Importing an SSL certificate from IIS

If you are using an SSL Certificate in IIS, you can configure PaperCut NG to use it as well. This will allow you to access PaperCut via HTTPS without seeing error messages about the certificate you are using.

The following article was contributed by Chris from Colchester Royal Grammar School, a power user of PaperCut NG.

To export your certificate from IIS:

1. Click Start->Run and type mmc to start the Microsoft Management Console.
2. Click File->Add/Remove Snap-in->Add.
   Select the Certificates snap-in, and select Computer Account and Local Computer.
   Click Close then OK to get back to the console root.
3. Go into Certificates->Personal->Certificates.
   Right click the web server certificate and click All Tasks->Export.
4. You see the Certificate Export Wizard.
   Click Next at the initial screen.
   Select 'Yes, export the private key' and click Next.
   If you selected the last option correctly, you will only be able to export as a .PFX file.
   TICK 'Include all the certificates in the certification path if possible'.
   UNTICK 'Enable strong protection'.
   UNTICK 'Delete the private key if the export is successful'.
   Type in a password for the PFX file. This is only used temporarily but it is still a good idea to use a strong password.
   Save the PFX file to C:\PCCert.pfx (Again, this is just temporary, you MUST delete this file later on).
   Finish the wizard to export the certificate.
5. Close the MMC console. You don't need to save the changes.

To import the certificate:

1. Run the following command, entered on a single line with spaces in place of the line breaks. (This is for version 9+; for older versions, please upgrade first.)
   "C:\Program Files\PaperCut NG\runtime\jre\bin\java.exe"
   -classpath "C:\Program Files\PaperCut NG\server\lib\jetty-6.1.19.jar"
   org.mortbay.jetty.security.PKCS12Import
   "C:\PCCert.pfx"
   "C:\Program Files\PaperCut NG\server\custom\my-ssl-keystore"

(Note: The Jetty version number (6.1.19) changes from time to time. If you receive a "NoClassDefFoundError" message, look for a jetty-*.jar file in the [app-path]/server/lib/ directory and update the command as appropriate.)

2. You will be asked to enter the 'input keystore passphrase'. Enter the PFX password that you used earlier.
3. You will be asked to enter the 'output keystore passphrase'. Enter a new password.
   This password is permanent, but it will need to be stored in plain text in a PaperCut configuration file.
   Because of this, make up a new password rather than using an existing one.

To set up PaperCut to use the new certificate:

1. Edit C:\Program Files\PaperCut NG\server\server.properties
   Uncomment the following lines, appending the output keystore password that you entered before.
   server.ssl.keystore=custom/my-ssl-keystore
   server.ssl.keystore-password=<your keystore password>
   server.ssl.key-password=<your keystore password again>
2. Restart the PaperCut Application Server. You should now be able to connect to your PaperCut server using HTTPS.
   Note that there can be a short delay between restarting the PaperCut service and HTTP/HTTPS connections becoming available.
3. Once you have verified that HTTPS connections are working, DELETE C:\PCCert.pfx
   (It is no longer necessary, and it contains your certificate's private key, which should be kept secure at all costs.)

Under Options->General->Client Software you can tell the client software to access the server via SSL/HTTPS by default, to increase security.

Depending on how your certificate has been issued, when you attempt to access the PaperCut Web Interface through the link on the user client tool, you may receive errors stating that 'The name on the security certificate is invalid or does not match the name of the site'. To get rid of these errors you need to update the 'server-name' value in "C:\Program Files\PaperCut NG\client\client.properties" to reflect the name of the server that is specified in your web server certificate. This may simply be a case of supplying the fully qualified domain name instead of the 'simple' server name (e.g. 'server.domain.com' instead of just 'server').
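
The checks implied by the steps above, as an added PowerShell example that is not part of the original article or PaperCut's own tooling: it confirms the keystore settings are active, that the served certificate validates for the name clients use and is the one exported from IIS, reports broad access to the keystore and the file holding its plain-text password, and only then deletes the PFX. The server name, HTTPS port 9192 and the default install path are assumptions; adjust them to your site.

```powershell
# Added example, not PaperCut tooling. Run elevated on the PaperCut server after the restart.
# Assumptions: default install path, HTTPS on port 9192, placeholder server name.
param(
    [string]$ServerName = 'server.domain.com',   # name clients use (client.properties server-name)
    [int]$Port          = 9192,                  # assumed PaperCut HTTPS port
    [string]$AppPath    = 'C:\Program Files\PaperCut NG',
    [string]$PfxPath    = 'C:\PCCert.pfx'
)
$ErrorActionPreference = 'Stop'
$props    = Join-Path $AppPath 'server\server.properties'
$keystore = Join-Path $AppPath 'server\custom\my-ssl-keystore'

# 1. All three keystore settings must be uncommented in server.properties.
$active = @(Get-Content $props | Where-Object {
    $_ -match '^\s*server\.ssl\.(keystore|keystore-password|key-password)\s*=' })
if ($active.Count -ne 3) { throw "Expected 3 active server.ssl.* lines, found $($active.Count)" }

# 2. Handshake with default validation: throws on an untrusted chain or a name mismatch,
#    the same condition behind the 'name on the security certificate' warning.
$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($ServerName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

# 3. The served certificate must be the one exported from Certificates->Personal.
$inStore = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $served.Thumbprint }
if (-not $inStore) { throw "Served certificate $($served.Subject) is not in LocalMachine\My" }

# 4. Report broad access to the files holding the key and its plain-text password.
$broad   = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, Users
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($path in $props, $keystore) {
    (Get-Acl $path).GetAccessRules($true, $true, $sidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.IdentityReference.Value } |
        ForEach-Object { Write-Warning "$path is accessible to $($_.IdentityReference.Value)" }
}

# 5. Only now remove the temporary PFX, which still contains the private key.
if (Test-Path $PfxPath) { Remove-Item $PfxPath -Force; "Deleted $PfxPath" }
else { "No PFX found at $PfxPath" }
```

Any warning from step 4 means ordinary local accounts can read the keystore or its password; restrict those two files to administrators and the account the PaperCut service runs as.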


Page last modified on February 28, 2010, at 09:28 PM