Purchase and install a new trusted certificate

If you don’t already have a certificate signed by a trusted authority and you would like to use one, you need to purchase the signed certificate and then install it on PaperCut NG/MF.

Summary of how to purchase and install a signed SSL certificate:

  1. Create the SSL keystore and create the private key.

  2. Submit the Certificate Signing Request (CSR).

  3. Install the certificate(s).

  4. Configure the PaperCut NG/MF keystore.

Step 1: Create the SSL keystore and create the private key

  1. Open a command prompt window and change to the directory [app-path]/runtime/jre/bin.

  2. Delete any existing files called ‘my-ssl-keystore’ in this directory, as they are likely leftovers from previous attempts.

  3. Enter the following command to produce the SSL key:

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -alias jetty -genkeypair -keyalg RSA
    

    You will be asked a series of questions.

  4. Answer the questions asked by the tool:

    • For keystore password, choose ‘password’ or another simple password, as it is not important. Enter the same password again later when asked for a key password.

    • For first and last name, enter the exact fully-qualified domain name of the PaperCut NG/MF Application Server. The server name must be the exact one that users will enter into their browsers to access PaperCut NG/MF’s web interface, for example, ‘printing.myschool.edu’.

    • Depending on the certification authority’s requirements, you might also need to fill in some of the other fields.

      Enter keystore password: password
      What is your first and last name?
      [Unknown]: printing.myschool.edu
      What is the name of your organizational unit?
      [Unknown]:
      What is the name of your organization?
      [Unknown]:
      What is the name of your City or Locality?
      [Unknown]:
      What is the name of your State or Province?
      [Unknown]:
      What is the two-letter country code for this unit?
      [Unknown]:
      Is CN=printing.myschool.edu, OU=Unknown, O=Unknown,
      L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
      Enter key password for <jetty>
      (RETURN if same as keystore password): password
      

Step 2: Submit the Certificate Signing Request (CSR)

  1. Prepare your new SSL key for certification by the certificate authority:

    keytool -certreq -alias jetty -keystore [app-path]\server\custom\my-ssl-keystore -file [app-path]\server\custom\jetty.csr
    
  2. Paste the contents of the resulting jetty.csr into the online order forms of commercial certificate authorities or pass them to your organization’s own certificate authority.

    When the certification process has completed, the authority provides you with a certificate file that you can download from the authority’s web site. The filename usually ends in .crt, .cer or .cert. The contents of the file should look something like this:

    -----BEGIN CERTIFICATE-----
    MIIDLTCCApagAwIBAgIQJc/MOTjAW0HrPI/4rGtDCDANBgkqhkiG9w0BAQUFADCB
    hzELMAkGA1UEBhMCWkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9O
     ... more here ...
    Awjhfz9EfxN2l1UYP15xZZyNO4DO3X/LliCG9pdFf4hUHl8tRnhQBvRR1F0v9UHB
    PC6L9jNjMbQUoQ9NG/S8Nn7ZcSHNy+P53ntIBaEfTv7+qvXNWvSb5wj4pd05wGF1
    Bw==
    -----END CERTIFICATE-----
    
  3. Save the file as jetty.crt.

Step 3: Install the certificate(s)

  1. Before you can make use of your newly obtained certificate, you might have to import the certificate authority’s “root certificate”. PaperCut comes with a number of root certificates pre-installed that you can list using the following command (from the directory [app-path]/runtime/jre/bin):

    keytool -keystore /ng-mf/lib/security/cacerts -storepass changeit -list
    

    Add the option “-v” at the end to obtain the same list with more details, such as expiration dates.

    If your certificate authority is not listed there, or you have been notified that they have recently started using new root certificates, first import the certificate authority’s root certificate into your keystore before importing your own newly obtained certificate.

    The CA’s root certificate is available for download on the CA’s web site as a file ending in .pem or .crt. Save the file using a filename indicative of the CA’s name, for example, globaltrust.pem. Import the root certificate using this command, specifying an alias that is indicative of the CA’s name (type this all in one line):

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustroot -file globaltrustroot.pem
    

    When asked whether to trust this certificate, answer yes:

    Trust this certificate? [no]: yes
    

    Some certificate authorities also provide additional “intermediate certificates” that must be imported the same way as the root certificate. You should use a different alias each time. For example:

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -importcert -alias globaltrustinter -file globaltrustinter.pem
    
  2. Import your own certificate previously saved as jetty.crt (type this all in one line):

    keytool -keystore [app-path]\server\custom\my-ssl-keystore -import -alias jetty -file jetty.crt -trustcacerts
    

    Your new keystore file my-ssl-keystore is now ready.

  3. Ensure the keystore file is in [app-path]/server/custom/.

Step 4: Configure the PaperCut NG/MF keystore

To configure the PaperCut Application Server to use the new key/certificate:

  1. Copy your signed keystore onto the server running the PaperCut NG/MF Application Server. The suggested location is [app-path]/server/custom/my-ssl-keystore.

  2. Open the file [app-path]/server/server.properties with a text editor (e.g. Notepad).

  3. Locate the section titled SSL Key/Certificate.

  4. Remove the # (hash) comment marker from all lines starting with:

    server.ssl.keystore=

    server.ssl.keystore-password=

    server.ssl.key-password=

  5. Define the following:

    server.properties value and description:

    • server.ssl.keystore: The location of your keystore. This must match the value specified by -k in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default.

    • server.ssl.keystore-password: The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default.

    • server.ssl.key-password: The keystore key password. This must match the value specified by -keystorekeypass in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave it as default.

  6. Save the file.

  7. Restart the PaperCut NG/MF Application Server.
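
A way to confirm that Steps 3 and 4 took effect, as an added example that is not part of PaperCut's documentation: the first function reads `keytool -list -v` output and checks that the jetty alias is still a private-key entry carrying a CA-issued chain, the second checks that the three SSL lines in server.properties are uncommented. The function names and the trimmed sample listing are constructed for illustration.

```shell
# Added example (not PaperCut code): post-install checks for the keystore procedure.

# Reads `keytool -list -v` output on stdin. Succeeds only if alias $1 is a
# PrivateKeyEntry with a chain longer than 1 (length 1 = still self-signed).
check_keystore_listing() {
  awk -v want="$1" '
    { sub(/\r$/, "") }                      # tolerate CRLF from a Windows console
    /^Alias name: /               { alias = substr($0, 13) }
    /^Entry type: /               { if (alias == want) type = substr($0, 13) }
    /^Certificate chain length: / { if (alias == want) len = $4 + 0 }
    END {
      if (type != "PrivateKeyEntry") { print "FAIL: " want " is not a PrivateKeyEntry"; exit 1 }
      if (len < 2) { print "FAIL: " want " chain length is " (len + 0); exit 1 }
      print "OK: " want " has a CA-issued chain of length " len
    }'
}

# Succeeds only if all three SSL settings in file $1 are present and uncommented.
check_server_properties() {
  rc=0
  for key in server.ssl.keystore server.ssl.keystore-password server.ssl.key-password; do
    if grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$1"; then
      echo "OK: $key is set"
    else
      echo "FAIL: $key is missing or still commented out"; rc=1
    fi
  done
  return "$rc"
}

# Constructed, trimmed sample of `keytool -list -v` output after a successful Step 3.
sample_listing() {
  cat <<'EOF'
Alias name: globaltrustroot
Entry type: trustedCertEntry

Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 2
EOF
}

sample_listing | check_keystore_listing jetty
# Real use (paths as on this page):
#   keytool -list -v -keystore [app-path]/server/custom/my-ssl-keystore | check_keystore_listing jetty
#   check_server_properties [app-path]/server/server.properties
```

If the signed certificate was imported under an alias other than jetty, keytool stores it as a separate trustedCertEntry and the jetty key keeps its self-signed certificate, which the first check reports as a chain length of 1.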
