Use the PaperCut NG/MF self-signed certificate

During the install process, PaperCut NG/MF generates a self-signed key/certificate issued for the host's machine name. This key is used by default when the system is accessed via HTTPS on port 9192.

The default SSL certificate provides good security; however, if users access the HTTPS site using a fully-qualified domain, they will be presented with the “Domain mismatch warning”. You can customize the self-signed key/certificate to change a number of attributes of the certificate, including ensuring that the “Domain mismatch warning” is not displayed.

Note:

The “Certificate has not been signed by a trusted authority” warning will still be displayed. To avoid that message, you need to use a certificate signed by a trusted authority. For more information see Use a certificate signed by a trusted authority.

Steps:

  1. In a command line, navigate to the create-ssl-keystore tool:

    cd [app-path]/server/bin/win

  2. Run the create-ssl-keystore tool specifying the values you want to customize. See the table below for a list of the available arguments.

    create-ssl-keystore -f -k <keystore location> -sig <signature> -keystorepass <keystore password> -keystorekeypass <keystore key password> -bcCA <SYSTEM-NAME>

    For example, to stop the “Domain mismatch warning”, you need to specify the fully-qualified domain in the <SYSTEM-NAME> argument:

    create-ssl-keystore -f "myserver.fullname.com"

     

    Argument          Description
    -f                (force) Overwrite any existing keystore file.
    -k                Define a keystore file location. If you don’t specify this value, the keystore is created in the default location (server/data/default-ssl-keystore).
    -sig SIGNATURE    Specifies the algorithm that should be used for certificate signing.
                      Valid values: [sha256 | sha1].
                      If you don’t specify this value, sha1 is used for certificate signing.
    -keystorepass     Specifies the password for the generated PaperCut NG/MF keystore. If you don’t specify this option, the keystore password is “default”.
    -keystorekeypass  Specifies the password for the key stored in the generated PaperCut NG/MF keystore. If you don’t specify this option, the keystore key password is “default”.
    -bcCa             Add the X.509 Basic Constraints CA extension.
    SYSTEM_NAME       The name of the computer/server used to generate keystore. If you don’t specify this value, the current computer name is used.

    Tip:

    More information is available via the --help command line option.

  3. If you specified the -k, -keystorepass, or -keystorekeypass arguments:

    1. Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).

    2. Locate the section titled SSL Key/Certificate.

    3. Remove the # (hash) comment marker from the line starting with server.ssl.keystore=.

    4. Define the following properties:

      server.properties value        Description
      server.ssl.keystore=           The location of your keystore. This must match the value specified by -k in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default in the server.properties file.
      server.ssl.keystore-password=  The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default in the server.properties file.
      server.ssl.key-password=       The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default in the server.properties file.

      NOTE: On Mac OS, for server.ssl.keystore, specify the FULL path to your keystore, e.g. /Applications/PaperCut NG/MF/server/custom/my-ssl-keystore

    5. Save the file.
  4. Restart the Application Server.
Caution:

For backwards compatibility with 3rd party systems the default self-signed certificate is generated with a SHA1 algorithm. See Can I use other algorithms such as SHA2/SHA256?
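
One way to check step 3 before restarting, as an added example (not PaperCut code): the script compares the three server.ssl.* properties with the values given to create-ssl-keystore and reports a keystore line that is still commented out, a mismatch, or a password left at “default”. The function names and the sample file contents are assumptions constructed for illustration, and only plain key=value lines are handled.

```python
# Added example, not PaperCut code. Assumes plain key=value lines with '#' comments.
DEFAULT_PASSWORD = "default"  # password create-ssl-keystore uses when none is given
KEYS = ("server.ssl.keystore", "server.ssl.keystore-password", "server.ssl.key-password")

def parse_properties(text):
    """Split key=value lines into (active, commented_out) dictionaries."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line, target = raw.strip(), active
        if line.startswith("#"):
            line, target = line.lstrip("#").strip(), commented
        if "=" in line:
            key, value = line.split("=", 1)
            target[key.strip()] = value.strip()
    return active, commented

def audit(text, keystore=None, keystorepass=None, keystorekeypass=None):
    """Arguments mirror -k, -keystorepass and -keystorekeypass; None = option not used."""
    active, commented = parse_properties(text)
    expected = dict(zip(KEYS, (keystore, keystorepass, keystorekeypass)))
    findings = []
    for key, want in expected.items():
        if want is None:
            if key != KEYS[0]:  # password options fall back to the documented default
                findings.append(f"{key}: create-ssl-keystore used the password '{DEFAULT_PASSWORD}'")
            continue
        if key not in active:
            state = "still commented out" if key in commented else "missing"
            findings.append(f"{key}: {state}")
        elif active[key] != want:
            findings.append(f"{key}: does not match the create-ssl-keystore value")
    return findings

# Constructed sample, not a real PaperCut server.properties file.
SAMPLE = """\
### SSL Key/Certificate ###
#server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=s3cret-store
server.ssl.key-password=default
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, keystore="custom/my-ssl-keystore",
                         keystorepass="s3cret-store", keystorekeypass="s3cret-key"):
        print(finding)
```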

