Encrypting print data
for ThinPrint Client Windows


If you want a secure connection between ThinPrint Engine and ThinPrint Client, you can encrypt print data.

This print data encryption is based on client authentication. When using encryption, two certificates are installed on the server where ThinPrint Engine is running, and a certificate signed by the server is installed on the client. For more information, see Encryption of print data.

We recommend creating certificates with an individual certificate server or requesting them from an official source. Please note that the certificate must be an X.509 certificate (file format *.cer, *.pfx or *.p12). See the instruction Creating certificates for printing with ThinPrint.

Importing certificates

If the Use encryption option is enabled in the ThinPrint Port configuration on the server, a relevant certificate, which has been signed by the server, must be imported to the machines on which a ThinPrint Client is running.

Note! Client certificates have to be imported into the client machine’s certificate store. You can import the certificates either individually for each user (at My User Account) or once per machine (at Computer account). If you chose Computer account, you have to assign permissions to the certificate afterwards if the computer's users are not members of the Administrators group (see the instruction Creating certificates for printing with ThinPrint).

If the computer has its own certificate, set the registry value CertStore to 1 (see Additional Registry entries of ThinPrint Client Windows).
If CertStore=1 does not work, either install the certificate for each user (and set CertStore back to 0) or download the Windows HTTP Services Certificate Configuration Tool from Microsoft’s website and run the following at the Command Prompt as admin and for each user:
WinHTTPCertCfg.exe -g -c LOCAL_MACHINE\MY -s -a

Windows HTTP Services Certificate Configuration Tool: assigning the permission for the installed certificate to a specific user

  • To install a client certificate, open the Microsoft Management Console (MMC).
  • In MMC on the client PC, select one of the following. Per user:

File → Add/Remove Snap-In → Add → Certificates → Add → My User Account → Finish → OK

Or for the machine:

File → Add/Remove Snap-In → Add → Certificates → Computer Account → Next → Local Computer → Finish → OK

  • Now import the certificate by selecting All Tasks → Import in the Personal context menu, then Next → Browse → Next → Password → Next → Place all certificates in the following store → Next → Finish → OK

Starting import of a certificate (example for My User Account or Current User)

The following illustrations show the results of the import (for Current User and for Local User).

Certificate imported to a client machine (example for Current User/Personal)

Certificate imported to a client machine (example for Local Computer/Personal)

Registry entry CertName

Before sending encrypted print data, the server checks whether the name of the imported certificate is included in the CertName entry in the client machine’s Registry and whether the stored certificate is present on the client. Enter the CertName entry in the Registry as follows:

  • After the certificate has been imported, create the following Registry entry with data type reg_sz on the client machines:

hkey_local_machine\software\thinprint\client\CertName

Registry entry for encryption on Windows clients (example for Company XY- Client certificate)

  • Enter as value the name of the imported certificate as displayed in the column Issued to of the MMC’s certificate overview (Company XY- Client as example).
  • Restart the ThinPrint Client Service Windows.

The CertName Registry entry is only needed for encrypting print data; receipt of unencrypted print data is still possible.
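
One way to verify the result of the import and Registry steps above on a client, as an added PowerShell example that is not part of ThinPrint's documentation: it reads CertName, picks the certificate store according to CertStore, and checks that a matching certificate with a private key and a current validity period is present. It assumes that CertStore is in the same Registry key as CertName and that the Issued to column corresponds to the certificate's simple subject name; the function name is hypothetical.

```powershell
# Added example (not ThinPrint code). Run it as the user who prints.
# Assumption: CertStore sits in the same Registry key as CertName.
function Test-ThinPrintClientCert {
    param([string]$RegistryKey = 'HKLM:\SOFTWARE\ThinPrint\Client')

    $props = Get-ItemProperty -Path $RegistryKey -ErrorAction SilentlyContinue
    if (-not $props -or [string]::IsNullOrWhiteSpace($props.CertName)) {
        Write-Warning "CertName is missing or empty under $RegistryKey"
        return
    }

    # CertStore=1: certificate imported once per machine; otherwise per user.
    $storePath = if ($props.CertStore -eq 1) { 'Cert:\LocalMachine\My' }
                 else { 'Cert:\CurrentUser\My' }

    # Assumption: "Issued to" in MMC equals the subject's simple name.
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $found = @(Get-ChildItem -Path $storePath |
        Where-Object { $_.GetNameInfo($simple, $false) -eq $props.CertName })

    if ($found.Count -eq 0) {
        Write-Warning "No certificate issued to '$($props.CertName)' in $storePath"
        return
    }

    $now = Get-Date
    foreach ($cert in $found) {
        [pscustomobject]@{
            Store         = $storePath
            IssuedTo      = $props.CertName
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # needed for client authentication
            ValidNow      = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            NotAfter      = $cert.NotAfter
        }
    }
}

Test-ThinPrintClientCert | Format-List
```

HasPrivateKey only shows that a key is associated with the certificate; for a certificate in the machine store, users outside the Administrators group still need the permission assignment described above.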
