This article lists the commands used to import your existing SSL certificates into PaperCut when running on Linux. This will allow the certificates to be used for accessing the web interfaces via HTTPS.
Many thanks to Matt Peacock of Belper School for contributing the steps for this Knowledge Base article!
Please note before following these instructions that all references to files with a specific version number will change with every PaperCut NG/MF update. If you specify the wrong file name you will get an error. Before starting we recommend that you navigate your lib folder by entering
ls ~papercut/server/lib or use tab completion to find the version shipped with your installation.
1. If you have separate PEM encoded key and certificate files, you will first need to convert them to a PKCS12 bundle as follows:
openssl pkcs12 -export -inkey keyfile.key -in cert.crt -out /tmp/pccert.pfx
Where keyfile.key is the location of your key file, cert.crt is the location of your certificate file and /tmp/pccert.pfx is the output PKCS12 bundle file.
2. Import the PKCS12 bundle into PaperCut as follows:
~papercut/runtime/linux-x64/jre/bin/java -classpath ~papercut/server/lib/jetty-pkcs12–8.1.16.v20140903.jar org.mortbay.jetty.server.ssl.PKCS12Import /tmp/pccert.pfx ~papercut/server/custom/my-ssl-keystore
3. To set up PaperCut to use the new certificate:
Uncomment the following lines, appending the output keystore password that you entered before.
server.ssl.keystore-password=<your keystore password>
server.ssl.key-password=<your keystore password again>
ii) Restart the PaperCut Application Server
. You should now be able to connect to your PaperCut
server using HTTPS.
Note that there can be a short delay between restarting the PaperCut service and HTTP/HTTPS connections becoming available.
Once you have verified that HTTPS connections are working, DELETE
the PKCS12 certificate file
(It is no longer necessary, and it contains your certificate’s private key, which should be kept secure.)
Under Options→General→Client Software
you can tell the client software to access the server via SSL/HTTPS by default, to increase security.
v) Depending on how your certificate has been issued, when you attempt to access the PaperCut web interface through the link on the user client tool, you may receive errors stating that ‘The name on the security certificate is invalid or does not match the name of the site’. To get rid of these errors you need to update the ‘server-name’ value in
“~papercut/client/client.properties” to reflect the name of the server that is specified in your web server certificate. This may simply be a case of supplying the fully qualified domain name instead of the ‘simple’ server name (i.e. ‘server.domain.com’ instead of just ‘server’).
Categories: Tips & Tricks, Security
Keywords: JSSE keystore, Jetty, Secure Socket Extension, certificate warning, browser security