Importing SSL Certificates in Linux

This article lists the commands used to import your existing SSL certificates into PaperCut when running on Linux. This will allow the certificates to be used for accessing the web interfaces via HTTPS.

The following information was contributed by Matt Peacock of Belper School, a power user of PaperCut NG.


1. If you have separate PEM encoded key and certificate files, you will first need to convert them to a PKCS12 bundle as follows:

openssl pkcs12 -export -inkey keyfile.key -in cert.crt -out /tmp/pccert.pfx
Where keyfile.key is the location of your key file, cert.crt is the location of your certificate file and /tmp/pccert.pfx is the output PKCS12 bundle file.

2. Import the PKCS12 bundle into PaperCut as follows:

~papercut/runtime/linux-x64/jre/bin/java -classpath ~papercut/server/lib/jetty-6.1.22.jar org.mortbay.jetty.security.PKCS12Import /tmp/pccert.pfx ~papercut/server/custom/my-ssl-keystore
Note that the version number on jetty-6.1.22 may change with different versions of PaperCut. If you get an error try doing an ls ~papercut/server/lib or use tab completion to find the version shipped with your installation.

3. To set up PaperCut to use the new certificate:

i) Edit ~papercut/server/server.properties
Uncomment the following lines and set the password values to the output keystore password that you entered earlier.
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=<your keystore password>
server.ssl.key-password=<your keystore password again>
ii) Restart the PaperCut Application Server. You should now be able to connect to your PaperCut server using HTTPS.
Note that there can be a short delay between restarting the PaperCut service and HTTP/HTTPS connections becoming available.
iii) Once you have verified that HTTPS connections are working, DELETE the PKCS12 certificate file /tmp/pccert.pfx
(It is no longer necessary, and it contains your certificate’s private key, which should be kept secure.)
iv) Under Options→General→Client Software you can tell the client software to access the server via SSL/HTTPS by default, to increase security.
v) Depending on how your certificate has been issued, when you attempt to access the PaperCut web interface through the link on the user client tool, you may receive errors stating that ‘The name on the security certificate is invalid or does not match the name of the site’. To get rid of these errors, update the ‘server-name’ value in ~papercut/client/client.properties to match the server name specified in your web server certificate. This may simply be a case of supplying the fully qualified domain name instead of the ‘simple’ server name (e.g. ‘server.domain.com’ instead of just ‘server’).
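
The checks implied by step 3 can be scripted. The following is an added example, not part of the original article or of PaperCut: the function names are hypothetical, and the world-readable test is an added assumption about what keeping the key "secure" means on a shared host. Only the property keys and file paths come from the article.

```shell
#!/bin/sh
# Added example: post-import checks for step 3. Function names are hypothetical;
# the property keys and file locations are the ones used in the article.

# Print the value of an uncommented "KEY=value" line in a properties file.
prop_value() {  # usage: prop_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when the SSL setup under SERVER_DIR looks complete; otherwise print
# each problem found and return 1. BUNDLE is the temporary PKCS12 file.
check_ssl_setup() {  # usage: check_ssl_setup SERVER_DIR BUNDLE
    dir=$1; bundle=$2; props="$dir/server.properties"; rc=0
    [ -f "$props" ] || { echo "missing $props"; return 1; }

    # Step i: all three lines must be uncommented and no longer placeholders.
    for key in server.ssl.keystore server.ssl.keystore-password server.ssl.key-password; do
        val=$(prop_value "$props" "$key")
        case $val in
            ''|'<'*) echo "$key is commented out or still a placeholder"; rc=1 ;;
        esac
    done

    ks=$(prop_value "$props" server.ssl.keystore)
    if [ -n "$ks" ]; then
        # custom/my-ssl-keystore is relative to the server directory.
        case $ks in /*) ;; *) ks="$dir/$ks" ;; esac
        if [ ! -f "$ks" ]; then
            echo "keystore $ks not found"; rc=1
        elif [ -n "$(find "$ks" -perm -0004)" ]; then
            echo "keystore $ks is world-readable"; rc=1   # assumption: added check
        fi
    fi

    # server.properties now holds the keystore passwords in clear text.
    [ -z "$(find "$props" -perm -0004)" ] || { echo "$props is world-readable"; rc=1; }

    # Step iii: the PKCS12 bundle contains the private key and must be deleted.
    [ ! -e "$bundle" ] || { echo "PKCS12 bundle $bundle still present"; rc=1; }
    return $rc
}

# Typical call on the server: check_ssl_setup ~papercut/server /tmp/pccert.pfx
```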

Categories: Tips & Tricks, Security


Keywords: JSSE keystore, Jetty, Secure Socket Extension, certificate warning, browser security

Article last modified on May 09, 2017, at 04:31 AM