Advanced customization

Extended keytool.exe usage

This documentation provides the more common scenarios around keytool.exe usage. If you require further customization, review the documentation available from Oracle:

  1. PaperCut MF version 15.2 and newer: Java 8 (1.8) keytool Documentation

  2. PaperCut MF version 14.0 and newer: Java 7 (1.7) keytool Documentation

  3. PaperCut MF version 13.5 and older: Java 6 (1.6) keytool Documentation

Can I have more than one hostname / FQDN?

One of the benefits of using an SSL certificateSSL certificates are small data files that digitally bind a cryptographic key to an organization’s details, such as a company's domain name, your company name, your address, your city, your state and your country. When installed on a web server, it activates the padlock and the HTTPS protocol (over port 443) and allows secure connections from a web server to a browser. When a browser connects to a secure site it retrieves the site's SSL certificate and checks that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL. SSL certificates can be either self-signed or CA signed. is making sure that the URL matches the certificate, preventing a 3rd party from masquerading as you. If you have more than one URL or Fully Qualified Domain Name (FQDN) that PaperCut MF is available from, then you have two main options:

  1. Obtain a "wildcard" certificate from your Certificate Authority. Contact your Certificate Authority for further details as to this service.

  2. Use a "Subject Alternative Name" or "SAN" when creating the SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key. certificate. This should require no special action from your Certificate Authority as this is done as part of the certificate generation process with keytool.exe.

    Note:

    You require keytool.exe for PaperCut MF version 14.0 and newer.

    An example is:

    keytool.exe -keystore "[app-path]/server/custom/my-ssl-keystore" -alias jetty -genkeypair -keyal RSA -ext san=dns:external.company.com

    Then, when asked for your "first and last name", enter the other FQDN:

    What is your first and last name?

    [Unknown]: internal.company.lan

    Confirm that the information is correct. You will see similar to:

    Is CN=internal.company.lan, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?

    Once you have received your certificate from your Certificate Authority you can confirm your "Subject" and "Subject Alternative Name" are valid. Make sure that you test the new certificate with multiple operating systems, browsers and hardware environments including laptops, mobile devices and printers/copiers.

Can I use other algorithms, such as SHA2/SHA256?

Yes. As we use keytool.exe, you can use the documentation above in Extended keytool.exe usage.

For example, generating the private SSL keyIn typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). An SSL key can be either a public key (can be disseminated publicly) or a private key (known only to the owner).:

keytool -genkey -alias server -keyalg rsa -sigalg sha256withrsa -keysize 2048 -keystore sha256

and generating the CSR:

keytool -certreq -alias server -keystore sha256 -file 256.csr -sigalg sha256withrsa