the CERTNAME entry in the client's registry and whether the stored certificate is present on the client. The CertName key in the registry must be entered manually as follows:

1. After the certificate has been imported, create the following registry key on the clients with REGEDIT (Illus. 49; data type: REG_SZ):

   HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\Client\CertName

Illus. 49: Registry key for SSL encryption on Windows clients (example for certificate Company ABC)

2. Enter as value the name of the imported certificate as displayed in the column ISSUED TO of the MMC's certificate overview (COMPANY ABC as example in Illus. 22).

3. Restart ThinPrint Client Windows.

The CertName registry key is only needed for encrypting print data; receipt of unencrypted print data is still possible.

Note! If you saved your certificate in the certificate store of the machine (i.e. machine-based) (see Page 18), you must set the CERTSTORE registry key to "1" (see Illus. 49, arrow right). When using user-specific certificates, set it to "0".

Appendix: Trouble shooting

The following is a table of possible error messages with information on correcting the errors.

Error message: The Client has rejected the print job...error in function No. 3.
Solution: Client is active and has been detected but cannot print.
• Printer off / paper jam / no toner?
• Client certificate not found. Possible causes: the client certificate is not signed by the correct root certificate; the certificate is not in the correct store (user/machine store) or does not have the correct rights (Page 32); typing error in the encryption settings or in the registry (Illus. 47 or Illus. 49).

Error message: The client certificate cannot be read or is incorrect.
Solution: The client certificate is present but cannot be read. If necessary, request a new client certificate.

Error message: Error while receiving data.
Solution:
• With SSL encryption: You may be using an older ThinPrint Client. Install the latest version.
• When printing via ICA/RDP: The connection may have been (briefly) lost.

Error message: Server or client certificate has not been signed by the selected root certificate.
Solution:
• Server and client certificate must be signed by the same root certificate. Check the "Issued by" column (Illus. 22 and 45) against the root certificate (Illus. 39).
• No name was entered for a root certificate in the ThinPrint Engine configuration (Illus. 47).
• The certificate name (e.g., "root") may be too vague. In this case, another certificate containing this string has been found first in the certificate store, and its references are then incorrect.

Error message: Error while handshaking for encrypted transfer.
Solution: Referring to the server certificate:
• Server certificate is invalid or has expired.
• Perhaps the server certificate does not contain a private key or the private key was not imported during installation (mark key as exportable).
• No name was entered in the ThinPrint Engine encryption settings (see also Illus. 47).

Error message: The server certificate validity starts in the future.
Solution: The server certificate is not valid yet.
• Synchronize date and time on all associated computers.
• Depending on the system, a certificate requested from the IIS first becomes valid the day after it was issued. Validity can be checked in the certificate manager (Illus. 45).

Error message: The server certificate name has not been set.
Solution: No name was entered in the ThinPrint Engine configuration (see Illus. 47).

Error message: Couldn't find selected server certificate.
Solution: The name in the ThinPrint Engine configuration does not agree with the certificate name (mistyped?) (see Illus. 47).

Error message: Couldn't find selected root certificate.
Solution: The name in the ThinPrint Engine configuration does not agree with the certificate name (mistyped?) (see Illus. 47).

Error message: The root certificate name has not been set.
Solution: No name was entered in the ThinPrint Engine configuration (see Illus. 47).
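The client-side registry steps in Configuring ThinPrint Client and the certificate checks from the troubleshooting table (exact name, private key present, validity window, signed by the expected root), as an added PowerShell example that is not ThinPrint's own tooling: it inspects the certificate in the store that matches the CertStore setting and only then writes the two values. The certificate names are the document's examples; that CertStore is a REG_SZ value like CertName, and the registry path in PowerShell drive form, are assumptions.

```powershell
# Added example, not ThinPrint code: check the client certificate the way the
# troubleshooting table describes, then write CertName / CertStore as REG_SZ.
# Assumptions: names are the document's examples; CertStore is REG_SZ like CertName.
param(
    [string]$CertName     = 'Company ABC',     # "Issued To" of the client certificate
    [string]$RootName     = 'Company ABC-CA',  # "Issued To" of the root certificate
    [bool]  $MachineStore = $true              # $true -> CertStore=1, $false -> CertStore=0
)
$regPath   = 'HKLM:\SOFTWARE\ThinPrint\Client'
$location  = if ($MachineStore) { 'LocalMachine' } else { 'CurrentUser' }
$personal  = "Cert:\$location\My"
$rootStore = "Cert:\$location\Root"

# Match the CN exactly: a vague name such as "root" can hit another certificate
# whose subject merely contains that string (see the troubleshooting table).
$cnPattern  = "^CN=$([regex]::Escape($CertName))(,|$)"
$candidates = @(Get-ChildItem $personal | Where-Object { $_.Subject -match $cnPattern })
if ($candidates.Count -eq 0) { throw "No certificate issued to '$CertName' in $personal" }
if ($candidates.Count -gt 1) { throw "'$CertName' is ambiguous: $($candidates.Count) matches in $personal" }
$client = $candidates[0]

# Private key present? Otherwise only the .cer was imported instead of the .pfx.
if (-not $client.HasPrivateKey) { throw "'$CertName' has no private key; import the .pfx" }

# Validity window: a NotBefore in the future usually means clock skew or an
# IIS-issued certificate that only becomes valid the next day.
$now = Get-Date
if ($client.NotBefore -gt $now) { throw "'$CertName' is not valid until $($client.NotBefore)" }
if ($client.NotAfter  -lt $now) { throw "'$CertName' expired on $($client.NotAfter)" }

# "Issued by" must name the same root the server uses, and that root must be trusted here.
if ($client.Issuer -notmatch "^CN=$([regex]::Escape($RootName))(,|$)") {
    throw "'$CertName' was issued by '$($client.Issuer)', not by '$RootName'"
}
if (-not (Get-ChildItem $rootStore | Where-Object { $_.Subject -eq $client.Issuer })) {
    Write-Warning "Issuer '$($client.Issuer)' is not in $rootStore; the chain will not validate"
}

# Write the registry values the document describes (requires an elevated shell).
if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
$storeFlag = if ($MachineStore) { '1' } else { '0' }
Set-ItemProperty -Path $regPath -Name 'CertName'  -Value $CertName  -Type String
Set-ItemProperty -Path $regPath -Name 'CertStore' -Value $storeFlag -Type String
Write-Output "CertName='$CertName', CertStore=$storeFlag written; restart ThinPrint Client to apply."
```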