Available in PaperCut NG and PaperCut MF.

Purchase and install a new trusted certificate

If you do not already have a certificate signed by a trusted authority, and you would like to use one, you need to purchase the signed certificate and then install it on PaperCut NG/MF

To purchase and install a signed SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key. certificate:

If you already have a signed SSL keyIn typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). An SSL key can be either a public key (can be disseminated publicly) or a private key (known only to the owner). and certificate for the domain name of the PaperCut Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more., see Importing an existing SSL key.

Step 1: Create the SSL keystore and create the private key

  1. Open a command prompt window and change to the directory [app-path]/runtime/jre/bin.

  2. Delete any existing files called 'my-ssl-keystore' in this directory, as they are likely leftovers from previous attempts.

  3. Enter the following command to produce the SSL key:

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -alias jetty -genkeypair -keyalg RSA


    This process creates a 'my-ssl-keystore' file. Don't lose this file! You need it when adding the public key later. We recommend making a copy of this 'my-ssl-keystore' and keeping it in a safe place. If it is lost or changed, your certificate needs to be re-issued, often resulting in costs from your Certificate Authority. If you are renewing your SSL certificate, review Renewing your SSL certificate


    Some organizations require larger key sizes than the default 1024 bit. In this case add the "-keysize 2048" or "-keysize 4096" parameter to the end of the above command line.

    You will be asked a series of questions.

  4. Answer the questions asked by the tool:

    • For keystore password, choose 'password' or another simple password, as it is not important. Enter the same password again later when asked for a key password.

    • for first and last name, enter the exact fully-qualified domain name of the PaperCut NG/MF Application Server. The server name must be the exact one that users will enter into their browsers to access PaperCut NG/MF's web interface, e.g. 'printing.myschool.edu'.

    • Depending on the certification authority's requirements, you might also need to fill in some of the other fields.

      Enter keystore password: password

      What is your first and last name?

      [Unknown]: printing.myschool.edu

      What is the name of your organizational unit?


      What is the name of your organization?


      What is the name of your City or Locality?


      What is the name of your State or Province?


      What is the two-letter country code for this unit?


      Is CN=printing.myschool.edu, OU=Unknown, O=Unknown,

      L=Unknown, ST=Unknown, C=Unknown correct?

      [no]: yes

      Enter key password for <jetty>

      (RETURN if same as keystore password): password

Step 2: Submit the Certificate Signing Request (CSR)

  1. Prepare your new SSL key for certification by the certificate authority:

    keytool -certreq -alias jetty -keystore [app-path]\server\custom\my-ssl-keystore

    -file [app-path]\server\custom\jetty.csr

  2. Paste the contents of the resulting jetty.csr into the online order forms of commercial certificate authorities or pass them to your organization's own certificate authority.

    When the certification process has completed, the authority provides you with a certificate file that you can download from the authority's web site. The filename usually ends in .crt, .cer or .cert. The contents of the file should look something like this:



    ... more here ...

    Awjhfz9EfxN2l1UYP15xZZyNO4DO3X/LliCG9pdFf4hUHl8tRnhQBvRR1F0v9UHB PC6L9jNjMbQUoQ9NG/S8Nn7ZcSHNy+P53ntIBaEfTv7+qvXNWvSb5wj4pd05wGF1

    Bw== -----


  3. Save the file as jetty.crt.


    If you have not already, take the opportunity now to backup your my-ssl-keystore at this time.

Step 3: Install the certificate(s)

  1. Before you can make use of your newly obtained certificate, you might have to import the certificate authorities "root certificate". PaperCut comes with a number of root certificates pre-installed that you can list using the following command (from the directory [app-path]/runtime/jre/bin ):

    keytool -keystore ../lib/security/cacerts -storepass changeit -list

    Add the option "-v" at the end to obtain the same list with more details, such as expiration dates.

    If your certificate authority is not listed there, or you have been notified that they have recently started using new root certificates, first import the certificate authority's root certificate into your keystore before importing your newly obtained own certificate. The CA's root certificate is available for download on the CA's web site as a file ending on .pem or .crt. Save the file using a filename indicative of the CA's name, e.g. globaltrust.pem. Import the root certificate using this command, specifying an alias that is indicative of the CA's name (type this all in one line):

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustroot -file globaltrustroot.pem

    When asked whether to trust this certificate, answer yes:

    Trust this certificate? [no]: yes

    Some certificate authorities also provide additional "intermediate certificates" that must be imported the same way as the root certificate. You should use a different alias each time. For example:

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustinter -file globaltrustinter.pem

  2. Import your own certificate previously saved as jetty.crt (type this all in one line):

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -import -alias jetty -file jetty.crt -trustcacerts

    Your new keystore file my-ssl-keystore is now ready.


    The 'my-ssl-keystore' in the above command is the original my-ssl-keystore you created earlier.

  3. Ensure the keystore file is in [app-path]/server/custom/.

Step 4: Configure the PaperCut NG/MF keystore

To configure the PaperCut Application Server to use the new key/certificate:

  1. Copy your signed keystore onto the server running the PaperCut NG/MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore

  2. Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).

  3. Locate the section titled SSL Key/Certificate.

  4. Remove the # (hash) comment marker from all lines starting with:




  5. Define the following:

    server.properties value Description


    The location of your keystore. This must match the value specified by -k in create-ssl-keystore.

    If you did not specify this value in create-ssl-keystore, leave it as default.


    The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore.

    If you did not specify this value in create-ssl-keystore, leave it as default.


    The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore.

    If you did not specify this value in create-ssl-keystore, leave it as default.

  6. Save the file.


    On Mac OS, for server.ssl.keystore, specify the FULL path to your keystore. For example, /Applications/PaperCut NG/MF/server/custom/my-ssl-keystore

  7. Restart the PaperCut NG/MF Application Server.