Browser Certificate Warnings and Errors

PaperCut automatically generates an SSL/HTTPS certificate during the install process. This certificate is subsequently used to encrypt sensitive data, and to secure the HTTPS based web access. Web browsers may however raise the following warnings about the certificate:

1. The certificate is not signed or can’t be validated by a trusted authority.

2. The certificate name does not match the server/host name.

The 1st error occurs because the certificate is self-signed (not signed by an external authority). This means that the user will need to manually accept the certificate, or alternatively add it to the browsers trusted servers list. Organizations using Active Directory and Group Policies may find the following web article on deploying a certificate via group policy useful. An alternate approach is to replace the self-signed key with an officially signed key. This is an advanced process and detailed in Appendix A.

The 2nd error does not usually occur as PaperCut will automatically detect the hostname and generate a certificate to match. It may however occur if the server is externally accessed via alternate name, such as a fully qualified name. The name mismatch warning can be fixed by regenerating the certificate as detailed in Appendix A.

Certificate Expired Warnings

The default self-signed certificate generated by PaperCut on installation has an expiration date set 9999 years in the future. So it will not expire. If you are receiving a certificate expired warning when accessing PaperCut you must have installed a custom certificate which has now expired. Custom certificates signed by official signing authorities typically have a 1 year expiration period, so they must be renewed yearly and re-installed into PaperCut.

To fix these warning messages you will need to renew your certificate with your certificate authority, and install the new certificate as described in the SSL key generation section in the manual.