SSL/HTTPS Key Generation

Configuring SSL can be a confusing experience of encryption keys, certificates, protocols and formats. During the install process, PaperCut NG generates an unsigned key/certificate issued for the host's name. This is used by default when the system is accessed via HTTPS on port 9192. On some networks it may be desirable to access the server via a fully qualified domain name rather than just the server's local name. Most browsers will allow access to an HTTPS server under a different name; however, the user will be notified of a domain mismatch error. The tool create-ssl-keystore can be used to re-issue the key/certificate (stored in a keystore file) under a different hostname, eliminating the mismatch error. An example of the command's use:

    cd [app_path]/server/bin/win
    create-ssl-keystore -f "myserver.fullname.com"
            

More information is available via the --help command line option.

    Usage: create-ssl-keystore [-f] [-k FILE] [SYSTEM_NAME]

       -f        Force. Overwrite any existing keystore file.

       -k FILE:  Define a keystore file location. If not set the keystore
                 is created in the default location
                 (server/data/default-ssl-keystore).

       SYSTEM_NAME: The name of the computer/server used to generate keystore.
                    If not defined, the current computer name is used.

Using a custom SSL Key

Large organizations may wish to use their own SSL key signed by a trusted certificate authority (CA). Such trusted CAs include: AddTrust, Entrust, GeoTrust, RSA Data Security, Thawte, VISA, ValiCert, Verisign, beTRUSTed, among others.

Caution

Configuring SSL and generating signed keystores is complex! The following documentation assumes that the reader has a good understanding of the SSL/HTTPS process and has configured SSL on other web based application servers such as Apache, IIS, or secured mail servers.

The process of generating a PaperCut NG compatible certificate keystore is explained in detail on the Jetty HTTP Server website at: http://jetty.mortbay.org/jetty5/faq?s=400-Security&t=ssl

To configure the PaperCut NG Application Server to use the new key/certificate:

  1. Copy your signed keystore onto the server running the PaperCut NG Application Server. The suggested location is in the directory [app_path]/server/custom/.

  2. Open the file [app_path]/server/server.properties with a text editor (e.g. Notepad).

  3. Locate the section titled SSL/HTTP Configuration.

  4. Remove the # (hash) comment marker from all server.ssl lines.

  5. Define the location of your keystore, the keystore password and the key password. The file should look something like this:

        server.ssl.keystore=custom/server/my-ssl-keystore
        server.ssl.keystore-password=mypassword
        server.ssl.key-password=mypassword
                                

  6. Restart the PaperCut NG Application Server and verify all is working. If the server fails to start, error messages will be recorded in logs located in the server's logs directory.
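
As an added example (not part of PaperCut NG or its documentation), the following Python script checks the result of steps 4 and 5 before the restart in step 6: it reports any server.ssl line that is still commented out, missing or empty, and a keystore path that does not point at an existing file. The function names are hypothetical, and it assumes that a relative keystore path is resolved against the directory containing server.properties.

```python
import os
import tempfile

REQUIRED = ("server.ssl.keystore", "server.ssl.keystore-password",
            "server.ssl.key-password")

def check_ssl_properties(props_path):
    """Return a list of problems with the server.ssl settings (empty if none)."""
    base = os.path.dirname(os.path.abspath(props_path))
    active, commented = {}, set()
    with open(props_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            key, sep, value = (s.strip() for s in line.lstrip("# ").partition("="))
            if not sep or key not in REQUIRED:
                continue
            if line.startswith("#"):
                commented.add(key)          # step 4 was skipped for this line
            else:
                active[key] = value
    problems = []
    for key in REQUIRED:
        if key not in active:
            state = "still commented out" if key in commented else "missing"
            problems.append(f"{key}: {state}")
        elif not active[key]:
            problems.append(f"{key}: empty value")
    keystore = active.get("server.ssl.keystore")
    if keystore:
        # Assumption: a relative path resolves against server.properties' directory.
        full = keystore if os.path.isabs(keystore) else os.path.join(base, keystore)
        if not os.path.isfile(full):
            problems.append(f"server.ssl.keystore: file not found: {full}")
    return problems

def demo():
    """Constructed sample: one line left commented, keystore path not matching the copy."""
    with tempfile.TemporaryDirectory() as server_dir:
        os.makedirs(os.path.join(server_dir, "custom"))
        open(os.path.join(server_dir, "custom", "my-ssl-keystore"), "wb").close()
        props = os.path.join(server_dir, "server.properties")
        with open(props, "w", encoding="utf-8") as fh:
            fh.write("server.ssl.keystore=custom/server/my-ssl-keystore\n"
                     "server.ssl.keystore-password=mypassword\n"
                     "#server.ssl.key-password=mypassword\n")
        return check_ssl_properties(props)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Because server.properties holds the keystore and key passwords in plain text, restrict read access to that file to the account that runs the Application Server.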