Purchase and install a trusted SSL certificate
If you do not already have a certificate signed by a trusted authority and you would like to use one, you need to purchase the signed certificate and then install it on PaperCut MF:
- Create the SSL keystore and create the private key
- Submit the Certificate Signing Request (CSR)
- Install the certificate(s)
- Configure the PaperCut MF keystore
If you already have a signed SSL key and certificate for the domain name of the PaperCut Application Server, see Importing an existing SSL key.
Step 1: Create the SSL keystore and create the private key
- Open a command prompt window and change to the directory [app-path]/runtime/jre/bin.
- Delete any existing files called 'my-ssl-keystore' in this directory, as they are likely leftovers from previous attempts.
- Enter the following command to produce the SSL key:
keytool -keystore [app-path]\server\custom\my-ssl-keystore -alias jetty -genkeypair -keyalg RSA
Caution: This process creates a 'my-ssl-keystore' file. Don't lose this file! You need it when adding the public key later. We recommend making a copy of this 'my-ssl-keystore' and keeping it in a safe place. If it is lost or changed, your certificate needs to be re-issued, often resulting in costs from your Certificate Authority. If you are renewing your SSL certificate, review Renewing your SSL certificate.
Note: Some organizations require larger key sizes than the default 1024 bit. In this case add the "-keysize 2048" or "-keysize 4096" parameter to the end of the above command line.
You will be asked a series of questions.
- Answer the questions asked by the tool:
  - For keystore password, choose 'password' or another simple password, as it is not important. Enter the same password again later when asked for a key password.
  - For first and last name, enter the exact fully-qualified domain name of the PaperCut MF Application Server. The server name must be the exact one that users will enter into their browsers to access PaperCut MF's web interface, e.g. 'printing.myschool.edu'.
- Depending on the certification authority's requirements, you might also need to fill in some of the other fields.
Enter keystore password: password
What is your first and last name?
[Unknown]: printing.myschool.edu
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=printing.myschool.edu, OU=Unknown, O=Unknown,
L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes
Enter key password for <jetty>
(RETURN if same as keystore password): password
Step 2: Submit the Certificate Signing Request (CSR)
- Prepare your new SSL key for certification by the certificate authority (type this all in one line):
keytool -certreq -alias jetty -keystore [app-path]\server\custom\my-ssl-keystore -file [app-path]\server\custom\jetty.csr
- Paste the contents of the resulting jetty.csr into the online order forms of commercial certificate authorities or pass them to your organization's own certificate authority.
When the certification process has completed, the authority provides you with a certificate file that you can download from the authority's web site. The filename usually ends in .crt, .cer or .cert. The contents of the file should look something like this:
-----BEGIN CERTIFICATE-----
MIIDLTCCApagAwIBAgIQJc/MOTjAW0HrPI/4rGtDCDANBgkqhkiG9w0BAQUFADCB
hzELMAkGA1UEBhMCWkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9O
... more here ...
Awjhfz9EfxN2l1UYP15xZZyNO4DO3X/LliCG9pdFf4hUHl8tRnhQBvRR1F0v9UHB
PC6L9jNjMbQUoQ9NG/S8Nn7ZcSHNy+P53ntIBaEfTv7+qvXNWvSb5wj4pd05wGF1
Bw==
-----END CERTIFICATE-----
- Save the file as jetty.crt.
Caution: If you have not already done so, take the opportunity now to back up your my-ssl-keystore.
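Before importing the CA's reply in Step 3, it is worth confirming that jetty.crt was issued for the key pair that produced jetty.csr, because a certificate issued for a lost or regenerated keystore cannot be installed. The following is an added example, not PaperCut code: it compares the public key in the two files with a minimal DER walker, assumes both files are PEM-encoded, and the script name check_reply.py is hypothetical.

```python
import base64
import re

def pem_to_der(text):
    """Return (label, DER bytes) of the first PEM block in text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def public_key_info(pem_text):
    """Return the raw SubjectPublicKeyInfo of a PEM CSR or certificate."""
    label, der = pem_to_der(pem_text)
    _, pos, _ = read_tlv(der, 0)       # outer SEQUENCE
    _, pos, end = read_tlv(der, pos)   # CertificationRequestInfo / TBSCertificate
    items = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        items.append((tag, der[pos:nxt]))
        pos = nxt
    if "REQUEST" in label:             # CSR: version, subject, SPKI, attributes
        return items[2][1]
    skip = 1 if items[0][0] == 0xA0 else 0   # certificate: optional [0] version
    return items[5 + skip][1]          # serial, sigAlg, issuer, validity, subject, SPKI

def same_key(csr_pem, cert_pem):
    """True when the certificate carries the public key the CSR asked for."""
    return public_key_info(csr_pem) == public_key_info(cert_pem)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check_reply.py jetty.csr jetty.crt")   # hypothetical script name
    csr, crt = (open(p).read() for p in sys.argv[1:])
    sys.exit(0 if same_key(csr, crt) else "public key mismatch: wrong keystore or wrong certificate")
```

A mismatch means the certificate was issued for a different key pair than the one that generated this CSR.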
Step 3: Install the certificate(s)
- Before you can make use of your newly obtained certificate, you might have to import the certificate authority's "root certificate". PaperCut comes with a number of root certificates pre-installed that you can list using the following command (from the directory [app-path]/runtime/jre/bin):
keytool -keystore ../lib/security/cacerts -storepass changeit -list
Add the option "-v" at the end to obtain the same list with more details, such as expiration dates.
If your certificate authority is not listed there, or you have been notified that they have recently started using new root certificates, first import the certificate authority's root certificate into your keystore before importing your own newly obtained certificate. The CA's root certificate is available for download on the CA's web site as a file ending in .pem or .crt. Save the file using a filename indicative of the CA's name, e.g. globaltrust.pem. Import the root certificate using this command, specifying an alias that is indicative of the CA's name (type this all in one line):
keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustroot -file globaltrustroot.pem
When asked whether to trust this certificate, answer yes:
Trust this certificate? [no]: yes
Some certificate authorities also provide additional "intermediate certificates" that must be imported the same way as the root certificate. You should use a different alias each time. For example:
keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustinter -file globaltrustinter.pem
- Import your own certificate previously saved as jetty.crt (type this all in one line):
keytool -keystore [app-path]\server\custom\my-ssl-keystore -import -alias jetty -file jetty.crt -trustcacerts
Your new keystore file my-ssl-keystore is now ready.
Caution: The 'my-ssl-keystore' in the above command is the original my-ssl-keystore you created earlier.
- Ensure the keystore file is in [app-path]/server/custom/.
Step 4: Configure the PaperCut MF keystore
Changes are not applied until the PaperCut MF Application Server is restarted.
To configure the PaperCut Application Server to use the new key/certificate:
- Copy your signed keystore onto the server running the PaperCut MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore.
- Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).
- Locate the section titled SSL Key/Certificate.
- Remove the # (hash) comment marker from all lines starting with "server.ssl".
- Define the location of your keystore, keystore password and key password as chosen previously. The file should look something like this:
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=default
server.ssl.key-password=default
NOTE: On Mac OS, specify the FULL path to your keystore, e.g. /Applications/PaperCut MF/server/custom/my-ssl-keystore
- Restart the PaperCut MF Application Server and verify all is working. If the server fails to start, error messages are recorded in logs located in the server's logs directory.
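A quick way to catch the usual Step 4 mistakes before restarting the Application Server, as an added example that is not part of PaperCut: it checks that the three server.ssl lines shown above are uncommented and non-empty, that the keystore file exists, and, because the file stores the passwords in clear text, that it is not world-readable on POSIX systems. Resolving a relative keystore path from the directory containing server.properties is an assumption based on the suggested location.

```python
import os
import re
import stat

# The three settings shown in the page's SSL Key/Certificate sample.
REQUIRED = ("server.ssl.keystore", "server.ssl.keystore-password",
            "server.ssl.key-password")
LINE = re.compile(r"\s*([#!]*)\s*(server\.ssl\.[\w.-]+)\s*[=:]\s*(.*?)\s*$")

def audit_ssl_properties(path):
    """Return a list of findings for the server.ssl.* lines in server.properties."""
    active, commented = {}, set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = LINE.match(line)
            if m and m.group(1):
                commented.add(m.group(2))
            elif m:
                active[m.group(2)] = m.group(3)
    findings = []
    for key in REQUIRED:
        if key not in active:
            why = "still commented out" if key in commented else "missing"
            findings.append(f"{key}: {why}")
        elif not active[key]:
            findings.append(f"{key}: empty value")
    keystore = active.get("server.ssl.keystore")
    if keystore:
        # Assumption: a relative path is resolved from the directory that
        # contains server.properties ([app-path]/server in the page's layout).
        full = os.path.join(os.path.dirname(os.path.abspath(path)), keystore)
        if not os.path.isfile(full):
            findings.append(f"keystore not found: {full}")
    # The file stores both passwords in clear text.
    if os.name == "posix" and os.stat(path).st_mode & stat.S_IROTH:
        findings.append("server.properties is world-readable")
    return findings

if __name__ == "__main__":
    import sys
    problems = audit_ssl_properties(sys.argv[1])   # path to server.properties
    print("\n".join(problems) or "SSL settings look complete")
```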
Now that you have a working SSL certificate for your PaperCut MF server, it's time to set a reminder in your calendar (or similar) to ensure that your SSL certificate is renewed before it expires! Go do that now!