If you want a secure connection between ThinPrint Engine and ThinPrint Client, you can encrypt print data.
This print data encryption is based on client authentication. When using encryption, two certificates are installed on the server where ThinPrint Engine is running, and a certificate signed by the server is installed on the client. More information is found in Encrypting of print data from remote desktops.
We recommend creating certificates with an individual certificate server or requesting them from an official source. Please note that the certificate must be a X.509 certificate (file format *.cer, *.pfx or *.p12). See the instruction Creating certificates for printing with ThinPrint.
Importing certificates
If the Use encryption option is enabled in the ThinPrint Port configuration on the server, a relevant certificate, which has been signed by the server, must be imported to the machines on which a ThinPrint Client is running.
Note! Client certificates have to be imported in the client machine’s certificate store. Either you import the certificates individually for each user (at My User Account) or one time per machine (at Computer account). Did you choose the Computer Account you have to assign permissions to the certificate afterwards, if the computer user(s) are not members of the Administrators group (see the instruction Creating certificates for printing with ThinPrint).
If the computer has its own certificate set the registry value CertStore to 1 (Additional Registry entries of ThinPrint Client Windows).
In case CertStore=1 shouldn’t work, either install the certificate for each user (and set CertStore back to 0) or download the Windows HTTP Services Certificate Configuration Tool from Microsoft’s website and run the following on the Command Prompt as admin and for each user:
WinHTTPCertCfg.exe -g -c LOCAL_MACHINE\MY -s -a
- To install a client certificate, open the Microsoft Management Console (MMC).
- Select either the following in MMC on the client PC per user:
File→ Add/ Remove Snap-In→ Add→ Certificates→ Add→ My User Account→ Finish→ OK
Or select for the machine:
File→ Add/ Remove Snap-In→ Add→ Certificates→ Computer Account→ Next→ Local Computer→ Finish→ OK
- Now import the certificate by selecting All Tasks→ Import in the Personal context menu, then Next→ Browse→ Next→ Password→ Next→ Place all certificates in the following store→ Next→ Finish→ OK
The following screenshots show the results of import: for Current User and for Local User.
Registry entry CertName
Before sending encrypted print data, the server checks whether the name of the imported certificate is included in the CertName entry in the client machine’s Registry and whether the stored certificate is present on the client. Enter the CertName entry in the Registry as follows:
- After the certificate has been imported, create the following Registry entry with data type reg_sz on the client machines:
hkey_local_machine\software\thinprint\client\CertName
- Enter as value the name of the imported certificate as displayed in the column Issued to of the MMC’s certificate overview (Company XY- Client as example).
- Restart ThinPrint Client Service Windows.
The CertName Registry entry is only needed for encrypting print data; receipt of unencrypted print data is still possible.