SHA1 error message on Konica Minolta

As of firmware G00-Q1, an error message on the Konica Minolta device panel states the following:
“Certificate has been signed with SHA1. Are you sure you want to continue?”

This may be seen on the Konica Minolta device when the PaperCut server is using a SHA1 certificate. By default PaperCut ships with a SHA1 signed certificate, as there are a number of devices which only support SHA1 communication, so a default PaperCut installation may produce this error. Seeing this message on at the device is undesirable, however, as it may confuse users. There are a few solutions to this problem that we’ll cover below:

NOTE: If you are not seeing the pictured error message at your KM device panel, you can skip to suppressing the warning in the PaperCut admin console, see the steps below at the bottom of the page.

Upgrade to SHA256 certificate:

The easiest and recommended solution is to upgrade the PaperCut server certificate to be encrypted with SHA256. This is a more secure level of encryption and will prevent this error message from appearing on the device.

NOTE: The following commands only apply if you’re using a default PaperCut self-signed certificate. If you’re using a non-default certificate, reach out to your vendor who has supplied a certificate to make sure its encryption strength is SHA256 or higher.

To upgrade the PaperCut server’s default certificate, perform the following:

1. In a command line, run as Administrator and then navigate to the create-ssl-keystore tool:
2. cd [app-path]/server/bin/win
3. Backup the old keystore by going to “<PAPERCUT_MF_DIRECTORY>/server/data” and renaming “default-ssl-keystore”.
4. For a standard PaperCut install that has not been modified, open an administrative command prompt and execute the following command:
create-ssl-keystore -f -sig sha256 -bcCA

You should expect to see the result:

Keystore file successfully created for: <your servername> at <PAPERCUT_MF_DIRECTORY>\server\data\default-ssl-keystore Restart the Application Server to apply the new SSL certificate.

For advanced admins or systems with non-standard elements please see below for a full explanation of the command.

To run the create-ssl-keystore tool specifying the values you want to customize. See the table below for a list of the available arguments. Ensure that for the ‘-sig’ argument, you specific the ‘sha256’ value.

create-ssl-keystore -f -k <keystore location> -sig sha256 -keystorepass <keystore password> -keystorekeypass <keystore key password> -bcCA <SYSTEM-NAME>
5. (OPTIONAL) If you specified the -k, -keystorepass, or -keystorekeypass arguments:
a. Open the file [app-path]/server/ with a text editor (e.g. Notepad).
b. Locate the section titled SSL Key/Certificate.
c. Remove the # (hash) comment marker from the line starting with server.ssl.keystore=.
d. Define the following properties:

NOTE: On Mac OS, for server.ssl.keystore, specify the FULL path to your keystore, e.g. /Applications/PaperCut NG/MF/server/custom/my-ssl-keystore

For more information, check out the link to the manual below:

This solution will not work, however, for devices that do not support SHA256 encrypted certificates, as they will not be able to communicate with the PaperCut server. Check with your PaperCut reseller or Authorised Solution Center to see if your Konica Minolta devices support SHA256.

If they don’t support SHA256, there is an option to set up a site server which serves a SHA1 certificate, and meanwhile upgrade the main PaperCut server’s certificate to SHA256. In order to perform this, create a site server and migrate all the SHA1 only devices to that server. Then perform the steps above on the main PaperCut server. Reach out to your PaperCut reseller for assistance in setting the Site Server environment.

Once you have done this, perform the steps to suppress the warning in the PaperCut admin console by following the steps below:

Suppressing the warning in the PaperCut Admin console:

You can suppress the warning in the PaperCut Admin console, on the Device tab, Device Details section. This is done by going to the Advanced Config tab for that device, set to N.

Categories: Troubleshooting Articles, Devices

Keywords: mf-only