If you don’t already have a certificate signed by a trusted authority and you would like to use one, you need to purchase the signed certificate and then install it on PaperCut NG/MF.
Summary of how to purchase and install a signed SSL certificate:
Step 1: Create the SSL keystore and create the private key
- Open a command prompt window and change to the directory [app-path]/runtime/jre/bin.
- Delete any existing files called ‘my-ssl-keystore’ in this directory, as they are likely leftovers from previous attempts.
- Enter the following command to produce the SSL key:
    keytool -keystore [app-path]\server\custom\my-ssl-keystore -alias jetty -genkeypair -keyalg RSA
  You will be asked a series of questions.
- Answer the questions asked by the tool:
  - For keystore password, choose ‘password’ or another simple password, as it is not important. Enter the same password again later when asked for a key password.
  - For first and last name, enter the exact fully-qualified domain name of the PaperCut NG/MF Application Server. The server name must be the exact one that users will enter into their browsers to access PaperCut NG/MF’s web interface, for example, ‘printing.myschool.edu’.
  - Depending on the certification authority’s requirements, you might also need to fill in some of the other fields.
    Enter keystore password: password
    What is your first and last name? [Unknown]: printing.myschool.edu
    What is the name of your organizational unit? [Unknown]:
    What is the name of your organization? [Unknown]:
    What is the name of your City or Locality? [Unknown]:
    What is the name of your State or Province? [Unknown]:
    What is the two-letter country code for this unit? [Unknown]:
    Is CN=printing.myschool.edu, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct? [no]: yes
    Enter key password for <jetty> (RETURN if same as keystore password): password
Step 2: Submit the Certificate Signing Request (CSR)
- Prepare your new SSL key for certification by the certificate authority:
    keytool -certreq -alias jetty -keystore [app-path]\server\custom\my-ssl-keystore -file [app-path]\server\custom\jetty.csr
- Paste the contents of the resulting jetty.csr into the online order forms of commercial certificate authorities or pass them to your organization’s own certificate authority.
  When the certification process has completed, the authority provides you with a certificate file that you can download from the authority’s web site. The filename usually ends in .crt, .cer or .cert. The contents of the file should look something like this:
    -----BEGIN CERTIFICATE-----
    MIIDLTCCApagAwIBAgIQJc/MOTjAW0HrPI/4rGtDCDANBgkqhkiG9w0BAQUFADCB
    hzELMAkGA1UEBhMCWkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9O
    ... more here ...
    Awjhfz9EfxN2l1UYP15xZZyNO4DO3X/LliCG9pdFf4hUHl8tRnhQBvRR1F0v9UHB
    PC6L9jNjMbQUoQ9NG/S8Nn7ZcSHNy+P53ntIBaEfTv7+qvXNWvSb5wj4pd05wGF1
    Bw==
    -----END CERTIFICATE-----
- Save the file as jetty.crt.
Step 3: Install the certificate(s)
- Before you can make use of your newly obtained certificate, you might have to import the certificate authority’s “root certificate”. PaperCut comes with a number of root certificates pre-installed that you can list using the following command (from the directory [app-path]/runtime/jre/bin):
    keytool -keystore /ng-mf/lib/security/cacerts -storepass changeit -list
  Add the option “-v” at the end to obtain the same list with more details, such as expiration dates.
  If your certificate authority is not listed there, or you have been notified that they have recently started using new root certificates, import the certificate authority’s root certificate into your keystore before importing your own newly obtained certificate.
  The CA’s root certificate is available for download on the CA’s web site as a file ending in .pem or .crt. Save the file using a filename indicative of the CA’s name, for example, globaltrust.pem. Import the root certificate using this command, specifying an alias that is indicative of the CA’s name (type this all in one line):
    keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustroot -file globaltrustroot.pem
  When asked whether to trust this certificate, answer yes:
    Trust this certificate? [no]: yes
  Some certificate authorities also provide additional “intermediate certificates” that must be imported the same way as the root certificate. You should use a different alias each time. For example:
    keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustinter -file globaltrustinter.pem
- Import your own certificate previously saved as jetty.crt (type this all in one line):
    keytool -keystore [app-path]\server\custom\my-ssl-keystore -import -alias jetty -file jetty.crt -trustcacerts
  Your new keystore file my-ssl-keystore is now ready.
- Ensure the keystore file is in [app-path]/server/custom/.
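
A check to run once Step 3 is complete, as an added example that is not part of PaperCut's documentation or tooling: it reads the output of keytool -list -v for the jetty alias and confirms that the entry still holds the private key, that its CN is the server name entered in Step 1, and that the CA's reply has replaced the self-signed certificate. The function name, the sample output and the CA name "Example Test CA" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PaperCut code. Feed it the output of:
#   keytool -list -v -keystore [app-path]/server/custom/my-ssl-keystore -alias jetty
check_jetty_entry() {   # $1 = server name users type into the browser
    awk -v want="$1" '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { chain = $4 }
        # The first Owner/Issuer pair belongs to the server certificate.
        /^Owner: /  && !seen_o { seen_o = 1; owner  = substr($0, 8) }
        /^Issuer: / && !seen_i { seen_i = 1; issuer = substr($0, 9) }
        END {
            if (match(owner, /CN=[^,]*/)) cn = substr(owner, RSTART + 3, RLENGTH - 3)
            if (type != "PrivateKeyEntry") {
                print "FAIL: alias holds no private key (entry type: " type ")"; exit 2 }
            if (tolower(cn) != tolower(want)) {
                print "FAIL: certificate CN is " cn ", expected " want; exit 3 }
            if (owner == issuer) {
                print "FAIL: still self-signed, CA reply not imported"; exit 4 }
            print "OK: " cn ", chain length " chain ", issued by " issuer
        }'
}

# Constructed sample: shape of the output after the CA reply was imported.
sample_signed() { cat <<'EOF'
Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=printing.myschool.edu, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=Example Test CA, O=Example
Certificate[2]:
Owner: CN=Example Test CA, O=Example
Issuer: CN=Example Test CA, O=Example
EOF
}

# Constructed sample: the key pair from Step 1 before any import.
sample_selfsigned() { cat <<'EOF'
Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=printing.myschool.edu, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=printing.myschool.edu, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
EOF
}

sample_signed     | check_jetty_entry printing.myschool.edu || echo "exit status $?"
sample_selfsigned | check_jetty_entry printing.myschool.edu || echo "exit status $?"
```

An entry type of trustedCertEntry under the jetty alias means the certificate was imported into a keystore that does not contain the private key generated in Step 1.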
Step 4: Configure the PaperCut NG/MF keystore
To configure the PaperCut Application Server to use the new key/certificate:
- Copy your signed keystore onto the server running the PaperCut NG/MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore.
- Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).
- Locate the section titled SSL Key/Certificate.
- Remove the # (hash) comment marker from all lines starting with:
    server.ssl.keystore=
    server.ssl.keystore-password=
    server.ssl.key-password=
- Define the following:
  | server.properties value | Description |
  | --- | --- |
  | server.ssl.keystore | The location of your keystore. This must match the value specified by -k in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default. |
  | server.ssl.keystore-password | The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default. |
  | server.ssl.key-password | The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default. |
- Save the file.
- Restart the PaperCut NG/MF Application Server.
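
A pre-restart check for Step 4, as an added example that is not part of PaperCut's documentation or tooling: it reports for each of the three SSL keys whether the line is active, still commented out, empty or missing, without printing any password value. The function name and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not PaperCut code: report whether the three SSL keys from
# Step 4 are active in server.properties. Password values are never printed.
check_ssl_props() {   # $1 = path to server.properties
    awk '
        BEGIN { n = split("server.ssl.keystore server.ssl.keystore-password server.ssl.key-password", keys, " ") }
        {
            line = $0
            sub(/\r$/, "", line)                     # tolerate Windows line endings
            sub(/^[ \t]+/, "", line)
            commented = sub(/^#+[ \t]*/, "", line)   # 1 if the line was a comment
            eq = index(line, "=")
            if (!eq) next
            key = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", key)
            val = substr(line, eq + 1)
            for (i = 1; i <= n; i++) if (key == keys[i]) {
                if (!commented)           state[key] = (val == "" ? "empty" : "active")
                else if (!(key in state)) state[key] = "commented"
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                s = (keys[i] in state) ? state[keys[i]] : "missing"
                print keys[i] ": " s
                if (s != "active") bad = 1
            }
            exit bad + 0
        }' "$1"
}

# Constructed sample: one key active, one still commented, one absent.
sample_props() { cat <<'EOF'
### SSL Key/Certificate ###
server.ssl.keystore=custom/my-ssl-keystore
#server.ssl.keystore-password=password
EOF
}

tmp=$(mktemp) && sample_props > "$tmp"
check_ssl_props "$tmp" || echo "server.properties is not ready for a restart"
rm -f "$tmp"
```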