Extended keytool.exe usage
This documentation provides the more common scenarios around keytool.exe usage. If you require further customization, review the documentation available from Oracle:
PaperCut NG/MF version 15.2 and newer: Java 8 (1.8) keytool Documentation
PaperCut NG/MF version 14.0 and newer: Java 7 (1.7) keytool Documentation
PaperCut NG/MF version 13.5 and older: Java 6 (1.6) keytool Documentation
Can I have more than one hostname / FQDN?
One of the benefits of using an SSL certificate is that clients check that the URL matches the certificate, which prevents a third party from masquerading as you. If you have more than one URL or Fully Qualified Domain Name (FQDN) that PaperCut NG/MF is available from, then you have two main options:
Obtain a “wildcard” certificate from your Certificate Authority. Contact your Certificate Authority for further details as to this service.
Use a “Subject Alternative Name” or “SAN” when creating the SSL certificate. This should require no special action from your Certificate Authority as this is done as part of the certificate generation process with keytool.exe.
An example is:
keytool.exe -keystore "[app-path]/server/custom/my-ssl-keystore" -alias jetty -genkeypair -keyalg RSA -ext san=dns:external.company.com
Then, when asked for your “first and last name”, enter the other FQDN:
What is your first and last name? [Unknown]: internal.company.lan
Confirm that the information is correct. You will see something similar to:
Is CN=internal.company.lan, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
Once you have received your certificate from your Certificate Authority, you can confirm that your “Subject” and “Subject Alternative Name” are valid. Make sure that you test the new certificate with multiple operating systems, browsers and hardware environments, including laptops, mobile devices and printers/copiers.
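An added example, not part of the original PaperCut documentation: a Python check over the text printed by keytool -printcert -file <certificate>, listing which of your hostnames no Subject Alternative Name entry covers. It ignores the CN because current browsers match hostnames against the SAN entries only; the sample output, the issuer name and the *.print.company.com entry are constructed for illustration.

```python
import re

# Constructed sample of `keytool -printcert -file server.crt` output
# (abbreviated; not taken from a real certificate).
SAMPLE_PRINTCERT = """\
Owner: CN=internal.company.lan, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Example Issuing CA, O=Example CA, C=US
Signature algorithm name: SHA256withRSA

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: external.company.com
  DNSName: *.print.company.com
]
"""

def parse_printcert(text):
    """Return (subject CN, list of SAN DNS names) from keytool -printcert text."""
    cn = re.search(r"^Owner:.*?\bCN=([^,\n]+)", text, re.M)
    san_block = re.search(r"SubjectAlternativeName \[(.*?)\]", text, re.S)
    names = re.findall(r"DNSName:\s*(\S+)", san_block.group(1)) if san_block else []
    return (cn.group(1).strip() if cn else None), [n.lower() for n in names]

def san_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]

def uncovered_hosts(text, hosts):
    """Hostnames from `hosts` that no SAN entry covers (the CN is deliberately ignored)."""
    _, sans = parse_printcert(text)
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    cn, sans = parse_printcert(SAMPLE_PRINTCERT)
    print("CN:", cn, "| SAN:", sans)
    wanted = ["external.company.com", "internal.company.lan", "a.print.company.com"]
    for host in uncovered_hosts(SAMPLE_PRINTCERT, wanted):
        print("NOT covered by SAN:", host)
```

In the constructed sample, internal.company.lan appears only in the CN, so the check reports it as not covered; a wildcard entry covers one label only, so a.b.print.company.com would also be reported.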
Can I use other algorithms, such as SHA2/SHA256?
Yes. Because we use keytool.exe, you can refer to the documentation linked above under Extended keytool.exe usage.
For example, generating the private SSL key:
keytool -genkey -alias server -keyalg rsa -sigalg sha256withrsa -keysize 2048 -keystore sha256
and generating the CSR:
keytool -certreq -alias server -keystore sha256 -file 256.csr -sigalg sha256withrsa