Choose your language

Choose your login

Support

Enhance Print Deploy security with a CA-signed certificate

This page applies to:

For Mobility Print and Print Deploy:

  • Windows clients don’t trust self-signed certificates.

  • Chromebooks won’t send a print job at all unless the connection can be encrypted and a CA-signed certificate is used.

That means that, depending on your organization’s security best practices, you might need to set up your own CA-signed (public or private Certificate Authority) chained certificate.

Configure Print Deploy to use a CA-signed Certificate when you want to:

  • deploy PaperCut Mobility Print queues to Windows devices.

  • deploy print queues to Chromebooks.

  • use the best security standards for clients on the network to establish a secure connection

  • use a trusted certificate that will work seamlessly with any BYOD clients so there’s no need to push out a certificate through Group Policy or MDM.

Note that by default, Print Deploy generates a self-signed, zero-length chain certificate. Use this certificate to push out to:

  • Windows clients through Group Policy or MDM.

  • Chromebook clients through the Google Admin interface.

If required, you can prevent Print Deploy clients from connecting to a Print Deploy server that has an untrusted certificate. You can set this up via a config key on the client, the installer, or on the server (which will override the config value set for the client).

Refer to Enable SSL certificate checking for more details on setting this up.

Certificate files

The Print Deploy server requires two files to be able to serve content via HTTPS. Your CA (Certificate Authority) provider might have already made these available to you.

  • tls.cer (Public Certificate - base64 encoded)

  • tls.pem (Private Key - base64 encoded)

If you use Print Deploy to deploy a PaperCut Mobility Print queue to Chromebooks or to a Windows client machine, it’s best to use either:

  • a publicly CA-signed base64-encoded PEM format certificate

  • your own base64-encoded PEM format chained certificate.

Print Deploy supports RSA and ECSDA (using the secp384r1 or prime256v1 Elliptic curves) encryption.

If you need more help with certificates, contact your CA vendor.

Before you start

If your CA provider has already made the tls.cer and tls.pem files available for download, you can go straight to Install a CA-signed certificate on the Print Deploy server .

If not, go to the optional tasks listed below, choose the ones applicable to your environment, and follow those instructions first.

For either solution you also have the option to create your own self-signed chained certificate with ‘certstrap’ .

Install a CA-signed certificate

Install a CA-signed certificate on the Print Deploy server

Follow these steps:

  1. Place the custom certificate (tls.cer and tls.pem files) in the [app-path]\providers\print-deploy\[os]\data\cert-custom folder.

    (Create the cert-custom folder if it does not exist).

  2. Start the Print Deploy service.

  3. Verify the installation:

    1. Navigate directly to the Print Deploy web interface. Use the Common Name (or Host Name) that you specified in the certificate on the dedicated Print Deploy port, for example: https://print-server.company.lan:9174/ .

      This is not the usual PaperCut NG/MF Administration console and is useful for testing.

    2. Check that the browser displays an animated coffee cup and no security warnings. If the cup displays, everything’s fine.

    3. To check that it was picked up by the server in the logs, navigate to [app-dir]/providers/print-deploy/[os]/data/logs and open the print-deploy-server.log file. You should see a log line that looks like this:

    using certificate for server at /Applications/PaperCut MF/providers/print-deploy/mac/data/cert-custom/tls.cer
    with private key at /Applications/PaperCut MF/providers/print-deploy/mac/data/cert-custom/tls.pem
    Verify that the path of the certificate is in `data/cert-custom`
    

(Optional) Convert a *.p12/*.pfx to base64 encoded PEM format

We’re assuming that you’ve already obtained a trusted SSL certificate and key from your Certificate Authority provider and they are in the form of a p12/pfx file.

In the steps below you will start out with a PKCS#12 file (this is a common certificate file format that contains both the X..509 certificate and private key), then you will convert it to the base64-encoded PEM format that Print Deploy uses.

To start with you’ll need to separate the components of the certificate key bundle using PEM encoding for the key. The exact steps for this may be different if your certificate bundle uses another format. The process depends on the type of bundle you have. Also, you’ll need to know the bundle’s import password because you’re going to need it soon.

  1. Run the following command to export the key from the certificate key bundle.

    openssl pkcs12 -in certname.pfx -nocerts -out tlspw.pem

  2. Run the following command to remove the PEM pass phrase from the last step.

    openssl rsa -in tlspw.pem -out tls.pem

  3. Run the following command to export the certificate from the certificate key bundle.

    openssl pkcs12 -in certname.pfx -nokeys -out tls.cer

    The following files are now in your current working directory ready to use with PaperCut Print Deploy and PaperCut Mobility Print:

    • tls.cer (Public Certificate - base64 encoded)

    • tls.pem (Private Key - base64 encoded)

  4. For Print Deploy, go to Install a CA-signed certificate on the Print Deploy server above.

  5. For PaperCut Mobility Print, go to Install an SSL certificate on the Mobility Print server .

(Optional) Export a Public/Private Keypair from a Windows Certificate to PFX format

If you have an existing Public/Private keypair in a Windows Certificate store, you can export it and use it in Print Deploy or PaperCut Mobility Print.

To export the Public/Private keypair:

  1. Open the Certificate store:

    1. Press Windows + R.

    2. Type certlm.msc; then click OK.

  2. Navigate to the certificate location, usually Trusted Root Certification Authorities.

  3. Right-click the certificate.

  4. Click All Tasks > Export. The Certificate Export Wizard is displayed.

  5. Click Next.

  6. Select Yes, export the private key; then click Next.

  7. Ensure Personal Information Exchange - PKCS #12 (.PFX) is selected; then click Next.

  8. On the Security screen, select the Password checkbox and type a temporary password. It will be removed later.

  9. Click Next.

  10. Type a directory path and filename; then click Next. The final page is displayed.

  11. Click Finish. The message The export was successful is displayed.

  12. Click OK.

    The ‘pfx’ certificate is now in the directory path/filename you selected.

  13. Convert the pfx certificate to a base64 encoded PEM format .

(Optional) Install an SSL certificate on the Mobility Print server(s)

Complete these steps for each Mobility Print Server on your network.

  1. On the PaperCut Mobility Print server, stop the PaperCut Mobility Print service.

  2. Navigate to [mobility-install-path]\data. You’ll see the following:

    • tls.cer (certificate file)

    • tls.pem (private key file)

  3. Rename the current tls.cer and tls.pem files to .old so you have a backup copy of the original files.

  4. Copy your own public certificate and private key files and paste them into this data folder.

  5. Rename the public certificate file to tls.cer.

  6. Rename the private key file to tls.pem.

  7. Start the Mobility Print service.

  8. Verify the installation:

    1. Log in to the PaperCut NG/MF Admin web interface. Use the Common Name (or Host Name) that you specified in the certificate on the dedicated Print Deploy port, for example: https://print-server.company.lan:9164/ .

    2. Go to the Print Deploy page.

    3. Check that the browser displays an animated coffee cup and no security warnings. If the cup displays, everything’s fine.

Install the default self-signed certificate

Install a self-signed or private CA root certificate onto your Windows clients

At a high level, you can install the Print Deploy server self-signed certificate to the Trusted Root Certification Authorities on a Windows Client. In a managed Windows environment you can use your own toolset to deploy the certificate according to your existing workflows.

For an individual machine, follow these steps:

  1. On the server with PaperCut NG/MF, navigate to <application-directory>\providers\print-deploy\<os>\data.

  2. Copy the tls.cer file to your target machine.

  3. On the target machine, double-click tls.cer.

  4. Click Install Certificate.

    Screenshot showing the tls.cer file in the providersprint-deploywindata directory. The user has double clicked the file, so they see the additional 'Certificate' dialog with the 'Install Certificate' button highlighted.
  5. On the Welcome to the Certificate Import Wizard screen, click Next.

  6. Select the Place all certificates in the following store option; then click Browse.

  7. Select Trusted Root Certification Authorities; then click OK.

  8. Click Next.

  9. Click Finish.

  10. Click OK.

Install a self-signed or private CA root certificate onto managed Chromebooks

For Chromebook clients to be able to talk to the Print Deploy server, the Print Deploy server must use either a CA-signed certificate (recommended) or a trusted self-signed certificate with a valid chain.

To set up your certificate on the Chrome Enterprise admin console:

  1. Create your chained self-signed certificate and its private key.

  2. Navigate to [app-path]\providers\print-deploy\[os]\data. You’ll see the following:

    • tls.pem (certificate file)

    • tls.cer (private key file)

  3. Rename the current tls.cer and tls.pem files to .old so you have a backup copy of the original files.

  4. Copy your extracted public certificate and private key files and paste them into this data folder.

  5. Rename the public certificate file to tls.cer.

  6. Rename the private key file to tls.pem.

  7. Start the Print Deploy service.

  8. Follow the instructions on this Google Chrome Enterprise Help page to add the root certificate you used to sign the chained certificate in the Google Admin console.

  9. Test your changes:

    1. From one of your managed Chromebook’s browsers, access the Print Deploy page. Use the Common Name (or Host Name) that you specified in the certificate on the dedicated Print Deploy port, for example: https://print-server.company.lan:9174/

    2. Check that the browser displays an animated coffee cup and no security warnings. If it does, everything’s fine.

(Optional) Create your own self-signed chained certificate with ‘certstrap’

  1. Make sure you have a compiled and working version of certstrap.

  2. Initialize your ‘certstrap environment’. It creates an out folder relative to your current working directory.

    C:\certs>certstrap.exe init --common-name "private-ca.company.lan"
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Created out/private-ca.company.lan.key
    Created out/private-ca.company.lan.crt
    Created out/private-ca.company.lan.crl
    Created out/private-ca.company.lan.crl
    
  3. Create your CSR (certificate signing request). You should have matching –common-name and -domain values at the least. If you need more details, refer to certstrap documentation.

    C:\certs>certstrap.exe request-cert --common-name "print-server.company.lan" -domain "print-server.company.lan","alternative-name.company.lan"
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Created out/print-server.company.lan.key
    Created out/print-server.company.lan.csr
    
  4. Sign your newly created CSR.

    C:\certs>certstrap.exe sign print-server.company.lan --CA private-ca.company.lan
    Created out/print-server.company.lan.crt from
    out/print-server.company.lan.csr signed by
    out/private-ca.company.lan.key
    

    This leaves you with:

    print-server.company.lan.crl - Revocation list (you can ignore this)
    print-server.company.lan.key - Private key
    private-ca.company.lan.crt - CA Public Cert
    private-ca.company.lan.crl - CA Revocation list (you can ignore this)
    private-ca.company.lan.com.key - CA Private key
    
  5. Merge the CA public certificate into the newly created Public Certificate so that you supply both public certificates as part of the HTTPS negotiation.

    1. Open the Public Certificate in your preferred text editor.

    2. Open the CA public certificate in your preferred text editor.

    3. Copy the contents of the CA public certificate to the end of the Public Certificate.

    4. Save the new Public Certificate.

  6. Export the .crt to a .cer. You can do this (in Microsoft Windows) by double-clicking the .crt > Details tab > Copy to File > Next > Base-64 > “tls.cer”

  7. Rename or copy the print-server.company.lan.key to tls.pem.

    You now have the following files in the out directory ready to use with Print Deploy and PaperCut Mobility Print:

    • tls.cer (Public Certificate - base64 encoded)

    • tls.pem (Private Key - base64 encoded)

  8. For Print Deploy, go to Install a CA-signed certificate on the Print Deploy server .

    For PaperCut Mobility Print, go to Install a trusted SSL certificate on your Mobility Print server .

Comments