Use an existing trusted PaperCut NG/MFcertificate
If you have an existing trusted PaperCut NG/MF certificate, then based on the type of certificate, you can import it into the PaperCut NG/MF keystore:
-
On Windows, a certificate with an attached private key stored in either:
- the Windows certificate store
- a PKCS#12 file (*.p12/*.pfx)
-
On Linux, separate 'PEM encoded' key and certificate files.
To use existing trusted PaperCut NG/MF certificate:
- Export the existing trusted certificate and key
- Import the existing trusted certificate into the PaperCut NG/MF keystore
- Configure the PaperCut NG/MF keystore
Step 1: Export the existing trusted certificate and key
If you already have a PKCS#12 file, you do not need to perform this step.
The way in which you export your existing trusted certificate and key depends on where it is stored. One common method of exporting is via the Windows Certificate Store:
-
Open the Windows Control Panel; then select Internet Options.
-
On the Content tab, click Certificates.
-
On the Personal tab, select the certificate; then click Export.
-
Click Next at the initial screen.
-
Select Yes, export the private key; then click Next.
If you selected the last option correctly, you can export only as a .PFX file.
-
Select the Include all the certificates in the certification path if possible check box.
- Clear the Enable strong protection check box.
- Clear the Delete the private key if the export is successful check box.
-
Type a password for the PFX file. This is only used temporarily.
-
Save the PFX file with the extension .pfx. (This is just temporary, you MUST delete this file later on.)
-
Finish the wizard to export the certificate.
Step 2: Import the existing trusted certificate into the PaperCut NG/MF keystore
The way in which you import your trusted certificate into the PaperCut NG/MF keystore depends on the type of certificate you have:
PEM/CERT/CER file
-
In a command line, navigate to the create-ssl-keystore tool:
cd [app-path]/server/bin/win
-
Run the following create-ssl-keystore command after specifying values for relevant arguments:
create-ssl-keystore -f -k <keystore location> -cert <certificate file path> -key <key file path> -sig <signature> -keypass <keyfile password> -keystorepass <keystore password> -keystorekeypass <keystore key password> -certCA <certificate files> -bcCA “<SYSTEM-NAME>”
Example:For example, to create a keystore with a password from a key that has a password:
create-ssl-keystore -f -cert "path/to/pem-certificate.pem" -key "path/to/pem-key.pem" -keypass “password” -keystorepass “password”
Note: While the table below outlines some arguments of the create-ssl-keystore command, the --help command line option lists all the available arguments.create-ssl-keystore command arguments Description and values -f (optional) Overwrites any existing keystore file(s). -k <keystore location> Specify the location of keystore in to which the existing trusted PaperCut NG/MF key/ certificate is being imported.
If you don’t specify this value, the default location [app-path]/server/data/default-ssl-keystore is used.
-cert <certificate file path> (required) Specify the file name and location of the existing trusted PaperCut NG/MF certificate that is being imported into the keystore.
In conjunction with -key, this creates the keystore.
-key <key file path> (required) Specify the file name and location of the existing trustedPaperCut NG/MF key that is being imported into the keystore.
In conjunction with -cert, this creates the keystore.
-sig <signature> (optional) Specify the certificate signing algorithm that is used by the existing trusted PaperCut NG/MF key/ certificate that is being imported into the keystore.
Valid values: [sha256 | sha1].
If you don’t specify this value, the standard algorithm sha1 is used. This ensures backwards compatibility with 3rd party systems. For more information, see Can I use other algorithms such as SHA2/SHA256?-keypass <keyfile password> (required if the existing key already has a password) Specify the existing password of the existing PaperCut NG/MF key/ certificate that is being imported into the keystore.
-keystorepass <keystore password> (optional) Specify the password required to access the keystore.
If you don’t specify this value, the keystore password is default.
-keystorekeypass <keystore key password> (optional) Specify the password required to access the existing trusted PaperCut NG/MF key/ certificate that is being imported into the keystore.
If you don’t specify this value, the keystore key password is default.
-certCA (optional) Specify the name of the certificate authority that has issued the existing trusted PaperCut NG/MF key/ certificate that is being imported into the keystore. -bcCa (optional) Add the X.509 Basic Constraints CA extension. <SYSTEM-NAME> Specify the name of the computer/ server that is being used to create the keystore.
If you don’t specify this value, the current computer name is used.
PFX/PKCS#12 file
-
In a command line, navigate to the create-ssl-keystore tool:
cd [app-path]/server/bin/win
-
Run the following create-ssl-keystore command after specifying values for relevant arguments
create-ssl-keystore -f -k <keystore location> -p12 <PKCS12/PFX certificate file path> -p12pass <password for the PKCS12/PFX certificate file> -sig <signature> -keystorepass <keystore password> -keystorekeypass <keystore key password> -certCA <certificate files> -bcCA “<SYSTEM-NAME>”
Example:For example, to create a keystore with a password from a key that has a password:
create-ssl-keystore -f -p12 "path/to/pfx.pfx" -p12pass “password” -k "path/to/custom/folder/my-ssl-keystore" -keystorepass “password”
Note: While the table below outlines some arguments of the create-ssl-keystore command, the --help command line option lists all the available arguments.create-ssl-keystore command arguments Description and values -f (optional) Overwrites any existing keystore file(s). -k <keystore location> Specify the location of keystore in to which the existing trusted PaperCut NG/MF key/ certificate is being imported.
If you don’t specify this value, the default location [app-path]/server/data/default-ssl-keystore is used.
-p12 <PKCS12/PFX certificate file path> (required) Specify the file name and location of the existing trusted PaperCut NG/MF certificate that is being imported into the keystore.
-p12pass <password for the PKCS12/PFX certificate file> (required if the existing certificate already has a password) Specify the existing password of the existing PaperCut NG/MF key/ certificate that is being imported into the keystore.
-sig <signature> (optional) Specify the certificate signing algorithm that is used by the existing trusted PaperCut NG/MF key/ certificate that is being imported into the keystore.
Valid values: [sha256 | sha1].
If you don’t specify this value, the standard algorithm sha1 is used. This ensures backwards compatibility with 3rd party systems. For more information, see Can I use other algorithms such as SHA2/SHA256?-keystorepass <keystore password> (optional) Specify the password required to access the keystore.
If you don’t specify this value, the keystore password is default.
-keystorekeypass <keystore key password> (optional) Specify the password required to access the existing trusted PaperCut NG/MF key/ certificate that is being imported into the keystore.
If you don’t specify this value, the keystore key password is default.
-certCA (optional) Specify the name of the certificate authority that has issued the existing trusted PaperCut NG/MF key/ certificate that is being imported into the keystore. -bcCa (optional) Add the X.509 Basic Constraints CA extension. <SYSTEM-NAME> Specify the name of the computer/ server that is being used to create the keystore.
If you don’t specify this value, the current computer name is used.
Step 3: Configure the PaperCut NG/MF keystore
To configure the PaperCut Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. to use the new key/certificate:
-
Copy your signed keystore onto the server running the PaperCut NG/MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore
-
Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).
-
Remove the # (hash) comment marker from all lines starting with:
server.ssl.keystore=
server.ssl.keystore-password=
server.ssl.key-password=
-
Define the following:
server.properties value Description server.ssl.keystore The location of your keystore. This must match the value specified by -k in create-ssl-keystore.
If you did not specify this value in create-ssl-keystore, leave it as default.
server.ssl.keystore-password The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore.
If you did not specify this value in create-ssl-keystore, leave it as default.
server.ssl.key-password The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore.
If you did not specify this value in create-ssl-keystore, leave it as default.
- Save the file.Note: On Mac OS, for server.ssl.keystore, specify the FULL path to your keystore. For example, /Applications/PaperCut NG/MF/server/custom/my-ssl-keystore
-
Restart the PaperCut NG/MF Application Server.