Choose your language

Choose your login

Contact us

Set up an SSL/TLS certificate for Print Deploy

This page applies to:

This topic covers:

How to install a public CA (Certificate Authority) on your Print Deploy server

How to install a Private Self-Signed Certificate for Print Deploy

How to install a public CA (Certificate Authority) on your Print Deploy server

The certificate and private key used by the PaperCut NG/MF Print Deploy server for HTTPS connection are in PEM-encoded format. To use an existing trusted SSL key:

  1. Export the existing certificate and key to PEM-encoded format

  2. Configure the Print Deploy server certificate

Step 1: Export the existing certificate and key to PEM-encoded format

To start with you’ll need to separate the components of the certificate key bundle using PEM encoding for the key. The process depends on the type of bundle you have. Also, you’ll need to know the bundle’s import password because you’re going to need it soon.

Windows certificate store

  1. If you already have a .pfx file, skip this step. Otherwise, export the certificate and key as a PFX bundle by following the steps in the PaperCut NG/MF help for Step 1: Export the existing certificate with key .

  2. Export the PEM-encoded key and certificate.

A PKCS#12 file (*.p12/*.pfx)

  1. Run the command openssl pkcs12 -in certname.pfx -nocerts -out tlspw.pem to export the key from the certificate key bundle.

  2. Run openssl rsa -in tlspw.pem -out tls.pem to remove the PEM pass phrase from the last step.

  3. Run openssl pkcs12 -in certname.pfx -nokeys -out tls.cer to export the certificate from the certificate key bundle.

Step 2: Configure the Print Deploy server certificate

  1. On the PaperCut NG/MF Application Server, stop the Print Deploy service.

  2. Place the custom certificate (tls.cer and tls.pem files) in the [app-path]\providers\print-deploy\[os]\data\cert-custom folder.

    (Create the cert-custom folder if it does not exist).

  3. Start the Print Deploy service.

  4. Verify the installation:

    1. Navigate directly to the Print Deploy web interface. Use the Common Name (or Host Name) that you specified in the certificate on the dedicated Print Deploy port, for example: https://print-server.company.lan:9174/

      This is not the usual PaperCut NG/MF Administration console and is useful for testing.

    2. Check that the browser displays an animated coffee cup and no security warnings. If the cup displays, everything’s fine.

    3. To check that it was picked up by the server in the logs, navigate to [app-dir]/providers/print-deploy/[os]/data/logs and open the print-deploy-server.log file. You should see a log line that looks like this:

      using certificate for server at /Applications/PaperCut MF/providers/print-deploy/mac/data/cert-custom/tls.cer with private key at /Applications/PaperCut MF/providers/print-deploy/mac/data/cert-custom/tls.pem

      Verify that the path of the certificate is in data/cert-custom.

How to install a Private Self-Signed Certificate for Print Deploy

On Windows computers

At a high level, you can install the Print Deploy server self-signed certificate to the Trusted Root Certification Authorities on a Windows Client. In a managed Windows environment you can use your own toolset to deploy the certificate according to your existing workflows.

For an individual machine, follow these steps:

  1. On the server with PaperCut NG/MF, navigate to <PaperCut NG/MF install path>\providers\print-deploy\<os>\data.

  2. Copy the tls.cer file to your target machine.

  3. On the target machine, double-click tls.cer.

  4. Click Install Certificate.

    Screenshot showing the tls.cer file in the providersprint-deploywindata directory. The user has double clicked the file, so they see the additional 'Certificate' dialog with the 'Install Certificate' button highlighted.
  5. On the Welcome to the Certificate Import Wizard screen, click Next.

  6. Select the Place all certificates in the following store option; then click Browse.

  7. Select Trusted Root Certification Authorities; then click OK.

  8. Click Next.

  9. Click Finish.

  10. Click OK.

On managed Chromebooks

For Chromebook clients to be able to talk to the Print Deploy server using HTTPS, the Print Deploy server must either be using a CA-signed certificate (recommended) or a trusted self-signed certificate with a valid chain.

The default self-signed certificate that comes with the Print Deploy server isn’t chained, so you’ll need to sign your own certificate using your own certificate authority and public key infrastructure. There are several tools you can use to do this, including OpenSSL and certstrap .

After you’ve generated your chained self-signed certificate and its private key, follow the steps below to set up your certificate on the Chrome Enterprise admin console:

  1. If you haven’t already, convert your certificate to a Base-64 encoded X.509 (.cer) file .

  2. Navigate to <PaperCut NG/MF install path>\providers\print-deploy\<os>\data. You’ll see the following:

    • tls.pem (private key file)

    • tls.cer (certificate file)

  3. Make a backup of the current tls.cer and tls.pem by renaming them both to .old so you have a copy of the original files.

  4. Copy your certificate and private key to this folder.

  5. Rename your certificate file to tls.cer and the private key file to tls.pem.

  6. Restart the PaperCut Print Deploy service.

  7. On the Google Chrome Enterprise Help page, follow the instructions on how to set up your certificates on Chromebooks .

  8. After setting up your certificate on the Chrome Enterprise admin console, test your changes by accessing https://<your Print Deploy server’s hostname or IP>:9174 from one of your managed Chromebook’s browsers. If everything is fine, the browser displays an animated coffee cup with no security warnings.

Comments