Use an existing trusted SSL certificate for Mobility Print

“Help! We get a certificate error when browsing to the web interface of our Mobility Print server! What should we do?”

About Mobility Print and Certificates

By default, the Mobility Print server will use a self-signed certificate. While the self-signed cert secures communication, using one means that users browsing to the Mobility Print Help Center on your server using HTTPS will see an untrusted certificate error.

(It’s important to point out that, generally, this isn’t a problem. Users aren’t exchanging their credentials with the Mobility Print server through the web interface, and admins can simply click through the certificate error to get to the login page of the server and the traffic will still be encrypted.)

If this worries you, however, there are two different solutions.

  • Consider sharing the link to our Mobility Print Help Center with your users instead. It shows users how they can use Mobility Print on their devices. Our public page uses a trusted certificate and is securely reachable over port 443.
  • It is also possible to install a custom certificate on your Mobility Print server, which allows admins and users to access the web interface of the server with HTTPS without facing a certificate error. Below we describe two different ways to create the certificate files and install them on the Mobility Print server using either KeyStore Explorer or OpenSSL.

Generate the certificate using KeyStore Explorer

You may already be familiar with KeyStore Explorer if you followed our guide Installing an SSL Certificate the Easy Way. You might be able to reuse that certificate if…

  • Mobility Print is installed on the same server where PaperCut is running.
  • You have a wildcard certificate, which should be valid for any server with the same domain name.

To do so, follow these steps:

  1. Open the KeyStore used by PaperCut using KeyStore Explorer.
  2. Right-click on the entry for the certificate, and choose Export then Export Certificate Chain.
  3. Set the Export Length option to Head Only, change the file name to tls.cer, then click Export.
  4. Right-click on the entry for the certificate, and choose Export then Export Private Key.
  5. Select OpenSSL as the Private Key Type.
  6. Uncheck “Encrypt” and rename the file to tls.pem. Then click Export.
  7. Copy the new tls.pem and tls.cer files to the data folder where PaperCut Mobility Print is installed. On a Windows server this might be C:\Program Files (X86)\PaperCut Mobility Print\data. Either overwrite the existing files or first copy them to another folder for safekeeping.
  8. Restart the Mobility Print server or restart the service.
  9. Navigate to the web interface of the Mobility Print server using https://yourmobilityservername:9164 to test out the new certificate.
  10. Lastly, we recommend setting the “Accessible IP address”, but set this to the Common Name (CN) or Subject Alternative Name (SAN) on your certificate. Why? Mobility Print uses this value in a few different areas to advertise its address. Setting this should prevent some situations where users get a certificate error in the browser because they accessed the server by IP address and not hostname.

Generate the certificate using OpenSSL

The certificate and private key used by the Mobility Print server for HTTPS connections are in PEM-encoded format. To use an existing trusted SSL key:

1. Export the existing certificate and key to PEM-encoded format.
2. Configure the Mobility Print server certificate.

Step 1: Separate the components of the certificate key bundle using PEM encoding for the key. The process depends on the type of bundle you have. Also, hopefully, you documented the bundle’s import password once upon a time because you’re going to need it soon.

  • Windows certificate store:
    1. Export the certificate and key as a PFX bundle by following Step 1: Export the existing certificate with key. Skip this step if you already have a .pfx file.
    2. Export the PEM-encoded key and certificate as described below.
  • A PKCS#12 file (*.p12/*.pfx):
    1. Run the command below to export the key from the certificate key bundle:
    openssl pkcs12 -in certname.pfx -nocerts -out tlspw.pem
    2. Next, remove the PEM pass phrase from the last step:
    openssl rsa -in tlspw.pem -out tls.pem
    3. Finally, export the certificate from the certificate key bundle:
    openssl pkcs12 -in certname.pfx -nokeys -out tls.cer

Step 2: Configure the Mobility Print server certificate

1. On the Mobility Print server, stop the PaperCut Mobility Print service.
2. Navigate to: C:\<Mobility Print install path>\data\. You’ll see the following:
  • tls.cer (certificate file)
  • tls.pem (private key file)
3. Make a backup of the current tls.cer and tls.pem by renaming them both to .old so you have a copy of the original files.
4. Copy your extracted certificate and private key files to this folder.
5. Rename your certificate file to tls.cer and the private key file to tls.pem.
6. Start the PaperCut Mobility Print service.
7. Access the Mobility Print Admin interface using the Common Name (or Host Name) that you’ve specified in the certificate.

Technical details on supported certificates and key formats

As of version V1.0.3103 the Mobility Print server supports certificates and a variety of key formats. These must be encoded in PEM format, and the keys must not be password encrypted.

  • PKCS#8 private keys (based on RSA or EC, typically contain “BEGIN PRIVATE KEY” header)
  • PKCS#1 private keys (RSA keys, typically contain “BEGIN RSA PRIVATE KEY” header)
  • Private keys based on elliptic-curve cryptography (typically contain “BEGIN EC PRIVATE KEY” header)
  • PEM key data can contain PEM parameter blocks (e.g. “BEGIN EC PARAMETERS”)
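
The requirements above can be checked before tls.pem is copied into the data folder. The following is an added example, not PaperCut's own tooling: the function name check_mp_key and the sample files are hypothetical, and it assumes tls.pem should hold exactly one key. It reads only the PEM header lines, so it flags a key that is still pass-phrase protected (such as tlspw.pem from the OpenSSL steps) or in a format not listed above.

```shell
#!/bin/sh
# check_mp_key FILE: classify a PEM private key by its header lines.
# Prints pkcs8 | pkcs1-rsa | sec1-ec and returns 0 for the formats listed
# above; prints the reason and returns non-zero for anything else.
check_mp_key() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }

    # Encrypted keys: PKCS#8 has its own header, while the legacy PKCS#1/EC
    # form keeps the normal header and adds a "Proc-Type" line under it.
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "encrypted"; return 1
    fi

    # Keep only private-key BEGIN lines. Certificates and parameter blocks
    # ("BEGIN EC PARAMETERS") do not match; tr strips Windows CR endings.
    headers=$(grep -E '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$f" | tr -d '\r')
    count=$(printf '%s\n' "$headers" | grep -c 'PRIVATE KEY' || true)

    # Assumption of this example: tls.pem should hold exactly one key.
    if [ "$count" -ne 1 ]; then
        echo "expected-one-key"; return 1
    fi

    case $headers in
        '-----BEGIN PRIVATE KEY-----')     echo "pkcs8" ;;
        '-----BEGIN RSA PRIVATE KEY-----') echo "pkcs1-rsa" ;;
        '-----BEGIN EC PRIVATE KEY-----')  echo "sec1-ec" ;;
        *) echo "unsupported"; return 1 ;;   # e.g. DSA or OPENSSH keys
    esac
}

# Demo on constructed files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$demo_dir/tlspw.pem"
printf '%s\n' '-----BEGIN EC PARAMETERS-----' 'Q09OU1RSVUNURUQ=' \
    '-----END EC PARAMETERS-----' '-----BEGIN EC PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQ=' '-----END EC PRIVATE KEY-----' > "$demo_dir/tls.pem"
for name in tlspw.pem tls.pem; do
    printf '%s: %s\n' "$name" "$(check_mp_key "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```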

A word of caution

Prior to V1.0.3103 the private key format was limited and we have heard of customers following these instructions only to discover that when they try to print from Chromebooks, users will see an error in the browser: “Printing failed. Please check your printer and try again.”

If that is happening, then these log messages should be present in the Mobility Print server logs:

2020/07/16 09:39:40 mobility-print.exe: STDOUT|ERROR: Requested to decrypt but private key is not present {"src":"cert.go:161"}
2020/07/16 09:39:40 mobility-print.exe: STDOUT|ERROR: Error decrypting document name, err=private key not found {"src":"chrome_encryption.go:99"}
2020/07/16 09:39:40 mobility-print.exe: STDOUT|ERROR: Failed to decrypt document: {"client":"chrome","err":{}} {"src":"printing.go:133"}

This has been seen to happen when the private key is not correctly formatted for Mobility Print. A temporary solution is to revert to using the default self-signed certificates bundled with Mobility Print.

Still have questions?

Let us know! We’re definitely happy to chat about how Mobility Print works. Feel free to leave a comment below or visit our Support Portal for assistance. Also, check out the Mobility Print Help Center.
