Use an existing trusted PaperCut NG/MF certificate

If you have an existing trusted PaperCut NG/MF certificate, you can import it into the PaperCut NG/MF keystore, provided it is one of the following types:

  • On Windows, a certificate with an attached private key stored in either:

    • the Windows certificate store

    • a PKCS#12 file (*.p12/*.pfx)

  • On Linux, separate ‘PEM encoded’ key and certificate files.

To use an existing trusted PaperCut NG/MF certificate:

  1. Export the existing trusted certificate and key.

  2. Import the existing trusted certificate into the PaperCut NG/MF keystore.

  3. Configure the PaperCut NG/MF keystore.

Step 1: Export the existing trusted certificate and key

The way in which you export your existing trusted certificate and key depends on where it is stored. One common method of exporting is via the Windows Certificate Store:

  1. Open the Windows Control Panel; then select Internet Options.

  2. On the Content tab, click Certificates.

  3. On the Personal tab, select the certificate; then click Export.

  4. Click Next at the initial screen.

  5. Select Yes, export the private key; then click Next.

    If you selected the last option correctly, you can export only as a .PFX file.

  6. Select the Include all the certificates in the certification path if possible check box.

  7. Clear the Enable strong protection check box.

  8. Clear the Delete the private key if the export is successful check box.

  9. Type a password for the PFX file. This is only used temporarily.

  10. Save the PFX file with the extension .pfx. (This file is only temporary; you MUST delete it later on.)

  11. Finish the wizard to export the certificate.

Step 2: Import the existing trusted certificate into the PaperCut NG/MF keystore

The way in which you import your trusted certificate into the PaperCut NG/MF keystore depends on the type of certificate you have:

PEM/CERT/CER file
  1. In a command line, navigate to the create-ssl-keystore tool:

    cd [app-path]/server/bin/win
    
  2. Run the following create-ssl-keystore command after specifying values for relevant arguments:

    create-ssl-keystore -f -k <keystore location> -keystoreentry <entry> -cert <certificate file path> -key <key file path> -sig <signature> -keypass <keyfile password> -keystorepass <keystore password> -keystorekeypass <keystore key password> -certCA <certificate files> -bcCA "<SYSTEM-NAME>"
    

    EXAMPLE

    For example, to create a keystore with a password from a key that has a password:

    create-ssl-keystore -f -cert "path/to/pem-certificate.pem" -key "path/to/pem-key.pem" -keypass "password" -keystorepass "password"
    
create-ssl-keystore command arguments: Description and values

-f

(optional) Overwrites any existing keystore file(s).

-k <keystore location>

Specify the location of the keystore into which the existing trusted PaperCut NG/MF key/certificate is being imported.

If you don’t specify this value, the default location [app-path]/server/data/default-ssl-keystore is used.

-keystoreentry <entry>

(required) Specify the entry of the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.

Valid values: [standard] (9192); [highsec] (9195)

-cert <certificate file path>

(required) Specify the file name and location of the existing trusted PaperCut NG/MF certificate that is being imported into the keystore.

In conjunction with -key, this creates the keystore.

-key <key file path>

(required) Specify the file name and location of the existing trusted PaperCut NG/MF key that is being imported into the keystore.

In conjunction with -cert, this creates the keystore.

-sig <signature>

(optional) Specify the certificate signing algorithm that is used by the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.
Valid values: [sha256 | sha1].
If you don’t specify this value, the standard algorithm sha1 is used. This ensures backwards compatibility with 3rd party systems. For more information, see Can I use other algorithms such as SHA2/SHA256?

-keypass <keyfile password>

(required if the existing key already has a password) Specify the existing password of the existing PaperCut NG/MF key/certificate that is being imported into the keystore.

-keystorepass <keystore password>

(optional) Specify the password required to access the keystore.

If you don’t specify this value, the keystore password is default.

-keystorekeypass <keystore key password>

(optional) Specify the password required to access the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.

If you don’t specify this value, the keystore key password is default.

-certCA

(optional) Specify the name of the certificate authority that has issued the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.

-bcCa

(optional) Add the X.509 Basic Constraints CA extension.

<SYSTEM-NAME>

Specify the name of the computer/server that is being used to create the keystore.

If you don’t specify this value, the current computer name is used.

PFX/PKCS#12 file
  1. In a command line, navigate to the create-ssl-keystore tool:

    cd [app-path]/server/bin/win
    
  2. Run the following create-ssl-keystore command after specifying values for relevant arguments:

    create-ssl-keystore -f -k <keystore location> -keystoreentry <entry> -p12 <PKCS12/PFX certificate file path> -p12pass <password for the PKCS12/PFX certificate file> -sig <signature> -keystorepass <keystore password> -keystorekeypass <keystore key password> -certCA <certificate files> -bcCA "<SYSTEM-NAME>"
    

    EXAMPLE

    For example, to create a keystore with a password from a key that has a password:

    create-ssl-keystore -f -p12 "path/to/pfx.pfx" -p12pass "password" -k "path/to/custom/folder/my-ssl-keystore" -keystorepass "password"
    
create-ssl-keystore command arguments: Description and values

-f

(optional) Overwrites any existing keystore file(s).

-k <keystore location>

Specify the location of the keystore into which the existing trusted PaperCut NG/MF key/certificate is being imported.

If you don’t specify this value, the default location [app-path]/server/data/default-ssl-keystore is used.

-keystoreentry <entry>

(required) Specify the entry of the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.

Valid values: [standard] (9192); [highsec] (9195)

-p12 <PKCS12/PFX certificate file path>

(required) Specify the file name and location of the existing trusted PaperCut NG/MF certificate that is being imported into the keystore.

-p12pass <password for the PKCS12/PFX certificate file>

(required if the existing certificate already has a password) Specify the existing password of the existing PaperCut NG/MF key/certificate that is being imported into the keystore.

-sig <signature>

(optional) Specify the certificate signing algorithm that is used by the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.
Valid values: [sha256 | sha1].
If you don’t specify this value, the standard algorithm sha1 is used. This ensures backwards compatibility with 3rd party systems. For more information, see Can I use other algorithms such as SHA2/SHA256?

-keystorepass <keystore password>

(optional) Specify the password required to access the keystore.

If you don’t specify this value, the keystore password is default.

-keystorekeypass <keystore key password>

(optional) Specify the password required to access the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.

If you don’t specify this value, the keystore key password is default.

-certCA

(optional) Specify the name of the certificate authority that has issued the existing trusted PaperCut NG/MF key/certificate that is being imported into the keystore.

-bcCa

(optional) Add the X.509 Basic Constraints CA extension.

<SYSTEM-NAME>

Specify the name of the computer/server that is being used to create the keystore.

If you don’t specify this value, the current computer name is used.

Step 3: Configure the PaperCut NG/MF keystore

To configure the PaperCut Application Server to use the new key/certificate:

  1. Copy your signed keystore onto the server running the PaperCut NG/MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore.

  2. Open the file [app-path]/server/server.properties with a text editor (for example, Notepad).

  3. Locate the section titled SSL Key/Certificate.

  4. Remove the # (hash) comment marker from all lines starting with:

    server.ssl.keystore=

    server.ssl.keystore-password=

    server.ssl.key-password=

  5. Define the following:

    server.properties value: Description

    server.ssl.keystore

    The location of your keystore. This must match the value specified by -k in create-ssl-keystore.

    If you did not specify this value in create-ssl-keystore, leave it as default.

    server.ssl.keystore-password

    The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore.

    If you did not specify this value in create-ssl-keystore, leave it as default.

    server.ssl.key-password

    The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore.

    If you did not specify this value in create-ssl-keystore, leave it as default.

  6. Save the file.

  7. Restart the PaperCut NG/MF Application Server.
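
A check to run before the restart in Step 3, added here as an example and not part of PaperCut's documentation or tooling: it reads server.properties text and reports which of the three SSL properties are still commented out, missing, or different from the values passed to create-ssl-keystore. The function names, the sample file contents and the keystore path are constructed for illustration, and values are compared as raw text without Java properties escape handling.

```python
import re

# The three properties Step 3 tells you to uncomment and set.
SSL_KEYS = (
    "server.ssl.keystore",
    "server.ssl.keystore-password",
    "server.ssl.key-password",
)

# "key=value" with an optional leading "#" comment marker.
_LINE = re.compile(r"^\s*(#\s*)?([A-Za-z0-9._-]+)\s*[=:]\s*(.*)$")

# Constructed sample, not a real server.properties file.
SAMPLE = """\
### SSL Key/Certificate ###
server.ssl.keystore=custom/my-ssl-keystore
#server.ssl.keystore-password=password
server.ssl.key-password=other
"""


def parse_ssl_properties(text):
    """Return {key: (active, value)}; an uncommented line beats a commented one."""
    found = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(2) in SSL_KEYS:
            active = m.group(1) is None
            if active or m.group(2) not in found:
                found[m.group(2)] = (active, m.group(3))
    return found


def check_ssl_properties(text, keystore, keystorepass, keystorekeypass):
    """List mismatches between server.properties and the values given to
    create-ssl-keystore (-k, -keystorepass, -keystorekeypass)."""
    expected = dict(zip(SSL_KEYS, (keystore, keystorepass, keystorekeypass)))
    found = parse_ssl_properties(text)
    problems = []
    for key in SSL_KEYS:
        if key not in found:
            problems.append(f"{key}: missing")
        elif not found[key][0]:
            problems.append(f"{key}: still commented out")
        elif found[key][1] != expected[key]:
            # Report the key only; never echo password values into logs.
            problems.append(f"{key}: does not match create-ssl-keystore value")
    return problems
```

An empty list means the three lines are active and agree with the keystore arguments, so the Application Server should be able to open the keystore after the restart.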
