Is SSL a rusty lock?

Ah … my tax time again! What a complicated mess that is! “Enjoyment” only matched by one thing: Managing web server SSL certificates and dealing with the corresponding certificate authorities!

As PaperCut system administrators like Geoff from Colorado, John from Illinois or Robert from Iowa have recently found, managing SSL certificates can end up making doing your taxes look fun. This is in no small part due to the bureaucratic nature of the so-called X.509 and PKCS standards, which are as onerous as their names make them sound! Further more, it’s exacerbated by the shenanigans of “certificate authorities” – those self-proclaimed guardians of Internet security that have somehow conspired with Microsoft and Mozilla to create a protection racket that charges each web master hundreds of dollars* for their web site to come up “green”… for a year only… then rinse, and repeat.

Not befitting its central role in The Grand Scheme of All Things Internet, the list of 20 or so certificate authorities dividing this booty remain sheepishly hidden in the deeper folds of Windows under
Control Panel -> Internet Properties -> Content -> Certificates -> Trusted Root Certification Authorities.
System administrators wanting to provide validated HTTPS access to PaperCut’s end-user web pages (where users can perform various print management tasks) will have to create an SSL key for their domain. This key must be signed by one of these authorities.

The instructions in PaperCut’s manual on how to import SSL certificates trying to be as general as possible to accommodate all certificate authorities. However that doesn’t prevent some of them from making system administrators’ lives extra difficult by inflicting distractions such as:

Expired/changed root certificates: A certificate authority’s root certificate is normally created once and maintained for ‘life’ – where ‘life’ means ‘decades’ – certainly a long time on the Internet. This justifies the arduous process of distributing it to all operating systems, browsers, mobile devices etc. in the first place and ensures its integrity through broad public availability. Some authorities have nonetheless taken to signing customers’ keys with new root certificates long before the old established ones had expired.

Being a cross-platform solution, PaperCut maintains a list of root certificates independently of the operating system. These certificates are used to ensure integrity of the certificate chain. A new root certificates may or may not have reached wide circulation and in particular, may or may have not made it into PaperCut’s list. In case it didn’t, it is the system administrator’s responsibility to obtain the new root certificate from the authority and install it with the help of the command line provided in the manual.

Intermediate certificates: As an additional layer of bureaucracy, some certificate authorities sign customers’ keys with an intermediate certificate which in turn is signed with the root certificate. These intermediate certificate usually have shorter life times than root certificates, exist in larger numbers – several per authority – and although also mandated to be present in PaperCut’s list are less likely to be included in it to begin with. If an intermediate certificate has been used, it must also be installed as above.

Other formats: Like a siren luring the errant wanderer into the treacherous swamps of eternal doom the certificate authority might tempt the customer with certificates presented in ‘additional’ formats like PKCS#7. PKCS#7 promises to simplify the certificate import process by bundling the customer’s certificate with intermediate certificates which can be imported in one go. This may or may not work, but one thing’s for sure, it’s one more condition to lead to more confusion!

At this point the inclined system administrator may start to question the logic behind all this. My advice in the interest of avoiding a headache and maintaining overall health and sanity is: Don’t! As with all thing imposed on one from above, be it taxes or X.509, the best thing one can do is smile and play along.

Whew! Now back to those taxes …

Lock and chain image from Bala on Flickr / CC-BY-SA

“A mathematician”, according to the late Hungarian mathematician Alfred Renyi, “is a device for turning coffee into theorems”. Seems like good old Alfred knew a thing or two about intellectual work, he and colleague Paul Erdos of Erdos number fame were known to consume copious amounts of the stuff. With work at PaperCut occasionally requiring a brain cell or two, it is no coincidence that the location for PaperCut’s R&D facilities was chosen to be in close proximity to a strategic source of this magic potion that fuels all activity in making, supporting and maintaining Print Control Software: Cafe Vermeer.

Not officially on PaperCut’s payroll due to the secretive, high priority nature of their mission, Cafe Vermeer’s Rosalina and Eric are on stand-by 8 hours a day wielding advanced machinery to whip coffee beans into a state consumable by PaperCut’s demanding and discerning coders should their BCC* drop below minimum comfort levels. Caffeine demands tend to culminate in twice-daily coffee pilgrimages, mid-morning and mid-afternoon, although a debate on whether coffee should be consumed French-style right after lunch or English-tea-style later in the afternoon has been causing a division in the office population along lines of provenance (Being of German origin, I subscribe to the former).

Haunting memories linger at PaperCut from when Vermeer was closed for a day forcing the indignity of sourcing second-tier material from so-called ‘other cafes’ in the area. This shows that the consistent quality of the caffeinated and the occasional cocoa-flavored beverages fabricated in Cafe Vermeer is a secret ingredient in the consistent quality of PaperCut’s software and support. So is their effort of maintaining the coffee preference chart mapping our developer’s names to their default coffee order so one can stay focused on semantics of the ‘volatile’ keyword in Java version 1.3 which …. ah but this story will be told another time.

So what about the 21st century corollary to the mathematician coffee thesis: “a software developer is a device for turning coffee into code”? Were our Hungarian mathematicians alive today, they would surely agree.

*blood caffeine concentration

What sets working at PaperCut apart from run-of-the-mill jobs is the fair balance of hands-on customer care and high-minded technical development that everyone here gets involved in. (Well that and the free gourmet coffee.) In other companies out there these activities are usually separated into separate departments, which more often than not results in some sort of Chinese Wall that makes sure customers’ concerns get preciously little attention in product development.

In “The Power of the Marginal” technology entrepreneur and writer Paul Graham writes about the competitive advantage of companies thus structured: “The needs of customers and the means of satisfying them are all in one head.” In practice that means that at PaperCut, the customer’s question about a printer that seems not to be supported and the resulting update to the software that is being delivered to them by email are not more than a few hours apart. Bigger features may take a few weeks but we don’t usually refuse any functionality that has been demanded by at least 5 or so of our customers. And while other software products will entertain you with messages like “Error 0x800051ef has occurred”, error messages in PaperCut come with a one-click button that will deliver detailed information directly onto the developer’s desk so that the problem can be pinned down on the spot and the answer emailed back to the customer.

This is also why I recommend our customers to subscribe to Upgrade Assurance, where at little additional cost to their license they get a first-row seat in this feedback loop and can focus on their actual work, knowing that their print accounting will be kept up-and-running for years to come.

A big hello to the world and PaperCut’s customers. As a new developer on the PaperCut team I am excited to be part of the new directions in which development of PaperCut’s Print Management Software is progressing. So many things to sort out on the first day! Where is the coffee? Where is the stationery supply cabinet? And where are the umlauts and accents on the keyboard?

Wait a minute, umlauts? That’s correct, I am looking forward to catering especially to our German- and French-speaking customers’ concerns. So please hold for these important messages:

Guten Tag! Ich freue mich, unseren deutschsprechenden Kunden als direkter Ansprechpartner im Team von PaperCut zur Verfügung zu stehen.    

Bonjour à nos clients français et francophones. N’hésitez pas de me contacter avec vos besoins et soucis. 

Stay tuned to this frequency for more news from myself in the upcoming weeks.