When a supported PKI smart card is inserted in a supported PKI smart card reader, PRISMAsync Print Server reads the card and starts the certificate authentication.
Whether PRISMAsync Print Server checks the entered PIN or password depends on the PKI smart card configuration.
A PKI smart card can store multiple smart card certificates and private keys. When multiple smart card certificates are stored on the PKI smart card, the login window shows a drop-down list to select the user name.
The scheme below describes the verification steps of a PKI smart card during the login process.
PRISMAsync Print Server only accepts PKI smart cards whose certificates are time-valid, that is, the current date lies within the validity period of each certificate in the path.
Whether PRISMAsync Print Server checks the revocation status of the entire smart card certificate path depends on the PRISMAsync Print Server PKI smart card configuration. The revocation state of the root certificate is never checked.
PRISMAsync Print Server only accepts PKI smart cards for which the entire certificate path can be trusted.
PRISMAsync Print Server only accepts smart card certificates that are issued for PKI smart card usage.
Whether PRISMAsync Print Server checks the entered PIN or password depends on the PRISMAsync Print Server PKI smart card configuration. When the card holds certificates for multiple users, the login window shows a drop-down list to select the user name. PRISMAsync Print Server only proceeds with the user authentication when the smart card PIN or password is correct.
When all verification steps are successful, the user authentication process starts.
A smart card certificate is issued by a Certification Authority (CA). This CA can be another (Intermediate) CA or a Root CA. The Root CA certificate is issued by the Root CA itself. The Root CA certificate is the end point of the certificate chain and establishes the point of trust. The issuer relationships between these CAs form the certificate chain from the smart card certificate up to the Root CA.
The smart card certificate can be trusted if it was issued, and therefore signed, by a trusted CA. PRISMAsync Print Server stores CA certificates in the list of trusted certificates.
The certificate chain determines how the verification of certificates in the chain takes place. PRISMAsync Print Server verifies the smart card certificate chain as soon as a user logs in with a smart card.
Example:
PRISMAsync Print Server reads the issuer field of the smart card certificate and verifies if the issuer is in the list of trusted certificates. If the issuer is in the list, PRISMAsync Print Server uses the public key of the CA to verify the signature on the smart card certificate.
The CA certificate is issued by the Root CA. Thus, this CA certificate is an Intermediate certificate. PRISMAsync Print Server now verifies if the Root CA is in the list of trusted certificates. If the Root CA is in the list, PRISMAsync Print Server uses the public key of the Root CA to verify the signature on the Intermediate CA certificate.
The Root CA certificate is issued by the Root CA itself. The signature on the Root CA certificate can be verified with the public key of the Root CA.
When all smart card CAs prove to be trusted, PRISMAsync Print Server considers the smart card certificate as trusted.
In general, PKI smart card users have an LDAP user account on an LDAP directory server. To support these user accounts, you configure a PRISMAsync domain and the required PRISMAsync domain user groups. The PKI smart card users, like the other domain users, get their access rights from the configured PRISMAsync domain user groups.
When a user inserts the PKI smart card, PRISMAsync Print Server reads the UPN (User Principal Name) from the smart card certificate. The domain part of the UPN (the part after the @ sign) identifies the LDAP domain where the smart card user accounts are stored.
You can configure how PRISMAsync Print Server handles a UPN (User Principal Name) that refers to an LDAP domain that is not configured on PRISMAsync Print Server.
The PRISMAsync Print Server standard and configurable behaviour is explained in the scheme below.
When the PKI smart card is valid, PRISMAsync Print Server checks if the domain of the UPN is known.
When the domain is known, PRISMAsync Print Server checks if the user account belongs to one or more PRISMAsync domain user groups.
The user is accepted, when one or more PRISMAsync domain user groups are found.
The user is not accepted, when no PRISMAsync domain user group is found.
When the domain is unknown, PRISMAsync Print Server checks the PKI smart card configuration.
The user is accepted, when the [Accept smart cards from all domains] check box is selected and a user group is selected in the [Group for smart cards from unknown domains] list. Otherwise, the user from the unknown domain is not accepted.
PRISMAsync Print Server uses the user group access rights to check if the user can have access to the required options and tasks.
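The login checks and the domain handling described above, as an added example that is not PRISMAsync Print Server code: it builds a constructed Root CA, Intermediate CA and smart card certificate with the Python `cryptography` package and runs the checks in the order the scheme gives (purpose, time validity, issuer in the trusted list, signature, revocation with the root skipped), then reads the UPN from the certificate and resolves it to domain user groups. The trusted list, the set of revoked serial numbers (standing in for CRL or OCSP lookups), the domain table and all names are assumptions for illustration; the PIN check is not modelled.

```python
# Added example, not PRISMAsync Print Server code. Assumed: trusted list holds CA
# certificates only, revocation is a constructed set of serial numbers, and the
# PRISMAsync domain configuration is a plain dict. All names are illustrative.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

SMARTCARD_LOGON = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.2")  # EKU: Smart Card Logon
UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")          # SAN otherName: userPrincipalName
UTC = dt.timezone.utc

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(cn, issuer_cn, key, signer, days, ca, exts=()):
    """Build one certificate; `signer` is the private key of the issuing CA."""
    now = dt.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(_name(cn)).issuer_name(_name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signer, hashes.SHA256())

def _validity(cert):
    """Validity period as aware datetimes (works with old and new cryptography releases)."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def _upn(cert):
    """Read the UPN from the SAN otherName; value is a DER UTF8String (tag 0x0C, length, bytes)."""
    san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    for other in san.get_values_for_type(x509.OtherName):
        if other.type_id == UPN_OID and other.value[:1] == b"\x0c":
            return other.value[2:2 + other.value[1]].decode()
    return None

def verify_card_certificate(leaf, trusted, now, check_revocation=True, revoked=frozenset()):
    """Apply the login checks in the order of the scheme; return (accepted, reason)."""
    try:
        eku = leaf.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        eku = []
    if SMARTCARD_LOGON not in eku:
        return False, "certificate is not issued for PKI smart card usage"
    cert = leaf
    while True:
        nb, na = _validity(cert)
        if not nb <= now <= na:
            return False, f"'{cert.subject.rfc4514_string()}' is not time-valid"
        is_root = cert.issuer == cert.subject
        # The issuer (for the self-signed root: the root itself) must be in the trusted list.
        issuer = next((c for c in trusted if c.subject == cert.issuer), None)
        if issuer is None:
            return False, f"issuer '{cert.issuer.rfc4514_string()}' is not in the trusted list"
        try:  # verify this certificate's signature with the issuer's public key
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            return False, f"signature on '{cert.subject.rfc4514_string()}' does not verify"
        # Revocation is configurable and is never checked for the Root CA certificate.
        if check_revocation and not is_root and cert.serial_number in revoked:
            return False, f"'{cert.subject.rfc4514_string()}' is revoked"
        if is_root:
            return True, "certificate path is trusted"
        cert = issuer  # climb one step towards the Root CA

def resolve_groups(upn, domains, accept_unknown=False, unknown_group=None):
    """Map a UPN to PRISMAsync domain user groups; None means the user is not accepted."""
    user, _, domain = upn.partition("@")
    if domain.lower() in domains:                       # known domain: needs at least one group
        return domains[domain.lower()].get(user.lower()) or None
    if accept_unknown and unknown_group:                # unknown domain: configurable fallback
        return [unknown_group]
    return None

def build_demo_pki():
    """Constructed Root CA -> Intermediate CA -> smart card certificate (assumed names)."""
    root_key, int_key, card_key = (rsa.generate_private_key(public_exponent=65537, key_size=2048) for _ in range(3))
    root = _cert("Demo Root CA", "Demo Root CA", root_key, root_key, 3650, True)
    inter = _cert("Demo Issuing CA", "Demo Root CA", int_key, root_key, 1825, True)
    upn = b"jdoe@print.example"
    card = _cert("Jane Doe", "Demo Issuing CA", card_key, int_key, 365, False, exts=[
        (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH, SMARTCARD_LOGON]), False),
        (x509.SubjectAlternativeName([x509.OtherName(UPN_OID, b"\x0c" + bytes([len(upn)]) + upn)]), False)])
    return root, inter, card

def demo():
    root, inter, card = build_demo_pki()
    now = dt.datetime.now(UTC)
    trusted = [root, inter]                                   # list of trusted certificates
    domains = {"print.example": {"jdoe": ["Operators"], "guest": []}}  # configured domain and groups
    return {
        "chain_ok": verify_card_certificate(card, trusted, now)[0],
        "missing_intermediate": verify_card_certificate(card, [root], now)[0],
        "expired": verify_card_certificate(card, trusted, now + dt.timedelta(days=400))[0],
        "revoked_card": verify_card_certificate(card, trusted, now, revoked={card.serial_number})[0],
        "revoked_root_ignored": verify_card_certificate(card, trusted, now, revoked={root.serial_number})[0],
        "upn": _upn(card),
        "known_domain": resolve_groups(_upn(card), domains),
        "known_domain_no_group": resolve_groups("guest@print.example", domains),
        "unknown_domain_rejected": resolve_groups("jdoe@other.example", domains),
        "unknown_domain_mapped": resolve_groups("jdoe@other.example", domains, True, "Visitors"),
    }
```

The chain walk stops only at a self-signed certificate that is itself in the trusted list, so a card whose Intermediate CA certificate is missing from the list is rejected even though the Root CA is trusted, and a revoked serial for the root has no effect, matching the behaviour described above.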