Use an existing trusted SSL certificate specifically for PaperCut MF
If you have an existing SSL key with certificate, you can import it into the PaperCut MF keystore. The process depends on the type of certificate you have:
- On Windows, a certificate with an attached private key stored in either:
  - the Windows certificate store
  - a PKCS#12 file (*.p12/*.pfx)
- On Linux, separate 'PEM encoded' key and certificate files.
- Export the existing certificate with key
- Import the certificate into the PaperCut MF keystore
- Configure the PaperCut MF keystore
Step 1: Export the existing certificate with key
The way in which you export your existing trusted key depends on where it is stored:
On Windows, if the certificate is in the Windows certificate store:
- Open the Windows Control Panel; then select Internet Options.
- On the Content tab, click Certificates.
- On the Personal tab, select the certificate; then click Export.
- Click Next at the initial screen.
- Select Yes, export the private key; then click Next. If you selected the last option correctly, you can export only as a .PFX file.
- Select the Include all the certificates in the certification path if possible check box.
- Clear the Enable strong protection check box.
- Clear the Delete the private key if the export is successful check box.
- Type a password for the PFX file. This is only used temporarily.
- Save the PFX file with the extension .pfx. (This is just temporary; you MUST delete this file later on.)
- Finish the wizard to export the certificate.
On Linux, if the key and certificate are in separate 'PEM encoded' files:
- Use the 'OpenSSL' tool that is part of many Linux distributions to combine both files into a PKCS#12 file with the following command (type this all on one line):
openssl pkcs12 -export -inkey <key file> -in <certificate file> -out <pfx file>
<pfx file> is the target PKCS#12 file, for which you should choose a filename with the extension .pfx. Note: This is just temporary; you MUST delete this file later on.
If you already have a PKCS#12 file, you do not need to perform this step.
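A pre-flight wrapper around the OpenSSL export above, added here as an example and not part of PaperCut's documentation or tooling: it refuses to build the PKCS#12 file if the key and certificate do not belong together or the certificate is close to expiry, and it creates the file readable only by the current user. The function names, the PFX_PASS variable and the 30-day threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not PaperCut tooling). Function names, the PFX_PASS variable
# and the 30-day default are assumptions made for this illustration.
# Assumes an unencrypted PEM private key.

# Succeeds only if the private key and the certificate hold the same public key.
key_matches_cert() {
    local key=$1 cert=$2 kpub cpub
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeeds only if the certificate stays valid for at least min_days more days.
cert_valid_for_days() {
    local cert=$1 min_days=$2
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1
}

# Build the temporary PKCS#12 file for Step 2.
# The password is read from the exported PFX_PASS variable so that it does not
# appear on the command line.
export_pfx() {
    local key=$1 cert=$2 pfx=$3 min_days=${4:-30}
    [ -n "${PFX_PASS:-}" ] || { echo "export PFX_PASS first" >&2; return 1; }
    key_matches_cert "$key" "$cert" ||
        { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for_days "$cert" "$min_days" ||
        { echo "certificate expires within $min_days days" >&2; return 1; }
    # umask 077 in a subshell: the file holding the private key is created
    # readable by the current user only.
    ( umask 077
      openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$pfx" \
          -passout env:PFX_PASS ) || return 1
    # Re-open the result to confirm it parses with the same password.
    openssl pkcs12 -in "$pfx" -noout -passin env:PFX_PASS 2>/dev/null
}

# Usage (paths are placeholders):
#   export PFX_PASS='...'
#   export_pfx server.key server.crt /tmp/papercut-import.pfx
#   ... run create-ssl-keystore as in Step 2, then delete the temporary file:
#   rm -f /tmp/papercut-import.pfx
```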
Step 2: Import the certificate into the PaperCut MF keystore
The way in which you import your trusted certificate into the PaperCut MF keystore depends on the type of certificate you have:
- For separate key and certificate files, use the tool create-ssl-keystore to import the key/certificate. An example of the command's use:
cd [app-path]/server/bin/win
create-ssl-keystore -f -cert <certificate file path> -key <key file path> -keypass <key file password>
More information is available via the --help command line option.
Usage: create-ssl-keystore [-f] [-cert FILE] [-key FILE] [-keypass PWD] [-certCA FILE....]
-f: Force. Overwrite any existing keystore file.
-cert FILE: Creates a keystore for a given custom certificate file.
Must be used in conjunction with -key argument.
-key FILE: Creates a keystore for a given custom private key file.
-keypass pwd: Specifies the password accompanying the private key.
-certCA FILE: Specifies one or more optional issuer (CA) certificate to include
- For a PKCS#12 file, use the tool create-ssl-keystore to import the key/certificate. An example of the command's use:
cd [app-path]/server/bin/win
create-ssl-keystore -f -p12 "path/to/pfx.pfx" -p12pass password -k "path/to/custom/folder/my-ssl-keystore"
More information is available via the --help command line option.
Usage: create-ssl-keystore [-f] [-p12 FILE] [-p12pass PWD] [-k FILE]
-f: Force. Overwrite any existing keystore file.
-p12 FILE: Creates a keystore for a given custom private key file.
-p12pass pwd: Specifies the password accompanying the private key.
-k FILE: Define a keystore file location. If not set, the keystore is created
in the default location (server/data/default-ssl-keystore).
Step 3: Configure the PaperCut MF keystore
Changes are not applied until the PaperCut MF Application Server is restarted.
To configure the PaperCut Application Server to use the new key/certificate:
- Copy your signed keystore onto the server running the PaperCut MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore
- Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).
- Locate the section titled SSL Key/Certificate.
- Remove the # (hash) comment marker from all lines starting with "server.ssl".
- Define the location of your keystore, keystore password and key password as chosen previously. The file should look something like this:
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=default
server.ssl.key-password=default
NOTE: On Mac OS, specify the FULL path to your keystore, e.g. /Applications/PaperCut MF/server/custom/my-ssl-keystore
- Restart the PaperCut MF Application Server and verify all is working. If the server fails to start, error messages are recorded in logs located in the server's logs directory.
Now that you have a working SSL certificate for your PaperCut MF server, it's time to set a reminder in your calendar (or similar) to ensure that your SSL certificate is renewed before it expires! Go do that now!