About Mobility Print and Certificates
By default, the Mobility Print server will use a self-signed certificate. While the self-signed certificate secures communication, using one means that users browsing to the Mobility Print Help Center on your server using HTTPS will see an untrusted certificate error (see Appendix, note 1).
If this worries you, however, there are two different solutions.
- Consider instead sharing with your users the link to our Mobility Print Help Center, which shows users how they can use Mobility Print on their devices. Our public page uses a trusted certificate that's securely reachable over port 443.
- It is also possible to install a custom certificate on your Mobility Print server, which allows admins and users to access the web interface of the server with HTTPS without facing a certificate error. Below we describe two different ways to create the certificate files and install them on the Mobility Print server using either Keystore Explorer or OpenSSL.
What is PEM Format?
PEM or Privacy Enhanced Mail is a Base64 encoded DER certificate. PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor. Generally when a PEM encoded file is opened in a text editor, it contains very distinct headers and footers. Below are some examples of different files in PEM format.
-----BEGIN CERTIFICATE REQUEST-----
MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
98TwDIK/39WEB/V607As+KoYazQG8drorw==
-----END CERTIFICATE REQUEST-----
Above is an example of a CSR (certificate signing request) in PEM format. You can see that a PEM file contains a header, the body (which consists mainly of code) and a footer. The header and footer are what identify the type of file; however, be aware that not all PEM files necessarily need them.
- -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- show a CSR in PEM format
- -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- show a private key in PEM format
- -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- show a certificate file in PEM format
Common Situations
- I already have my certificate.crt, priv.pem, & additional .crt's
- I have an encrypted .p12/.pfx file already
- I want to use a certificate from my Server's Certificate Store
- I want to use the certificate that my PaperCut App server is using
I already have my certificate.crt, priv.pem, & additional .crt's
If you have more than one certificate, we’ll need to combine them into one certificate file. The private key can sit this one out!
- Create a new text file with the name and extension as tls.crt
  Example: certificate_chain.crt
- In your new tls.crt file, stack all 3 certificates, one after the other, and save the file
- The order of the certificates starts from the domain and goes up towards the root
  - Domain certificate
  - Intermediate certificate 1 above domain
  - Intermediate certificate 2 above that (rinse, wash, repeat)
  - Root certificate
- You must include all certificates up to and including root.
Example of merging certificates:
-----BEGIN CERTIFICATE-----
MIIGvTCCBaWgAwIBAgIQBsyeRo2C7ECRbEpmpu+mazANBgkqhkiG9w0BAQUFADBI
. . .
MDEyMDAwMFowgYcxCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNYXJ5bGFuZDESMBAG
v+PMGxmcJcqnBrJT3yOyzxIZow==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEjzCCA3egAwIBAgIQBp4dt3/PHfupevXlyaJANzANBgkqhkiG9w0BAQUFADBh
. . .
slXkLGtB8L5cRspKKaBIXiDSRf8F3jSvcEuBOeLKB1d8tjHcISnivpcOd5AUUUDh
v+PMGxmcJcqnBrJT3yOyzxIZow==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
. . .
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
- Once you have your new tls.crt, copy it and your tls.pem
I have an encrypted .p12/.pfx file already
The certificate and private key used by the PaperCut Mobility Print server for SSL connections are encoded in PEM format (.crt, .cer, .pem) and not a certificate archive (.p12/.pfx).
- Export the existing certificate archive and private key (security-risk; see Appendix, note 2) to PEM-encoded format via OpenSSL
[Export the private key from the encrypted certificate]
openssl pkcs12 -in mycert.pfx -nocerts -out priv.pem
[Remove the Passphrase]
openssl rsa -in priv.pem -out priv-unlocked.pem
[Export the certificate from the encrypted certificate bundle]
openssl pkcs12 -in mycert.pfx -nokeys -out certificate.cer
I want to use a certificate from my Server’s Certificate Store
The process depends on the type of OS you have; we'll cover our two most common server OSes (see Appendix, note 3).
Windows Certificate Store
- Export the certificate and key as a .pfx archive
  - Skip this step if you already have a .pfx file
  - Check out our knowledge base article Export the existing trusted certificate and key on how to do this
- Export the PEM-encoded key and certificate as described in I have an encrypted .p12/.pfx file already
macOS
- Open Keychain Access on your macOS system
- Find your desired certificate under System
- Right-click your certificate > Select Export
  - If you opt to utilize an export password, note this information down securely
- Export the PEM-encoded key and certificate as described in I have an encrypted .p12/.pfx file already
Utilize the certificate the PaperCut App server is using
You may already be familiar with Keystore Explorer if you followed our guide Installing an SSL Certificate the Easy Way. You might be able to reuse that certificate if:
- Mobility Print is installed on the same server where PaperCut is running.
- You have a wildcard certificate, which should be valid for any server with the same domain name.
If either applies, follow these steps:
- Open the Keystore used by the PaperCut App server with Keystore Explorer.
- Select Open an existing KeyStore, navigate to your custom keystore within the App Server
  Example KeyStore path: [app-data]/PaperCut <Product>/server/custom/myfavoritekeystore
- Right-click on the entry for the certificate
  - Select Export -> Export Certificate Chain.
  - Set the Export Length option to Head Only
  - Change the filename to tls.cer
  - Select Export
- Right-click on the entry for the certificate
  - Select Export -> Export Private Key.
  - Select OpenSSL as the Private Key Type.
  - Uncheck Encrypt and rename the file to tls.pem
  - Select Export
Configure the PaperCut Mobility Print Server certificate
- Stop the PaperCut Mobility Print service (pc-mobility-print)
- Navigate to your PaperCut Mobility Print data folder and locate your default certificate and private key
  [app-data]/PaperCut Mobility Print/data/
  - tls.cer
  - tls.pem
- Back up the existing tls.pem and tls.cer files by appending .bak to the filename.
- Copy your new tls.pem and tls.cer files to the data folder
- Make sure your files are named as follows, otherwise Mobility Print will fail to start!
  - tls.cer
  - tls.pem
- Restart the Mobility Print Server's Operating System or restart the service.
- Navigate to the web interface of the Mobility Print server using https://<yourmobilityservername>:9164/ to test the new certificate.
- Lastly, we recommend setting the AccessibleIP address configuration key. You'll want to set this to the Common Name (CN) or Subject Alternative Name (SAN) on your certificate.
  - Why? Mobility Print uses this value in a few different areas to advertise its address. Utilizing this setting will prevent some situations where users get a certificate error in the browser because they accessed the server by IP address and not hostname
Supported certificate and private key formats
As of Mobility Print Server version v1.0.3103, Mobility Print supports certificates with a variety of key formats (see Appendix, note 4).
- The certificate and private key need to be encoded in PEM format
- The keys cannot be password encrypted
- PKCS#8 private keys
  - based on RSA or EC
  - typically contain the -----BEGIN PRIVATE KEY----- header
- PKCS#1 private keys
  - RSA keys
  - typically contain the -----BEGIN RSA PRIVATE KEY----- header
- Private keys based on Elliptic Curve Cryptography (EC)
  - typically contain the -----BEGIN EC PRIVATE KEY----- header
- PEM key data can contain PEM parameter blocks
  - i.e. -----BEGIN EC PARAMETERS-----
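A pre-flight check for the chain file and the key file before they are copied into the data folder, using the PEM headers described under "What is PEM Format?" and the key rules listed above. This is an added example, not PaperCut's code; the function names, the one-key-per-file rule and the sample input are assumptions made for the illustration.

```python
import base64
import re

# Key labels the page lists as supported (Mobility Print v1.0.3103 and later).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(name, text, problems):
    """Return [(label, headers)] per PEM block; append structural problems."""
    found = []
    for label, body in BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry "Proc-Type: 4,ENCRYPTED" before the Base64.
        headers = [ln for ln in lines if ":" in ln]
        try:
            base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        except ValueError:
            problems.append(f"{name}: {label} body is not valid Base64")
        found.append((label, headers))
    if text.count("-----BEGIN ") != len(found):
        problems.append(f"{name}: a BEGIN line has no matching END line")
    return found

def check_cert_file(text, name="tls.cer"):
    """Problems found in the certificate chain file (empty list = passed)."""
    problems = []
    labels = [label for label, _ in pem_blocks(name, text, problems)]
    if "CERTIFICATE" not in labels:
        problems.append(f"{name}: no CERTIFICATE block found")
    return problems + [f"{name}: unexpected {x} block" for x in labels if x != "CERTIFICATE"]

def check_key_file(text, name="tls.pem"):
    """Problems found in the private key file (empty list = passed)."""
    problems, keys = [], 0
    for label, headers in pem_blocks(name, text, problems):
        if label.endswith("PRIVATE KEY"):
            keys += 1
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                problems.append(f"{name}: key is password encrypted")
            elif label not in KEY_LABELS:
                problems.append(f"{name}: unsupported key type {label}")
        elif label != "EC PARAMETERS":
            problems.append(f"{name}: unexpected {label} block")
    if keys != 1:  # assumption: the key file holds exactly one private key
        problems.append(f"{name}: expected exactly one private key, found {keys}")
    return problems

if __name__ == "__main__":
    # Constructed sample: legacy password-encrypted PKCS#1 key, not real key material.
    sample = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"
    print(check_key_file(sample))
```

The check looks only at PEM structure and labels; it does not parse the certificates, so chain order (domain first, root last) still has to be confirmed separately.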
Still have questions?
Let us know! We’d be happy to chat about how Mobility Print works.
Feel free to leave a comment or question by visiting our Support Portal!
Also, check out the Mobility Print Help Center ❤️
Appendix
1 It’s important to point out that, generally, this isn’t a problem. Users aren’t exchanging their credentials with the Mobility Print server through the web interface, and admins can simply click through the certificate error to get to the login page of the server and the traffic will still be encrypted.
2 Please note, performing step #1 will output your files into a readable format; keep these files safe like real keys!
3 To expose the certificate(s) within the archive, you’ll need the original archive’s (.p12/.pfx) password.
4 Prior to v1.0.3103 the private key format was limited and we have heard of customers following these instructions only to discover that when they try to print from Chromebooks, users will see an error in the browser: “Printing failed. Please check your printer and try again.” If that is happening, then these log messages should be present in the Mobility Print Server logs:
2020/07/16 09:39:40 mobility-print.exe: STDOUT|ERROR: Requested to decrypt but private key is not present {"src":"cert.go:161"}
2020/07/16 09:39:40 mobility-print.exe: STDOUT|ERROR: Error decrypting document name, err=private key not found {"src":"chrome_encryption.go:99"}
2020/07/16 09:39:40 mobility-print.exe: STDOUT|ERROR: Failed to decrypt document: {"client":"chrome","err":{}} {"src":"printing.go:133"}
This has been observed when the private key is not correctly formatted for Mobility Print. A temporary solution is to revert back to using the default self-signed certificate bundled with Mobility Print.