SSL with PaperCut and Keystore Explorer


Setting up PaperCut to use SSL/TLS can be fairly complicated if you take the command line approach and can sometimes lead to a few cups of coffee being needed before it works. To take the pain away, there is an easier method you can use thanks to a free tool called Keystore Explorer.

Setting up Keystore Explorer

Download and install the latest release of Keystore Explorer from: http://www.keystore-explorer.org/downloads.html

Depending on the version of JRE you have installed, Keystore Explorer might ask you to update Java's cryptography libraries. Follow the prompts and it will guide you through this.

The video below demonstrates how to set up Keystore Explorer:

Creating a new Certificate

1) Click Create a new KeyStore

2) Select JKS, then click OK

3) Click the Generate Key Pair icon to generate a Key Pair

4) Select RSA, then set the Key Size for your new certificate to either 2048 or 4096
5) Click OK

6) In the Validity Period field, set how long the certificate will be valid for
7) Click the address book icon

8) In the Common Name field, enter the Fully Qualified Domain Name (the address users will access) for your PaperCut server. Fill out the other fields according to your organization's details, then click OK

9) Click OK
10) In the Enter Alias field, set an alias so you know what the key is for, then click OK

11) Set the password for your key, then click OK

The video below demonstrates how to create a new certificate:

Generating a Certificate Signing Request (CSR) and importing the response

1) Right-click on your Key Pair, then select Generate CSR

2) In the CSR File field, set the output path for the CSR, then click OK

3) Apply for a certificate with your Certificate Authority (CA) by providing them the CSR.

4) The CA will provide your new certificate, plus one or more "CA certs" (the certificate of the CA, and maybe their upstream CA, etc.). If they have provided a "bundle" (all the certs in the one file), choose that file. Otherwise, choose the file that represents your certificate. Right-click the key, select Import CA Reply, then select From File and browse to the chosen certificate file (probably .crt)

If there are several separate certificate files, you might need to edit the certificate chain to ensure all the certificates are in there. Get in touch if you need a hand.

5) Save your Keystore.

6) Set the password for your Keystore, then click OK

7) Copy the saved Keystore to [install-path]/server/custom/
8) Edit [install-path]/server/server.properties and change the values below to match your filename and passwords. Remember to remove the # signs to enable these keys.

server.ssl.keystore=custom/papercut-keystore
server.ssl.keystore-password=papercut
server.ssl.key-password=papercut

9) Restart the PaperCut Application Server service and check https://papercut:9192/admin

If you don't see any errors, congratulations! You can now reward yourself with a coffee. If you see an error message, send an email to support@papercut.com then grab a coffee. Most of the time, we will have replied before you have made it back to your desk.

The video below demonstrates how to generate a CSR:

Importing an Existing Certificate

1) Click Create a new KeyStore

2) Select JKS, then click OK

3) Click the Import Key Pair icon

4) Select the type of certificate you are using, then click OK

This is normally PKCS12 (.pfx, .p12), but it depends on where your certificate came from.

5) Click Details to verify the certificate. If you get an error, it could be the password or the wrong certificate type

pkcs12 import

pkcs8 import

6) In the Enter Alias field, enter an alias for the newly imported Certificate, then click OK

7) Set a password for the key, then click OK

8) Save the Keystore

9) Set a password for the Keystore, then click OK

10) Copy the saved Keystore to [install-path]/server/custom/
11) Edit [install-path]/server/server.properties and change the values below to match your filename and passwords. Remember to remove the # signs to enable these keys.

server.ssl.keystore=custom/papercut-keystore
server.ssl.keystore-password=papercut
server.ssl.key-password=papercut

12) Restart the PaperCut Application Server service and check https://papercut:9192/admin

If you don't see any errors, congratulations! You can now reward yourself with a coffee. If you see an error message, send an email to support@papercut.com then grab a coffee. Most of the time, we will have replied before you have made it back to your desk.
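A quick check for the server.properties step in both procedures above (creating a new certificate and importing an existing one), as an added example that is not PaperCut's own code: it reports any of the three SSL keys that are still commented out, missing, or left at the sample value shown in this article. The function names and the sample file contents are constructed for illustration, and multi-line property values are not handled.

```python
"""Lint the three SSL keys this article sets in server.properties (added example)."""
from pathlib import PurePosixPath

SSL_KEYS = ("server.ssl.keystore", "server.ssl.keystore-password",
            "server.ssl.key-password")
SAMPLE_PASSWORD = "papercut"  # the sample value printed in the article

# Constructed sample: the article's lines with the # signs still in place.
BEFORE = """\
#server.ssl.keystore=custom/papercut-keystore
#server.ssl.keystore-password=papercut
#server.ssl.key-password=papercut
"""
# Constructed sample: keys enabled, filename and passwords changed.
AFTER = """\
server.ssl.keystore=custom/print01-keystore
server.ssl.keystore-password=Example-Store-Pass-1
server.ssl.key-password=Example-Key-Pass-1
"""

def parse_properties(text):
    """Return (active, commented) dicts of key -> value."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line, target = raw.strip(), active
        if line.startswith(("#", "!")):      # both start a comment in .properties
            line, target = line.lstrip("#! \t"), commented
        if "=" in line:
            key, value = line.split("=", 1)
            target[key.strip()] = value.strip()
    return active, commented

def check_ssl_settings(text):
    """List problems with the SSL keys; an empty list means none were found."""
    active, commented = parse_properties(text)
    findings = []
    for key in SSL_KEYS:
        if key not in active:
            state = "still commented out" if key in commented else "missing"
            findings.append(f"{key}: {state}")
        elif key.endswith("password") and active[key] == SAMPLE_PASSWORD:
            findings.append(f"{key}: still the article's sample value")
    path = active.get("server.ssl.keystore")
    if path is not None:
        # The article copies the keystore into [install-path]/server/custom/
        parts = PurePosixPath(path.replace("\\", "/")).parts
        if parts[:1] != ("custom",) or ".." in parts:
            findings.append("server.ssl.keystore: not under custom/")
    return findings

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, check_ssl_settings(sample) or "ok")
```

To check a real installation, pass the contents of [install-path]/server/server.properties to check_ssl_settings().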


Categories: Security


Keywords: SSL, Security, Keystore Explorer, Certificate


Article last modified on October 27, 2017, at 07:48 PM