Purchase and install a trusted SSL certificate
If you do not already have a certificate signed by a trusted authority, and you would like to use one, you need to purchase the signed certificate and then install it on PaperCut NG/MF
To purchase and install a signed SSL certificateSSL certificates are small data files that digitally bind a cryptographic key to an organization’s details, such as a company's domain name, your company name, your address, your city, your state and your country. When installed on a web server, it activates the padlock and the HTTPS protocol (over port 443) and allows secure connections from a web server to a browser. When a browser connects to a secure site it retrieves the site's SSL certificate and checks that it has not expired, it has been issued by a Certification Authority the browser trusts, and that it is being used by the website for which it has been issued. If it fails on any one of these checks the browser will display a warning to the end user letting them know that the site is not secured by SSL. SSL certificates can be either self-signed or CA signed.:
- Create the SSL keystore and create the private key
- Submit the Certificate Signing Request (CSR)
- Install the certificate(s)
- Configure the PaperCut NG/MF keystore
If you already have a signed SSL keyIn typical public key infrastructure (PKI) arrangements, a digital signature from a certificate authority (CA) attests that a particular public key certificate is valid (i.e., contains correct information). An SSL key can be either a public key (can be disseminated publicly) or a private key (known only to the owner). and certificate for the domain name of the PaperCut Application ServerAn Application Server is the primary server program responsible for providing the PaperCut user interface, storing data, and providing services to users. PaperCut uses the Application Server to manage user and account information, manage printers, calculate print costs, provide a web browser interface to administrators and end users, and much more., see Importing an existing SSL key.
Open a command prompt window and change to the directory [app-path]/runtime/jre/bin.
Delete any existing files called 'my-ssl-keystore' in this directory, as they are likely leftovers from previous attempts.
Enter the following command to produce the SSL key:
keytool -keystore [app-path]\server\custom\my-ssl-keystore -alias jetty -genkeypair -keyalg RSACaution:
This process creates a 'my-ssl-keystore' file. Don't lose this file! You need it when adding the public key later. We recommend making a copy of this 'my-ssl-keystore' and keeping it in a safe place. If it is lost or changed, your certificate needs to be re-issued, often resulting in costs from your Certificate Authority. If you are renewing your SSL certificate, review Renewing your SSL certificateNote:
Some organizations require larger key sizes than the default 1024 bit. In this case add the "-keysize 2048" or "-keysize 4096" parameter to the end of the above command line.
You will be asked a series of questions.
Answer the questions asked by the tool:
- For keystore password, choose 'password' or another simple password, as it is not important. Enter the same password again later when asked for a key password.
- for first and last name, enter the exact fully-qualified domain name of the PaperCut NG/MF Application Server. The server name must be the exact one that users will enter into their browsers to access PaperCut NG/MF's web interface, e.g. 'printing.myschool.edu'.
Depending on the certification authority's requirements, you might also need to fill in some of the other fields.
Enter keystore password: password
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=printing.myschool.edu, OU=Unknown, O=Unknown,
L=Unknown, ST=Unknown, C=Unknown correct?
Enter key password for <jetty>
(RETURN if same as keystore password): password
Prepare your new SSL key for certification by the certificate authority:
keytool -certreq -alias jetty -keystore [app-path]\server\custom\my-ssl-keystore
Paste the contents of the resulting jetty.csr into the online order forms of commercial certificate authorities or pass them to your organization's own certificate authority.
When the certification process has completed, the authority provides you with a certificate file that you can download from the authority's web site. The filename usually ends in .crt, .cer or .cert. The contents of the file should look something like this:
-----BEGIN CERTIFICATE----- MIIDLTCCApagAwIBAgIQJc/MOTjAW0HrPI/4rGtDCDANBgkqhkiG9w0BAQUFADCB
... more here ...
Save the file as jetty.crt.Caution:
If you have not already, take the opportunity now to backup your my-ssl-keystore at this time.
Before you can make use of your newly obtained certificate, you might have to import the certificate authorities "root certificate". PaperCut comes with a number of root certificates pre-installed that you can list using the following command (from the directory [app-path]/runtime/jre/bin ):
keytool -keystore ../lib/security/cacerts -storepass changeit -list
Add the option "-v" at the end to obtain the same list with more details, such as expiration dates.
If your certificate authority is not listed there, or you have been notified that they have recently started using new root certificates, first import the certificate authority's root certificate into your keystore before importing your newly obtained own certificate. The CA's root certificate is available for download on the CA's web site as a file ending on .pem or .crt. Save the file using a filename indicative of the CA's name, e.g. globaltrust.pem. Import the root certificate using this command, specifying an alias that is indicative of the CA's name (type this all in one line):
keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustroot -file globaltrustroot.pem
When asked whether to trust this certificate, answer yes:
Trust this certificate? [no]: yes
Some certificate authorities also provide additional "intermediate certificates" that must be imported the same way as the root certificate. You should use a different alias each time. For example:
keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustinter -file globaltrustinter.pem
Import your own certificate previously saved as jetty.crt (type this all in one line):
keytool -keystore [app-path]\server\custom\my-ssl-keystore -import -alias jetty -file jetty.crt -trustcacerts
Your new keystore file my-ssl-keystore is now ready.Caution:
The 'my-ssl-keystore' in the above command is the original my-ssl-keystore you created earlier.
Ensure the keystore file is in [app-path]/server/custom/.
Changes are not applied until the PaperCut NG/MF Application Server is restarted.
To configure the PaperCut Application Server to use the new key/certificate:
Copy your signed keystore onto the server running the PaperCut NG/MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore
Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).
Locate the section titled SSL Key/Certificate.
Remove the # (hash) comment marker from all lines starting with "server.ssl".
Define the following:
server.properties value Description server.ssl.keystore=custom/my-ssl-keystore The location of your keystore. This must match the value specified by -k in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default. server.ssl.keystore-password=default The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default. server.ssl.key-password=default The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default.
NOTE: On Mac OS, for server.ssl.keystore, specify the FULL path to your keystore, e.g. /Applications/PaperCut NG/MF/server/custom/my-ssl-keystore
- Save the file.
Restart the PaperCut NG/MF Application Server and verify all is working. If the server fails to start, error messages are recorded in logs located in the server's logs directory.
Now that you have a working SSL certificate for your PaperCut NG/MF server, it's time to set a reminder in your calendar (or similar) to ensure that your SSL certificate is renewed before it expires! Go do that now!