Customize the PaperCut NG self-signed certificate
During the install process, PaperCut NG generates a self-signed key/certificate issued for the host's machine name. This key is used by default when the system is accessed via HTTPS on port 9192.
The default SSL certificateSSL certificates are small data files that digitally bind a cryptographic key to an organization’s details, such as a company's domain name, your company name, your address, your city, your state and your country. When installed on a web server, it activates the padlock and the HTTPS protocol (over port 443) and allows secure connections from a web server to a browser. When a browser connects to a secure site it retrieves the site's SSL certificate and checks that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL. SSL certificates can be either self-signed or CA signed. provides good security, however, users will be presented with the “Domain mismatch warning” when they access the HTTPS site using a fully-qualified domain. This section describes how to customize the self-signed key/certificate so that the “Domain mismatch warning” is not displayed.
The “Certificate has not been signed by a trusted authority” warning will still be displayed. To avoid that message, you need use a certificate signed by a trusted authority. For more information see Use a certificate signed by a trusted authority.
Use the tool create-ssl-keystore to recreate the key/certificate (stored in a keystore file) for a different hostname, eliminating the browser domain mismatch warning. An example of the command's use:
create-ssl-keystore -f "myserver.fullname.com"
More information is available via the --help command line option.
Usage: create-ssl-keystore [-f] [-k FILE] [SYSTEM_NAME]
-f Force: Overwrite any existing keystore file.
-k FILE: Define a keystore file location. If not set the keystore is created in the default location (server/data/default-ssl-keystore).
SYSTEM_NAME: The name of the computer/server used to generate keystore. If not defined, the current computer name is used.Note:
If you use the -k option, you also need to:Configure PaperCut NG to use the new certificateImportant:
Changes are not applied until the PaperCut NG Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more. is restarted.
To configure the PaperCut Application Server to use the new key/certificate:
Copy your signed keystore onto the server running the PaperCut NG Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore
Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).
Locate the section titled SSLSecure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end of the transactions. To be able to create an SSL connection a web server requires an SSL certificate. When you choose to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys - a Private Key and a Public Key. Key/Certificate.
Remove the # (hash) comment marker from all lines starting with "server.ssl".
Define the location of your keystore, keystore password and key password as chosen previously. The file should look something like this:
NOTE: On Mac OS, specify the FULL path to your keystore, e.g. /Applications/PaperCut NG/server/custom/my-ssl-keystore
Restart the PaperCut NG Application Server and verify all is working. If the server fails to start, error messages are recorded in logs located in the server's logs directory.
Now that you have a working SSL certificate for your PaperCut NG server, it's time to set a reminder in your calendar (or similar) to ensure that your SSL certificate is renewed before it expires! Go do that now!
- Restart the Application Server.
For backwards compatibility with 3rd party systems the default self-signed certificate is generated with a SHA1 algorithm. See Can I use other algorithms such as SHA2/SHA256?