Distributing certificates


Certificates for various encryption tasks can be installed on the Hubs:

  1. from a workstation:
    accessing a Hub’s web console via https with an Internet browser
  2. from a Hub:
    IEEE 802.1x authentication for logging a Hub on to other devices (typically in conjunction with a Radius server)
  3. from a ThinPrint Engine:
    sending print data to the ThinPrint Client of a Hub
  4. from a Hub (Release Station):
    authentication of users using a Release Station on the Personal Printing server via https

All certificates must first be uploaded to the NoTouch Center. Then they can be distributed to the Hubs.

Providing certificates

Encryption tasks

The following certificates are required for the encryption tasks described above:

  1. web server certificate for the Hub configuration console
    The name of the – individual – certificate must match the name or IP address of the respective Hub.
  2. certificate of a technical user
    The Hubs log on to the authentication server with this – global – certificate.
  3. certificate for the ThinPrint Client
    With this server certificate (!), the ThinPrint Client (of the Hub) authenticates itself to the ThinPrint Engine. The certificate can apply – globally – to all ThinPrint Clients or – individually – to the respective ThinPrint Hub.
  4. Issuer certificate for authentication at the Personal Printing server
    When the connection to the Personal Printing server is established via https, the Personal Printing server sends its web server certificate, which the Hub must check for validity with an associated issuer certificate. The issuer certificate can be a root or intermediate certificate of a certification authority.

You can either purchase the certificates described above from a certificate provider (such as thawte.com, digicert.com, letsencrypt.org or bundesdruckerei.de) or generate them yourself using a certification authority. Number 4 does not apply to the use of purchased certificates from such providers because the associated issuer certificates are then already available in the participating computers’ or Hubs’ operating system.

Tip: The web server certificates described in number 1 serve exclusively to connect to the web consoles of the Hubs via https. In order to avoid certificate error messages from the browser used, please note:

  • Add the host names or FQDNs of the Hubs to the Domain Name System – DNS – of your Active Directory.
  • To call the web console of a Hub, enter the hostname or FQDN in the address bar of the browser, e.g.:
    https://TPHub-d2067e
  • With self-created certificates, first install the issuer certificate (root or intermediate certificate) of your certification authority on the workstation from which you want to open the web console of the Hubs.
  • When using Firefox, the issuer certificate (root or intermediate certificate) must usually also be imported in the browser itself as the certification authority and enabled for identifying web pages.

  • When using Chrome or a Chromium-based browser (such as Brave, Opera or Vivaldi), the host name or FQDN must also be specified as Common name when creating the certificates.

  • If you use the hostname or FQDN, clicking the NoTouch Center’s Device’s Web Interface button will display a certificate error message from your browser because the NoTouch Center connects to the Hub using its IP address, for example:
    https://192.168.149.61

Convert file formats if necessary

The NoTouch Center supports the following certificate file formats:

  • .pem for the certificate types mentioned in numbers 1 to 3
  • .crt for the certificate type mentioned in number 4

If your certificates are only in .pfx and .cer formats, you must convert them first. For this you can use OpenSSL (for Linux or Windows).

Example of converting a server certificate from .pfx to .pem (numbers 1 and 3) using OpenSSL for Windows:

openssl pkcs12 -in D:\certificates\ReleaseStation-03.pfx -passin pass:12345 -out D:\certificates\ReleaseStation-03.pem -passout pass:12345 -nodes

Example of converting a technical user’s certificate from .pfx to .pem (number 2) using OpenSSL for Windows:

openssl pkcs12 -in D:\certificates\HubService.pfx -passin pass:12345 -out D:\certificates\HubService.pem -passout pass:12345 -nodes

Example of converting a root certificate from .cer to .crt (number 4) using OpenSSL for Windows:

openssl x509 -inform DER -in D:\certificates\certsrv05-CA.cer -out D:\certificates\certsrv05-CA.crt
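
A pre-upload check for the .pem files produced by the conversions above, as an added example that is not part of the original documentation: it confirms that the file holds a certificate together with its matching private key, that the certificate has not expired, and which of the Hub's hostname and IP address it covers. The function names and the self-signed sample certificate are constructed for illustration; the hostname and IP address are the ones used on this page.

```sh
#!/bin/sh
# Added example: checks for a Hub .pem before uploading it to the NoTouch Center.
# All function names are illustrative; only standard openssl subcommands are used.

# True if FILE holds a certificate and the unencrypted private key that belongs
# to it (the layout written by "openssl pkcs12 ... -nodes").
pem_has_matching_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate has not expired yet.
cert_is_current() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# True if the certificate is valid for the given hostname / IP address.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'
}

# Constructed sample: self-signed certificate with CN=$2, key and cert in one file.
make_sample_pem() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$1"
    rm -rf "$tmp"
}

# Usage: check_hub_pem FILE HOSTNAME IP   (returns 0 if FILE is usable for HOSTNAME)
check_hub_pem() {
    rc=0
    pem_has_matching_key "$1" || { echo "FAIL: no certificate with matching private key"; rc=1; }
    cert_is_current "$1" || { echo "FAIL: certificate has expired"; rc=1; }
    cert_matches_host "$1" "$2" || { echo "FAIL: certificate is not valid for $2"; rc=1; }
    cert_matches_ip "$1" "$3" || echo "NOTE: not valid for $3, so https://$3 shows a certificate error"
    return $rc
}

if [ "$#" -eq 3 ]; then check_hub_pem "$@"; fi
```

A certificate issued only for the hostname passes with a NOTE for the IP address, which is the browser error described in the tip above for the NoTouch Center's Device's Web Interface button.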

Uploading the certificates

  • To upload certificates, select Resources → Certificates.

  • Alternatively, you can use Manage → Certificates.

1. Web server certificates of the Hubs

  • Change to the Assignable Certificates page (see the cursor).

  • Drag the web server certificates of the Hubs into the Drop Files Here field.
  • Click the Upload All button to upload the certificates to the NoTouch Center.

The Hub certificates then appear in the list of certificates that can be assigned to individual Hubs (Assignable Certificates).

2. Certificate of a technical user

  • Stay on or switch to the Global Certificates page (see the cursor).

  • Drag the technical user’s certificate for logging on to an authentication server into the Drop Files Here field.
  • Click the Upload All button to upload the certificate to the NoTouch Center.

The certificate of the technical user then appears in the list of certificates assigned to all Hubs (Global Certificates).

3. Server certificate of the ThinPrint Clients

  • Stay on or switch to the Global Certificates page (see the cursor).

  • Drag the ThinPrint Client’s certificate for receiving encrypted print jobs into the Drop Files Here field.
  • Click the Upload All button to upload the certificate to the NoTouch Center.

The ThinPrint Client certificate then appears in the list of certificates assigned to all Hubs (Global Certificates).

Alternatively, it is possible to assign each ThinPrint Client its own certificate. In this case, proceed as described in section 1, Web server certificates of the Hubs, above.

4. Issuer certificate for Personal Printing authentication

You only need this option if you want to use self-created certificates of your own certification authority for Personal Printing.

  • Stay on or switch to the Global Certificates page (see the cursor).

  • Drag the root or intermediate certificate of your certification authority into the Drop Files Here field.
  • Click the Upload All button to upload the certificate to the NoTouch Center.

The root or intermediate certificate then appears in the list of certificates assigned to all Hubs (Global Certificates).

Distributing the certificates to the Hubs

Global certificates

  • All global certificates (see Uploading the certificates above) are distributed to all assigned Hubs each time the Announce function is called or after the Management Announce Interval time is up. Only the Hubs in the Unassigned container are not affected.

Certificates that can be assigned to individual Hubs

  • All certificates uploaded as Assignable Certificates (see Uploading the certificates above) will only be distributed to Hubs if they have previously been assigned to a Hub or Group, here: TPHub-d2067e.pem and ThinPrint Client.pem.
  • Mark the desired Hub (here: TPHub-d2068e) or the Group Settings of its group and select the Certificates tab.
  • Use the drop-down menu to select the certificates and enable them by moving the corresponding switch to On. Confirm with the Save button.

  • These certificates are also distributed to all assigned Hubs each time the Announce function is called or after the Management Announce Interval time is up. Only the Hubs in the Unassigned container are not affected.

 
