SHA1 error message on Konica Minolta


As of firmware G00-Q1, an error message on the Konica Minolta device panel states the following:
“Certificate has been signed with SHA1. Are you sure you want to continue?”

This may be seen on the Konica Minolta device when the PaperCut server is using a SHA1 certificate. By default PaperCut ships with a SHA1-signed certificate, as there are a number of devices which only support SHA1 communication, so a default PaperCut installation may produce this error. Seeing this message at the device is undesirable, however, as it may confuse users. There are a few solutions to this problem that we’ll cover below:

NOTE: If you are not seeing the pictured error message at your KM device panel, you can skip to suppressing the warning in the PaperCut admin console; see the steps at the bottom of the page.

Upgrade to SHA256 certificate:

The easiest and recommended solution is to upgrade the PaperCut server certificate to one signed with SHA256. SHA256 is a stronger signature hash than SHA1, and using it will prevent this error message from appearing on the device.

NOTE: The following commands only apply if you’re using a default PaperCut self-signed certificate. If you’re using a non-default certificate, reach out to the vendor who supplied the certificate to make sure it is signed with SHA256 or stronger.

To upgrade the PaperCut server’s default certificate, perform the following:

1. Open a command line as Administrator and navigate to the create-ssl-keystore tool:
     cd [app-path]/server/bin/win
2. Back up the old keystore by going to “<PAPERCUT_MF_DIRECTORY>/server/data” and renaming “default-ssl-keystore”.
3. Run the create-ssl-keystore tool specifying the values you want to customize. See the table below for a list of the available arguments.
     create-ssl-keystore -f -k <keystore location> -sig sha256 -keystorepass <keystore password> -keystorekeypass <keystore key password> -bcCA <SYSTEM-NAME>
4. For example, to stop the “Domain mismatch warning”, you need to specify the fully-qualified domain in the <SYSTEM-NAME> argument:
     create-ssl-keystore -f "myserver.fullname.com"

For more information, check out the link to the manual below: https://www.papercut.com/products/ng/manual/common/topics/tools-ssl-key-generation-recreate-self-signed.html
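To confirm which hash the server certificate is signed with before and after regenerating the keystore, the following Python sketch reads the signatureAlgorithm field straight from the DER certificate. It is an added example, not part of the original article or of PaperCut's tooling; the function names are hypothetical, the sample certificates are constructed skeletons, and the host and port passed to `server_cert_der` are whatever your server listens on.

```python
import ssl

# Dotted OID -> (name, signed with SHA-1?) for common certificate signature algorithms.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Dotted OID of Certificate.signatureAlgorithm (the field after tbsCertificate)."""
    tag, start, _ = _read_tlv(der, 0)                   # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(der, start)               # skip tbsCertificate
    alg_tag, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    body, arcs, value = der[oid_start:oid_end], [], 0
    arcs += [body[0] // 40, body[0] % 40]               # first byte packs two arcs
    for b in body[1:]:                                  # remaining arcs are base-128
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def describe(der):
    """(algorithm name, is_sha1); unknown OIDs come back as (oid, None)."""
    oid = signature_algorithm(der)
    return SIG_ALGS.get(oid, (oid, None))

def server_cert_der(host, port):
    """Fetch the leaf certificate without validating it, so self-signed certs work."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def _tlv(tag, body):                       # builds the constructed samples below
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb) + body

def sample_cert(oid_hex):                  # constructed skeleton, not a real certificate
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, _tlv(0x04, bytes(300))) + alg + _tlv(0x03, b"\x00\xaa"))

SHA1_SAMPLE, SHA256_SAMPLE = sample_cert("2a864886f70d010105"), sample_cert("2a864886f70d01010b")
```

Against a live server, `describe(server_cert_der(host, port))` should report a SHA-1 algorithm before the keystore is regenerated and a SHA-256 one afterwards.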

This solution will not work, however, for devices that do not support SHA256-signed certificates, as they will not be able to communicate with the PaperCut server. If the site contains any of the following devices, one of the other solutions below will need to be used instead.

In this scenario, there is an option to set up a site server which serves a SHA1 certificate while upgrading the main PaperCut server’s certificate to SHA256. To do this, create a site server and migrate all the SHA1-only devices to that server. Then perform the steps above on the main PaperCut server. Reach out to your PaperCut reseller for assistance in setting up the Site Server environment.

Once you have done this, suppress the warning in the PaperCut admin console by following the steps below:

Suppressing the warning in the PaperCut Admin console:

You can suppress the warning in the PaperCut Admin console, on the Device tab, Device Details section. To do this, go to the Advanced Config tab for that device and set ext-device.konica-minolta.browser.show-sha1-message to N.


Article last modified on May 23, 2018, at 07:48 AM