Creating SSL certificates for ThinPrint

Creating SSL certificates for printing with ThinPrint
Technical Information
ThinPrint GmbH
Alt-Moabit 91 a
10559 Berlin
Germany
Cortado, Inc.
7600 Grandview Avenue
Suite 200
Denver, Colorado 80002
USA
Cortado Pty. Ltd.
Level 20, The Zenith Centre,
Tower A
821 Pacific Highway
Chatswood, NSW 2067
Australia
E-Mail: [email protected]
Web: www.thinprint.com
Issued: April 9, 2015 (v45)
Notes
© Copyright
This document is the intellectual property of ThinPrint GmbH. This document may be copied in whole or
in part, provided this Copyright notice is included in every copy.
® Registered trade marks
All hardware and software names mentioned in this document are the registered trademarks of their
respective companies or should be regarded as such.
Safety warning
All ThinPrint products are pure software solutions. Please note the safety warnings in the technical documentation from your hardware vendor and from the manufacturer of each device and component.
Before beginning installation, we recommend closing all windows and applications and deactivating any
virus scanner.
© ThinPrint GmbH 2015
Contents
General information about SSL encryption ........ 4
  What certificate do I need? ........ 4
  Encrypted printing by exchanging certificates ........ 4
  Where do I find suitable certificates? ........ 5
  How do I create certificates? ........ 6
  What key length is safe? ........ 6
Creating and installing certificates ........ 7
  1. Setting up a certification server and creating root certificate ........ 7
  2. Client certificate request and issue ........ 12
  3. Download and install client certificate ........ 15
    Client certificate: user- or machine-based? ........ 18
  4. Exporting the root certificate ........ 22
  6. Distributing root certificate to servers ........ 24
  7. Installing a server certificate ........ 27
Configuring ThinPrint Engine ........ 30
  Encryption Settings ........ 30
  Enabling encryption (per ThinPrint Port) ........ 31
Configuring ThinPrint Client ........ 31
Appendix: Trouble shooting ........ 32
General information about SSL encryption
What certificate do I need?
SSL/TLS [1] encryption is available for printing with ThinPrint. This requires three different certificates:
• A client certificate (per client machine)
• A server certificate (per server)
• A root certificate (per server)
The client and server certificates are signed by the root certificate (or signer certificate). The client certificate is installed onto the machine [2] on which ThinPrint Client is running. Server and root certificate are installed on the server on which ThinPrint Engine is installed. Encryption is set for each port.
A certification authority is set up on the certification server and a root certificate
is created. Then, client and server certificates can be requested from the certification
server.
The root certificate can likewise be obtained from the certification server, either by download or by export, and then distributed to all servers in a farm.
You can set up your own certification server or purchase root certificates from an
official root certification authority. Root certificates from recognized certificate
authorities are in most cases already integrated in the operating system (see Illus. 39
on Page 26) and do not have to be created or imported. It is then only necessary to
request client and server certificates from the relevant provider.
Encrypted printing by exchanging certificates
Print data is compressed and then encrypted and sent from the ThinPrint Engine to
the ThinPrint Client – regardless of the protocol in use (TCP/IP or ICA/RDP). In other
words, the data is encrypted independently of and in addition to a (ICA/RDP) virtual
channel encryption. ThinPrint encrypts the individual print jobs, whereas terminal
sessions encrypt the (ICA/RDP) channel. Encryption especially makes sense where
data is sometimes sent via TCP/IP, as when using a central print server. With ThinPrint, data is encrypted by the server and decrypted by the ThinPrint Client.
SSL encryption prevents
• Third parties from spying
• Print data from being sent to the wrong recipient
[1] Secure Socket Layer / Transport Layer Security
[2] or an SSL-capable print box (print server), see Page 12.
Print data should not be sent to the wrong client. That means that the client machine
must prove that it is authorized to receive print data from the server. This is ensured
by the client certificate, which is signed by the server's root certificate (signer certificate).
The following illustration (Illus. 1) depicts the communication between server and
client (called handshaking) that precedes the transmission of encrypted print data.
Please note that this is a simplified illustration of the communication; the main focus
is the use of certificates.
Illus. 1
Server-client communication flow for sending encrypted print data (simplified illustration)
The server notifies the client that an encrypted print job is waiting. The client answers
and confirms whether it can accept encrypted data and which cryptographic algorithm it understands (e.g., TLS 1.0). The server then sends its server certificate and
its own list of the algorithms it understands. The server certificate is only necessary
for the so-called handshake, where client and server authenticate each other. In addition, the server demands the client certificate. The client sends its client certificate
with the public key. The server checks whether the client certificate has been signed
by the root certificate.
The server now creates a session key. This is a temporary key that is created anew
for each print job and loses its validity once the print data has been delivered. This
key is composed of different, random numbers created by the client and server. The
server encrypts this session key with the public key that it sent to the client. The client, in turn, can decode the session key using its private key (asymmetric encryption). The entire print data transmission is now encrypted with the new session key.
This already begins with the announcement of a pending packet and the header information.
Where do I find suitable certificates?
There are three ways to get the right certificates:
1. Create the certificates yourself (described below).
2. Certificates from a certification authority.
3. Request your own certification authority.
SSL certificates can be purchased from one of the recognized certificate authorities.
For larger companies, it might be more economical to request your own (sub) certification authority so that additional certificates can be created and signed independently.
We recommend the first option, namely creating the certificates yourself. In addition to being less expensive, it is also safer, because a certificate that is already present in the browser's root certificate store could pose a security threat. Under the usual current operating systems, this store contains several dozen certificates by default.
Before establishing a secure connection, the server first checks whether it has signed
the client certificate. Because all clients that have received a certificate signed by this
certification authority meet this criterion, an unauthorized client may also receive
data from a foreign server. To do so, though, this client must also be configured to a
port that sends encrypted print data. Rerouting print data to an incorrect client would
also require server manipulation.
For this reason, we recommend creating certificates yourself.
How do I create certificates?
SSL certificates are based on the X.509 standard. There are various tools that can be used to create them, such as OpenSSL or the certificate services from Microsoft. Create both a root certificate and a client certificate. The latter, usually available as a .pem or .der file (with OpenSSL), must be signed by the root certificate and then converted to .p12, .pfx, .crt or another file format that is understood by Microsoft. Specify the encryption depth (key length) when creating the certificate.
Next, create a server certificate the same way you created the client certificate. You then have three certificates – a server, a client, and a root certificate – whereby the client and server certificates are both signed by the root certificate.
The root certificate can be used for all of your servers. A separate client and server certificate must be created for each client and each server, however.
What key length is safe?
When you create certificates yourself or purchase them, the encryption depth influences the security. The longer the key, the more work it takes for unauthorized people
to decode it.
SSL encryption combines symmetric and asymmetric encryption methods, which
require different key lengths. Symmetric means that sender and recipient both use
the same key; with asymmetric encryption, they use different ones.
The session key with which print data is encrypted is a symmetrical key. Here, a
key length of 128-bit is considered safe.
The session key is encrypted asymmetrically and sent with the print data. For this
transmission, a length of 1024-bit is considered safe. This message is decoded with
the client's private key, which was saved in the certificate store on the client machine
when the certificate was created.
Creating and installing certificates
Besides the method described here, you can also create certificates with OpenSSL. Here, we will show you how to create certificates using the example of Windows Server 2008 R2 [3]. Below are step-by-step instructions for setting up a certification server, creating a root certificate, and requesting client and server certificates from the certification server. You must have administrator permissions on the server.
Certification server
It is recommended to set up a certification server that is only responsible for certification and no other programs are running. The certification authority is set up on this
server and the root certificate is created. The client and server certificates are
requested and issued here. Once this operation (as in Illus. 4) is complete and all
certificates have been distributed to the server and clients, the certification server can
be turned off - until a new certificate is needed. The root certification authority on the
certification server is computer- and domain-specific and cannot be stored on
another computer.
1. Setting up a certification server and creating root certificate
– On the certification server, go to START→ ADMINISTRATIVE TOOLS→ SERVER MANAGER. Now select ROLES and then, in the Roles Summary, click ADD ROLES.
Illus. 2
Select server roles: enabling AD CERTIFICATE SERVICES and WEB SERVER (IIS)
[3] For more detailed information about Microsoft Certificate Services, please also refer to the Microsoft documentation.
– Select ACTIVE DIRECTORY CERTIFICATE SERVICES and WEB SERVER (IIS) (Illus. 2). Also select FILE SERVICES (if it's not already installed).
– The root certificate is computer-specific. For this reason, you receive a message
informing you that changing the machine name or domain membership would
invalidate the certificates issued from the CA. Confirm this message.
Illus. 3
Select role services for AD Certificate Service
– You then have to select the Role Services that have to be installed for the Active
Directory Certificate Services. Select CERTIFICATION AUTHORITY and CERTIFICATION AUTHORITY WEB ENROLLMENT (Illus. 3).
Illus. 4
Add role services for WEB SERVER (IIS)
– You will receive a message (Illus. 4) to add required Role Services (for the Certification Authority Web Enrollment). Click to confirm this action.
Illus. 5
Specify CA type: selecting ROOT CA
– In the next window, specify the setup type of the Certification Authority. Select STAND-ALONE and click NEXT.
– In the following window (Illus. 5), specify the type of CA. Select ROOT CA and click NEXT. In the following dialog select CREATE A NEW PRIVATE KEY and click NEXT.
Illus. 6
Configure cryptography for CA
– Then configure the cryptography for the new private key: select a cryptographic service provider, the key length and the hash algorithm. Retain the default settings as required (Illus. 6).
Illus. 7
Configure CA name
– Then give the Certification Authority a common name (Illus. 7). In the following
dialog you can specify the length of its validity; for example, five years, and click
NEXT.
Illus. 8
Configure certificate database
– You will be prompted to specify a location for saving the data. You can accept the preset path and simply click NEXT (Illus. 10).
– Now Web Server (IIS) is added as a role; confirm with NEXT. Retain the default Role Services in the next dialog (Illus. 9) and then click NEXT.
Illus. 9
Role WEB SERVER (IIS): selected role services
In the last dialog, CONFIRM INSTALLATION SELECTION, you will be informed that the server must be restarted after installation and that the computer name and domain settings cannot be changed afterwards. Click INSTALL to start the process.
You have now installed a root certification authority (or CA/certification authority)
on your server. That means that the root certificate can now sign and issue client and
server certificates.
Illus. 10
Certification authority on the server
The certification authority that you set up in the first step can be found under START
→ ADMINISTRATIVE TOOLS→ CERTIFICATION AUTHORITY (Illus. 10).
You will see the newly created root certificate, which can be downloaded and then
distributed to all servers.
2. Client certificate request and issue
The next step is to create client certificates. These are requested by the client from the certification authority (certification server), signed by the newly created root certificate, and authorized by the server.
Request client certificate
Below, you will find a description in which a client certificate is issued by the certificate server and then exported to a client computer.
– On the client machine, start an internet browser (Internet Explorer) and open the server's website. After the server IP address or host name, enter "/CERTSRV", for example, HTTP://LOCALHOST/CERTSRV. If you cannot open the website, check that the Role Web Server (IIS) is running on the server [4].
Illus. 11
Certificates server website: request a certificate
– Once the website is open, request the client certificate by selecting REQUEST A
CERTIFICATE (Illus. 11).
[4] If the website cannot be reached, correct possible error sources: check on the server whether, under AD Certificate Services, the Role Services CERTIFICATION AUTHORITY and CERTIFICATION AUTHORITY WEB ENROLLMENT are enabled (Illus. 3). Synchronize date and time on all associated computers. Stop any other services running on port 80.
Illus. 12
Certificates server website: choose request type
– You will be prompted to specify the type of certificate. Select, for example, WEB
BROWSER CERTIFICATE. The certificate type is irrelevant here, because ThinPrint
Engine does not check whether the certificate meets certain conditions; it
checks whether the certificate has been signed by the root certificate.
Illus. 13
Certificates server website: click more options
– The IDENTIFYING INFORMATION page appears. Click the button MORE OPTIONS (Illus. 13) at the bottom and then the USE THE ADVANCED CERTIFICATE REQUEST FORM link [5]. Scroll down to the following page (Illus. 14):
[5] If the above link is not enabled, change the security settings in your browser (enable scripting, set the website as a trusted site, activate ActiveX controls under TOOLS→ INTERNET OPTIONS→ SECURITY→ CUSTOM LEVEL...).
Illus. 14
Certification server website: mark keys as exportable
– Fill in the text boxes at the top. Accept all of the default settings below except for one: it is important to place a checkmark by MARK KEYS AS EXPORTABLE, as in Illus. 14. Confirm your input by clicking SUBMIT at the very bottom of the page. You receive a message stating that you should only allow trustworthy websites to request a certificate, and you will be asked whether you want to request a certificate. Confirm with YES.
Illus. 15
Certification server website: certificate successfully requested
You will receive a message confirming that the certificate request was successful
(Illus. 15). You do not have to wait ten days; you only have to wait until the certification server administrator has issued the certificates (Page 15).
Gateway Appliance as Client
As well as on Windows PCs, encrypted printing is also possible on ThinPrint Gateway appliances that are equipped with an integrated ThinPrint Client and are therefore capable of decrypting print jobs. This is the case with, for example, the TPG-25/65/125 and ISD300/4x0 appliances from SEH. Here, the client certificate is requested from the appliance's website. For information on how to do so, please refer to the technical documentation SEH TPG as a ThinPrint Client Gateway or SEH ISD as a ThinPrint Client Gateway.
Issue client certificate
– In order to issue the newly requested client certificate, click START→ ADMINISTRATIVE TOOLS on the certification server to open the folder CERTIFICATION AUTHORITY. Under PENDING REQUESTS, you will find the certificate requests (arrow in Illus. 16).
– Choose the certificate and right-click to select ALL TASKS→ ISSUE (Illus. 16).
You have now created the client certificate and signed it with the server's root
certificate.
Illus. 16
Server certification authority: issue certificate in folder PENDING REQUESTS
Illus. 17
Server certification authority: issued certificate in folder ISSUED CERTIFICATES
– The client certificate disappears from the PENDING REQUESTS folder and is now
found under ISSUED CERTIFICATES (arrow in Illus. 17).
3. Download and install client certificate
You can now get the certificate issued by the root certification authority from the certification server's website.
– Open the same browser with which you submitted the certificate request
(Illus. 11) and enter the server website again (example: HTTP://LOCALHOST/CERTSRV).
Illus. 18
Server website: view status of pending certificate
– This time, select: VIEW THE STATUS OF A PENDING CERTIFICATE REQUEST on the
website (Illus. 18).
Illus. 19
Server website: select issued certificate
– You will be given a list of certificates that have been issued by the server
(Illus. 19). Select your certificate.
Illus. 20
Server website: install issued certificate
– You will receive a message confirming that the certificate was issued. Install this
certificate onto the client machine by clicking the link in the message
(Illus. 20). A security warning appears, asking whether you trust this website.
Confirm with YES.
Illus. 21
Server website: certificate successfully installed
– You will receive a message confirming that the certificate was installed successfully (Illus. 21). You can now close the browser. The certificate is valid for one
year.
– You can find the client certificate in the MMC if you add CERTIFICATES→ CURRENT USER [6] as a snap-in. Select CERTIFICATES→ CURRENT USER→ PERSONAL→ CERTIFICATES (Illus. 22).
Illus. 22
MMC of the client: find client certificate
– Double click the certificate (Illus. 22) to open it (Illus. 23).
Here you can see that the purpose of the certificate is authentication to the server.
It is important that there is a private key for this certificate.
Illus. 23
Certificate for which there is a private key
[6] For machine-based certificates, see Page 18.
Client certificate: user- or machine-based?
Before you import the client certificate to a client machine (see Illus. 22 on Page 17)
you must decide whether you wish to save your certificate as user- or machine-based.
• User-based: If only one person uses the machine, import the certificate to the user store: CERTIFICATES→ CURRENT USER→ PERSONAL. This means the client certificate is bound to the current user and is located in their certificate store (see Illus. 24, above).
• Machine-based: If several people use one machine (or if, in addition to a user account, there is an administrator account), you can save the certificate machine-specifically in the container CERTIFICATES→ COMPUTER ACCOUNT→ LOCAL COMPUTER (see Illus. 24, below). One certificate per client machine is sufficient for all users who share this machine.
Note! If you save your certificate as machine-specific (at CERTIFICATES→ COMPUTER ACCOUNT→ LOCAL COMPUTER) you must then issue rights of use for encryption on the client machine (see the paragraph Assigning rights to use encryption on client machines, Page 21) and set the CERTSTORE registry key to "1" (Illus. 49, arrow right).
Illus. 24
MMC of the client: save certificate as user- or machine-based
Use machine-based client certificate
In the following example, the certificate is saved as machine-based. Then, you can see at what point user rights have to be issued.
– Open the MMC on your client machine and select the snap-in CERTIFICATES→ COMPUTER ACCOUNT→ LOCAL COMPUTER.
Illus. 25
MMC of the client: import client certificate
– In the store under CERTIFICATES - LOCAL COMPUTER, mark the PERSONAL\CERTIFICATE folder and select ALL TASKS→ IMPORT from the context menu (Illus. 25).
The CERTIFICATE IMPORT WIZARD opens.
Illus. 26
Importing a certificate: entering source file
– Enter the path to the exported .pfx file and click NEXT (Illus. 26).
Illus. 27
Importing a certificate: entering password
– Because the private key is password protected, you need to enter the password
(see Illus. 27). Next, mark the private key as exportable (place a checkmark) if
the certificate may be installed later on another machine (Illus. 27).
Illus. 28
Importing a certificate: selecting certificate store
– In the second option, the path to the certificate store to which the certificate is to be imported is already entered (PERSONAL). Confirm with NEXT (Illus. 28). Close the CERTIFICATE IMPORT WIZARD with FINISH in the last window. You will receive a message stating that the import was successful.
The imported certificate can now be found in the MMC (Illus. 29). If necessary,
refresh the list with ACTION in the menu.
Illus. 29
MMC on the client: imported client certificate
Assigning rights to use encryption on client machines
If you have bound your client certificate to the computer (as described in the previous
step), and thus imported it to the node CERTIFICATES (LOCAL COMPUTER), you can now
assign rights for the individual users of the workstation.
– In the context menu of the imported certificate, select ALL TASKS→ MANAGE PRIVATE KEYS... (Illus. 30).
Illus. 30
Client certificate in the store of the client computer (machine store)
This takes you to the rights of the client certificate:
Illus. 31
Setting the rights of the client certificate: adding users
– Using the ADD... button, add the users or user groups who are to print with ThinPrint encryption and give each of them read rights at the very least (Illus. 31).
To print with encryption, after you have imported the client certificate onto the client
machine, you will also need to make a registry entry. You can read how to do that
under Configuring ThinPrint Client on Page 31.
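The machine-based steps above (import into the computer store, checking that a private key exists, assigning read rights with MANAGE PRIVATE KEYS) can also be done and verified from PowerShell. The following is an added example, not a ThinPrint script: the root CA name "ThinPrint-Root-CA" and the group "DOMAIN\PrintUsers" are placeholders, and it assumes the client key was created with a CryptoAPI (CSP) provider rather than a CNG key storage provider.

```powershell
# Added example, not a ThinPrint script. Run in an elevated PowerShell on the client machine.
# Placeholders: the root CA common name and the group that is allowed to print with encryption.
param(
    [string]$RootCaName = "ThinPrint-Root-CA",
    [string]$PrintGroup = "DOMAIN\PrintUsers"
)

# 1. Find the client certificate in CERTIFICATES (LOCAL COMPUTER) -> PERSONAL -> CERTIFICATES
#    that has a private key and was issued by our root CA (what Illus. 29 shows in the MMC).
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.Issuer -like "*CN=$RootCaName*"
})
if ($candidates.Count -ne 1) {
    throw "Expected exactly one client certificate with a private key issued by '$RootCaName', found $($candidates.Count)."
}
$cert = $candidates[0]

# 2. Check the signature chain the way the server does: the certificate must chain to a root
#    in the Trusted Root store. A stand-alone CA publishes no CRL, so revocation is not checked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join "; "
    throw "Client certificate $($cert.Thumbprint) does not chain to a trusted root: $reasons"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host ("Client certificate '{0}' (valid until {1}) chains to root '{2}'" -f
    $cert.GetNameInfo("SimpleName", $false), $cert.NotAfter, $root.GetNameInfo("SimpleName", $false))

# 3. Grant read access to the private key. For a CryptoAPI (CSP) key in the machine store the key
#    material is a file under ProgramData\Microsoft\Crypto\RSA\MachineKeys; ALL TASKS -> MANAGE
#    PRIVATE KEYS in the MMC edits the ACL of exactly this file. (Assumes a CSP key, not a CNG key.)
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($PrintGroup, "Read", "Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Show who may now use the key (the same list as in Illus. 31).
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```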
4. Exporting the root certificate
The certification server's root certificate is installed on all servers that will send print
data encrypted with ThinPrint Engine to a ThinPrint Client. The root certificate can
be downloaded from the certification server and its file distributed to all other servers.
On one of the servers that need the certificate, open the browser and enter the certification server's website with the extension /CERTSRV (like when requesting the client certificate, Illus. 11). This time, select: DOWNLOAD A CA CERTIFICATE, CERTIFICATE
CHAIN, OR CRL.
Alternatively, you can export and store the root certificate, then import it on all
servers. This is described in the following.
– Open the MMC on the certification server. Locate the root certificate in the store CONSOLE ROOT→ CERTIFICATES→ CURRENT USER→ TRUSTED ROOT CERTIFICATION AUTHORITIES→ CERTIFICATES. In the context menu, click ALL TASKS→ EXPORT... (Illus. 32).
Illus. 32
Certification server: EXPORT root certificate
– Then select a format for the exported certificate. The file then has the extension .cer. That means that the certificate contains only the public key; there is no private key in it. Then click NEXT (Illus. 33).
Illus. 33
Certificate export wizard: select file format
– Enter a file name that is neither too short nor too general [7]. Save the file centrally, so that you can access it from your (print) servers for encrypted printing (Illus. 34).
[7] In the Microsoft certificate services, the first certificate is selected that contains the given string sequence. With names like "certificate" or "root", a certificate other than the desired one could be selected, which will create an error message during printing.
Illus. 34
Certificate export wizard: select file name
– In the following dialog, click FINISH.
– The root certificate is the same for all servers in a farm and can also be distributed by script.
6. Distributing root certificate to servers
Importing root certificate on server
Now you need to import your root certificate onto a server that you want to use for encrypted printing.
Illus. 35
Server: import root certificate
– Open the MMC on the server. In the container CONSOLE ROOT→ CERTIFICATES
(LOCAL COMPUTER)→ TRUSTED ROOT CERTIFICATES→ CERTIFICATES, select: ALL
TASKS→ IMPORT from the context menu (Illus. 35).
Illus. 36
CERTIFICATE IMPORT WIZARD: installation of the imported root certificate
– The CERTIFICATE IMPORT WIZARD opens. Click the button BROWSE and then select
your recently exported root certificate (Illus. 36).
Illus. 37
CERTIFICATE IMPORT WIZARD: select certificate store
– Select the option PLACE ALL CERTIFICATES IN THE FOLLOWING STORE and click on
the BROWSE button (Illus. 37).
– In the next window, select the location where the root certificate is to be stored.
Enable SHOW PHYSICAL STORES, select TRUSTED ROOT CERTIFICATION AUTHORITIES
and then Container LOCAL COMPUTER (Illus. 38):
Illus. 38
Select certificate store: TRUSTED ROOT CERTIFICATION AUTHORITIES, LOCAL COMPUTER
– If the correct path is shown in Illus. 37, click NEXT and then, in the next window, FINISH. You will get the message: THE IMPORT WAS SUCCESSFUL.
– The imported certificate is found in the MMC under the snap-in CERTIFICATES
(LOCAL COMPUTER)→ TRUSTED ROOT CERTIFICATES. If this snap-in is not available, add it. To do so, open the MMC from the command prompt and select:
CONSOLE→ ADD/ REMOVE SNAP-IN→ ADD→ CERTIFICATES→ ADD→ COMPUTER
ACCOUNT→ FINISH→ CLOSE.
If you cannot find the certificate, mark the CERTIFICATES folder (as in Illus. 39) and
select ACTION→ REFRESH from the menu list.
Illus. 39
MMC of the server: root certificate under CERTIFICATES (LOCAL COMPUTER), TRUSTED ROOT CERTIFICATION AUTHORITIES
– Double click the certificate to view it (Illus. 40).
Illus. 40
Root certificate of an own certification authority
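The import into TRUSTED ROOT CERTIFICATION AUTHORITIES just described, which section 4 notes can also be distributed by script, is shown below as an added example (not a ThinPrint script). It reads the exported .cer file from a share, imports it on each listed print server over PowerShell remoting, and checks the point of footnote 7: the name that will be entered under ENCRYPTION CERTIFICATES must match only one trusted root on that server. The share path, the server names and WinRM being enabled on the targets are assumptions.

```powershell
# Added example, not a ThinPrint script. Run from an administrative workstation that can reach
# the print servers via PowerShell remoting (Enable-PSRemoting on the targets is assumed).
# Placeholders: the share holding the exported root certificate and the print server names.
param(
    [string]  $CerPath = "\\fileserver\certs\ThinPrint-Root-CA.cer",
    [string[]]$Servers = @("PRINTSRV01", "PRINTSRV02")
)

# Read the .cer once here and ship the bytes to each server. A remote session cannot open the
# share on our behalf (Kerberos second hop), so passing the bytes avoids that problem.
$cerBytes = [System.IO.File]::ReadAllBytes($CerPath)

# Runs on each print server: add the certificate to CERTIFICATES (LOCAL COMPUTER) ->
# TRUSTED ROOT CERTIFICATION AUTHORITIES (the store chosen in Illus. 37/38) and report what
# the MMC shows in the ISSUED TO column, plus how many trusted roots contain that name.
$importRoot = {
    param([byte[]]$Bytes)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Bytes)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "Root", "LocalMachine"
    $store.Open("ReadWrite")
    if (-not $store.Certificates.Contains($cert)) { $store.Add($cert) }

    # Footnote 7: ThinPrint Engine takes the first certificate whose name contains the entered
    # string, so the name must be unique among all trusted roots on this server.
    $issuedTo = $cert.GetNameInfo("SimpleName", $false)
    $sameName = @($store.Certificates | Where-Object {
        $_.GetNameInfo("SimpleName", $false) -like "*$issuedTo*"
    }).Count
    $store.Close()

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        IssuedTo   = $issuedTo
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        SameName   = $sameName
    }
}

$results = foreach ($server in $Servers) {
    $r = Invoke-Command -ComputerName $server -ScriptBlock $importRoot -ArgumentList (,$cerBytes)
    if ($r.SameName -gt 1) {
        Write-Warning (("{0}: {1} trusted root certificates contain '{2}'; enter the full, unique " +
                        "name under ENCRYPTION CERTIFICATES or re-export the root with a unique name.") -f
                        $server, $r.SameName, $r.IssuedTo)
    }
    $r
}
$results | Format-Table Computer, IssuedTo, Thumbprint, NotAfter, SameName -AutoSize
```

The IssuedTo column is the value to type under ENCRYPTION CERTIFICATES in the ThinPrint Engine; a SameName count above 1 means the substring match described in footnote 7 is ambiguous on that server.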
7. Installing a server certificate
The server certificate request is sent from the server via a website to the certification server. This functions exactly the same as requesting a client certificate (see 2. Client certificate request and issue, Page 12).
To print with encryption with the server certificate, it must be imported into the
correct print spooler in the MMC.
Importing a server certificate to the print service
– To save the .pfx file in the correct store, open the MMC and select the snap-in
CERTIFICATES - SERVICE (PRINT SPOOLER). If this snap-in is not available, add it.
To do so, open the MMC from the command prompt and select: CONSOLE→
ADD/REMOVE SNAP-IN→ ADD→ CERTIFICATE→ ADD→ SERVICE ACCOUNT→
NEXT→ LOCAL COMPUTER→ PRINT SPOOLER→ FINISH→ CLOSE.
Illus. 41
MMC of the server: import a server certificate
– In the store under CERTIFICATES - SERVICE (PRINT SPOOLER), mark the
SPOOLER\PERSONAL folder and select ALL TASKS→ IMPORT from the context menu
(Illus. 41). The CERTIFICATE IMPORT WIZARD opens (Illus. 42).
Illus. 42: Importing a certificate: entering source file
Enter the path to the exported .pfx file (see section 4, Page 22) and click NEXT (Illus. 42).
Illus. 43: Importing a certificate: entering password
– Because the private key is password protected, enter the password that was set when the certificate was exported (see Illus. 27). Check MARK THIS KEY AS EXPORTABLE only if the certificate will have to be exported from this store again later (Illus. 43); a key imported without this option cannot be exported again with the Windows certificate tools, which is the safer default for the spooler's private key.
Illus. 44: Importing a certificate: selecting certificate store
– In the second option, the certificate store into which the certificate is to be imported is already entered (SPOOLER\PERSONAL). Confirm with NEXT (Illus. 44). Close the CERTIFICATE IMPORT WIZARD with FINISH in the last window. You will receive a message stating that the import was successful.
The imported certificate can now be found in the MMC (Illus. 45). If necessary, refresh the list with ACTION→ REFRESH.
Illus. 45: MMC of the server: imported server certificate in print service (spooler)
To print with the new certificates, enable encryption per ThinPrint port in ThinPrint
Engine and enter the certificate names. On the client, add a registry key. This is
shown in the following two sections.
Configuring ThinPrint Engine
Encryption Settings
– To use the imported SSL certificates with the ThinPrint Engine, open the Port Manager in the MMC (Illus. 46) and select: THINPRINT→ THINPRINT ENGINE. Then open the ThinPrint Engine's context menu and select: ALL TASKS→ ENCRYPTION SETTINGS.
Illus. 46: Selecting SSL certificates for the ThinPrint Engine
– Enter the names of server and root certificates under ENCRYPTION CERTIFICATES
(Illus. 47). Use the names that are displayed in the column ISSUED TO of the
MMC’s certificate overview (in Illus. 45 and Illus. 39 COMPANY ABC and COMPANY ABC-CA as examples).
Illus. 47: Selecting imported SSL certificates (example)
– Fill in both fields, and check that both certificates are installed on the server (the server certificate in the print spooler's personal store, Illus. 45; the root certificate under TRUSTED ROOT CERTIFICATION AUTHORITIES of the computer account, Illus. 39) and that the client certificates are signed by the same root certificate. Otherwise, the print jobs will not be executed.
Enabling encryption (per ThinPrint Port)
– To enable SSL encryption use the port configuration (Illus. 48).
Illus. 48: MMC: Enabling encryption per ThinPrint port
Configuring ThinPrint Client
To print to a client machine with encryption, the client certificate has to be imported
on this machine and a registry key has to be set.
Before sending encrypted print data, the server checks whether the name of the
imported certificate is included in the CERTNAME entry in the client's registry and
whether the stored certificate is present on the client. The CertName key in the registry must be entered manually as follows:
1. After the certificate has been imported, create the following registry value on the clients with REGEDIT (Illus. 49; data type: REG_SZ):
HKEY_LOCAL_MACHINE\SOFTWARE\ThinPrint\Client\CertName
Illus. 49: Registry key for SSL encryption on Windows clients (example for certificate Company ABC)
2. Enter as value the name of the imported certificate as displayed in the column ISSUED TO of the MMC's certificate overview (COMPANY ABC as example in Illus. 22).
3. Restart ThinPrint Client Windows.
The CertName registry key is only needed for encrypting print data; receipt of unencrypted print data is still possible.
Note! If you saved your certificate in the certificate store of the machine (i.e.
machine-based) (see Page 18), you must set the CERTSTORE registry key to “1”
(see Illus. 49, arrow right). When using user-specific certificates, set it to “0”.
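The client-side procedure above (steps 1 to 3 and the CertStore note), as an added PowerShell example; it is not ThinPrint's code and not part of the original document. It looks the certificate up the way the page describes (by its ISSUED TO name, in the user or machine store according to CertStore), runs the checks that the troubleshooting appendix lists (exactly one certificate matches the name, the validity period has started and not ended, the chain ends at the intended root certificate), writes CertName and CertStore, and restarts the client. Assumptions not taken from the page: the ThinPrint Client runs as a Windows service named 'TPClientService', CertStore is stored as REG_SZ like CertName, and the root certificate has also been imported on the client.

```powershell
# Added example, not ThinPrint's code. Configures the CertName/CertStore values
# of Illus. 49 after checking the certificate the way the appendix suggests.
# ASSUMPTIONS not taken from the page: the ThinPrint Client Windows service is
# called 'TPClientService' (check with Get-Service), CertStore is REG_SZ like
# CertName, and the root certificate is in a Trusted Root store on the client.
function Set-ThinPrintClientCert {
    param(
        [Parameter(Mandatory)] [string] $CertName,   # ISSUED TO name of the client certificate
        [Parameter(Mandatory)] [string] $RootName,   # ISSUED TO name of the root certificate
        [switch] $MachineStore,                      # imported machine-based -> CertStore = 1
        [string] $ServiceName = 'TPClientService'    # ASSUMPTION: service name of ThinPrint Client
    )
    $ErrorActionPreference = 'Stop'
    $location = if ($MachineStore) { 'LocalMachine' } else { 'CurrentUser' }

    # ISSUED TO in the MMC is the certificate's simple name (normally its CN).
    function Find-IssuedTo([string] $Path, [string] $Name) {
        Get-ChildItem $Path | Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $Name }
    }

    # 1. Exactly one certificate with this name in the store that CertStore selects.
    $certs = @(Find-IssuedTo "Cert:\$location\My" $CertName)
    if ($certs.Count -eq 0) { throw "No certificate issued to '$CertName' in Cert:\$location\My; check user vs. machine store and the spelling." }
    if ($certs.Count -gt 1) { throw "'$CertName' matches $($certs.Count) certificates; a vague name can select the wrong one. Use a distinctive name." }
    $cert = $certs[0]
    if (-not $cert.HasPrivateKey) { throw "'$CertName' has no private key: import the .pfx, not the .cer." }

    # 2. Validity window ('validity starts in the future' and 'expired' in the appendix).
    $now = Get-Date
    if ($cert.NotBefore -gt $now) { throw "Not valid before $($cert.NotBefore); synchronize date and time." }
    if ($cert.NotAfter  -lt $now) { throw "Expired on $($cert.NotAfter); request a new certificate." }

    # 3. The chain must end at the root the ThinPrint Engine is configured with.
    $roots = @(Find-IssuedTo 'Cert:\LocalMachine\Root' $RootName) + @(Find-IssuedTo 'Cert:\CurrentUser\Root' $RootName)
    if ($roots.Count -eq 0) { throw "Root certificate '$RootName' is not in a Trusted Root Certification Authorities store." }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # an in-house CA usually publishes no CRL
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain for '$CertName' does not build: $status"
    }
    $chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($roots.Thumbprint -notcontains $chainRoot.Thumbprint) {
        throw "'$CertName' chains to '$($chainRoot.Subject)', not to '$RootName'; server and client certificates must share one root."
    }

    # 4. Registry values from the section above (HKLM\SOFTWARE\ThinPrint\Client).
    $key = 'HKLM:\SOFTWARE\ThinPrint\Client'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'CertName'  -PropertyType String -Value $CertName -Force | Out-Null
    New-ItemProperty -Path $key -Name 'CertStore' -PropertyType String -Value $(if ($MachineStore) { '1' } else { '0' }) -Force | Out-Null

    # 5. The client reads the values at start, so restart it (step 3 of the procedure).
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        Restart-Service -Name $ServiceName
    } else {
        Write-Warning "Service '$ServiceName' not found; restart the ThinPrint Client manually."
    }
    "OK: CertName='$CertName' ($location store, thumbprint $($cert.Thumbprint)), root '$RootName'"
}

# Usage with the example names from the illustrations, certificate in the machine store:
Set-ThinPrintClientCert -CertName 'Company ABC' -RootName 'Company ABC-CA' -MachineStore
```

Run it in an elevated PowerShell on the client. On 64-bit Windows a 32-bit client process reads the WOW6432Node view of HKLM\SOFTWARE rather than the path shown above; if the client does not pick up the values, check which view it uses.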
Appendix: Troubleshooting
The following is a table of possible error messages with information on correcting the
errors.

Error message: The Client has rejected the print job ... error in function No. 3.
Solution: The client is active and has been detected but cannot print.
• Printer off / paper jam / no toner?
• Client certificate not found. Possible causes: the client certificate is not signed by the correct root certificate; the certificate is not in the correct store (user/machine store, see the CertStore note) or does not have the correct rights (Page 32); typing error in the encryption settings or in the registry (Illus. 47 or Illus. 49).

Error message: The client certificate cannot be read or is incorrect.
Solution: The client certificate is present but cannot be read. If necessary, request a new client certificate.

Error message: Error while receiving data.
Solution:
• With SSL encryption: you may be using an older ThinPrint Client. Install the latest version.
• When printing via ICA/RDP: the connection may have been (briefly) lost.

Error message: Server or client certificate has not been signed by the selected root certificate.
Solution:
• Server and client certificate must be signed by the same root certificate. Check the "Issued by" column (Illus. 22 and 45) against the root certificate (Illus. 39).
• No name was entered for the root certificate in the ThinPrint Engine configuration (Illus. 47).
• The certificate name (e.g. "root") may be too vague. The lookup then picks the first certificate in the store whose name contains this string, which may be a different certificate, and the signature check fails. Use a distinctive name.

Error message: Error while handshaking for encrypted transfer.
Solution: Refers to the server certificate.
• The server certificate is invalid or has expired.
• The server certificate has no private key: the file that was imported contained only the public part (a .cer instead of the .pfx exported together with the private key, section 4, Page 22). Import the .pfx again; the EXPORTABLE checkbox in the import wizard only controls whether the key can be exported again later, not whether it is imported.
• No name was entered in the ThinPrint Engine encryption settings (see also Illus. 47).

Error message: The server certificate validity starts in the future.
Solution: The server certificate is not valid yet.
• Synchronize date and time on all associated computers.
• Depending on the system, a certificate requested from the IIS first becomes valid the day after it was issued. Validity can be checked in the certificate manager (Illus. 45).

Error message: The server certificate name has not been set.
Solution: No name was entered in the ThinPrint Engine configuration (see Illus. 47).

Error message: Couldn't find selected server certificate.
Solution: The name in the ThinPrint Engine configuration does not match the server certificate's ISSUED TO name (mistyped?) (see Illus. 47).

Error message: Couldn't find selected root certificate.
Solution: The name in the ThinPrint Engine configuration does not match the root certificate's ISSUED TO name (mistyped?) (see Illus. 47).

Error message: The root certificate name has not been set.
Solution: No name was entered in the ThinPrint Engine configuration (see Illus. 47).