Selecting certificate of Terminal Server
Overview
By default, Terminal Server uses the pre-installed certificate distributed with YSoft SafeQ to provide secure communication between Terminal Server and MFDs. This certificate, together with the corresponding CA certificate, can be found in <SafeQ_dir>\terminalserver\Certificates. Terminal Server can be configured to use external certificates provided by the Windows Certificate Store or the file system.
The certificate of your CA must be uploaded to the MFD (following the vendor's guide); otherwise the MFD might reject the certificate and users will be unable to log in.
Setting Terminal Server certificate
The certificates can be stored as a file on a local or network disk, or can be selected from the Windows Certificate Store.
If you have a wildcard certificate, the options can be configured globally for all Terminal Servers in the YSoft SafeQ 5 environment web interface. Go to System > System settings (Expert mode) and set dsCertificateSource to one of the following options:
Default - default certificate provided with SafeQ
WindowsCertStore - finds certificate in Windows Certificate Store
FileSystem - tries to find the certificate on a local or network disk
All the options are case-insensitive. If the certificate is not found in the certificate store or in the file system, or if an error occurs during initialization of the certificate, the default one is used. If the loaded certificate is not valid, a warning message appears in Terminal Server's log file stating that a different certificate should be used.
If you have a set of certificates issued for specific servers, the local setting of the certificate source is more appropriate. On each machine running SafeQ 5 server, this option can be specified in Terminal Server's configuration file TerminalServer.exe.config, which can be found in the directory <SafeQ_dir>\terminalserver\. To change the certificate source, add or modify the configuration option dsCertificateSource in the appSettings section in the same way as described above.
<add key="dsCertificateSource" value="windowscertstore" />
Detailed explanation of each of the configuration options follows.
Default certificate
If this option is selected, the default certificate provided with YSoft SafeQ is used for secure communication. This certificate is stored in the file <SafeQ_dir>\terminalserver\Certificates\SafeQ DS Web Server.pfx. The default certificate is automatically installed into the Windows Certificate Store specified by the configuration option dsCertificateStore.
Windows Certificate Store
If you do not have your certificate in the Windows Certificate Store yet, follow the instructions in the section How to install a certificate into Windows Certificate Store.
If the Windows Certificate Store is selected as the certificate source, the certificate store name and certificate identifier must be specified by the following options:
Certificate Store
The store where Terminal Server searches for the certificate is provided via the configuration option dsCertificateStore, with the following options:
Root - Trusted Root Certification Authorities
My - Personal (default value)
TrustedPublisher - Trusted Publishers
TrustedPeople - Trusted People
AuthRoot - Third-Party Root Certification Authorities
This configuration option is case-insensitive and must always be provided; otherwise the default store Root is selected. By default, Windows uses the Personal folder for storage of certificates with their private keys.
Certificate identifier
The configuration option dsCertificateStoreIdentifier (Expert mode in System > System settings) is used to specify the certificate in the selected certificate store. There are two ways to identify the certificate:
a) The certificate in the store can be specified by its name (column "Issued To"), which can be found in the mmc tool (see How to access Windows Certificate Store).
b) Another option is to specify the certificate by its unique thumbprint, which can be obtained by double-clicking the certificate and browsing the Details tab for the thumbprint. Remove spaces and make sure there are no invisible characters when copying the value from the window (it adds an invisible character at the beginning!).
If each certificate is issued for a specific machine running SafeQ 5 server, all the above options can also be specified locally on each machine in Terminal Server's configuration file TerminalServer.exe.config, which can be found in the directory <SafeQ_dir>\terminalserver. To change the options, add or modify the configuration options in the appSettings section in the same way as described above.
<add key="dsCertificateSource" value="windowscertstore" />
<add key="dsCertificateStore" value="my" />
<add key="dsCertificateStoreIdentifier" value="SafeQ DS Web Server" />
File system
If this option is selected, Terminal Server loads the certificate from the file system. The certificate is automatically installed into the Windows Certificate Store specified by the configuration option dsCertificateStore (described in the previous section).
It is not recommended to use the file system certificate location unless necessary, since your certificate file must not be protected by a password. If possible, install the certificate on the machine with Terminal Server (follow the steps in How to install a certificate into Windows Certificate Store) and use the Windows Certificate Store as the certificate source.
To specify the location of the file on a local disk or network storage, the configuration option dsCertificateFileSource must be provided. A full path to the certificate file needs to be specified, e.g. C:\Certificates\DS-certificate.pfx or \\10.0.0.99\Certificates; network locations can also be used.
Again, this option can also be set in Terminal Server's configuration file TerminalServer.exe.config, which can be found in the directory <SafeQ_dir>\terminalserver. To change the options, add or modify the configuration options in the appSettings section in the same way as described above.
<add key="dsCertificateSource" value="filesystem" />
<add key="dsCertificateFileSource" value="C:\Certificates" />
The only certificate file type currently supported by Terminal Server is Personal Information Exchange, the .pfx file.
Checking the correct certificate binding
After you configure the usage of your keys/certificates and restart the YSoft SafeQ Terminal Server service, you should check that Terminal Server is functional and that your certificate was correctly bound. The easiest way is to connect to this machine using a browser:
Open https://<terminal_server_IP>:port in the browser, where port is one of the ports opened for secure connection to the Terminal Server, e.g. 5022.
Click on the lock in the address bar and then the View certificate button.
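A scripted version of the identifier check (section Certificate identifier) and of the binding check above, as an added PowerShell example that is not part of the YSoft SafeQ documentation: it normalises a thumbprint pasted from mmc, confirms the certificate and an exportable private key are present in the configured LocalMachine store, then connects to a secure Terminal Server port and compares the served certificate. It assumes Terminal Server runs on the local machine on port 5022 from the text; the thumbprint value below is constructed and must be replaced with your own.

```powershell
# Added example, not YSoft SafeQ code. Save as Check-TsCertificate.ps1 and run with
# -Thumbprint "<value copied from mmc Details tab>" -StoreName My -Port 5022
param(
    [string]$Thumbprint = "a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4",  # constructed placeholder
    [string]$StoreName  = "My",          # value of dsCertificateStore
    [string]$ServerName = "localhost",   # host running Terminal Server
    [int]$Port          = 5022           # a secure Terminal Server port (from the docs)
)

# 1. Normalise the copied value: mmc prefixes the thumbprint with an invisible
#    left-to-right mark (U+200E) and separates bytes with spaces, so keep hex digits only.
$clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($clean.Length -ne 40) { throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)" }
Write-Host "dsCertificateStoreIdentifier = $clean"

# 2. Look the certificate up in the LocalMachine store named by dsCertificateStore.
$cert = Get-ChildItem "Cert:\LocalMachine\$StoreName" | Where-Object Thumbprint -eq $clean
if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\$StoreName" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the .pfx with its key" }

# 3. Terminal Server needs an exportable private key; report the key's export policy.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$exportable = switch ($rsa) {
    { $_ -is [System.Security.Cryptography.RSACng] }                   { $_.Key.ExportPolicy -ne 'None' }
    { $_ -is [System.Security.Cryptography.RSACryptoServiceProvider] } { $_.CspKeyContainerInfo.Exportable }
    default                                                            { $null }   # non-RSA key: not checked here
}
Write-Host ("Subject={0}  NotAfter={1}  Exportable={2}" -f $cert.Subject, $cert.NotAfter, $exportable)

# 4. Open a TLS connection to the Terminal Server port and compare the served certificate.
#    The validation callback accepts any certificate because we only want to read it.
$client = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
$tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
try {
    $tls.AuthenticateAsClient($ServerName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    if ($served.Thumbprint -eq $clean) {
        Write-Host "OK: port $Port serves the configured certificate ($($served.Subject))"
    } else {
        Write-Warning "Port $Port serves $($served.Thumbprint) ($($served.Subject)); the default certificate may still be bound"
    }
} finally {
    $tls.Dispose(); $client.Dispose()
}
```

Run it on the Terminal Server machine after restarting the service; a mismatch in step 4 usually means the store or identifier setting did not match and the default certificate was used, as the docs describe.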
How to install a certificate into Windows Certificate Store
Command line tool
The easiest way to import your key/certificates in Personal Information Exchange format (.pfx file) into the Windows Certificate Store is the certutil.exe tool, provided by default with the Windows OS.
The command below imports all the certificates in your file into the appropriate stores, i.e. the end certificate with the corresponding private key (intended for the Terminal Server) into the Personal folder, intermediate authorities into the Intermediate Certification Authorities folder and the root authority into Trusted Root Certification Authorities.
In Windows Server 2012 use the following command:
certutil.exe -importpfx "My" "yourcertificatefile.pfx"
In Windows Server 2008 use the following command:
certutil.exe -importpfx "yourcertificatefile.pfx"
Certificate Import Wizard
Another option is the Certificate Import Wizard. The following steps will guide you through the installation of your key/certificate in Personal Information Exchange format (.pfx file) into the Windows Certificate Store using this wizard.
1. Open the Windows Certificate Store as described in the How to access Windows Certificate Store section.
2. Right-click on any of the folders inside WCS and select All Tasks > Import.
3. Browse to the certificate you want to install and mark the certificate as exportable. When installing the certificate into the Windows Certificate Store, it must be marked as exportable, otherwise Terminal Server will not be able to use it. The certificate must also be provided with the corresponding private key.
4. You can now choose the required store or select the "Automatically select the certificate store based on the type of certificate" option to import all the certificates in your file into the appropriate stores. The end certificate with the corresponding private key (intended for the Terminal Server) is then installed into the Personal folder.
How to access Windows Certificate Store
Even if the certificate is loaded from disk, it must be installed into the Windows Certificate Store in order to be used with Terminal Server. Therefore, to verify the required functionality or manually upload the certificate, you need to access the Windows Certificate Store on the system.
To open the Windows Certificate Store follow these steps:
1. Run mmc.exe from the Start menu or the Run window.
2. Select File > Add/Remove Snap-in.
3. Select Certificates and click Add.
4. Select Computer Account and click Next.
5. Select Local computer and click Finish.
6. The Certificates snap-in is now added and the certificate store can be browsed.
