Configure Mobility Print to use a trusted TLS/SSL Certificate

This article walks you through taking an existing SSL/TLS certificate and converting it to a common format (tls.cer and tls.pem) so that it can be used by the Mobility Print server to secure connections and print traffic.

Why use a trusted SSL certificate?

While the Mobility Print server has a self-signed certificate already installed, customers can take security a step further by installing a signed and trusted certificate from a recognized Certificate Authority (CA). Installing a trusted certificate does more than make browser warnings go away: it allows clients to verify the identity of the Mobility Print server through a digital signature from a trusted third party, assuring users that they are interacting with a legitimate source and mitigating the risk of man-in-the-middle attacks. This benefits admins accessing the Mobility Print server web interface through the browser, as well as users connecting to a Mobility Print server to authenticate and submit print jobs.

Supported key formats

Mobility Print server version 1.0.3103 and later supports certificates and a variety of key formats. These need to be encoded in PEM format and the keys must not be password-encrypted.

  • PKCS#8 private keys: Typically contain a “BEGIN PRIVATE KEY” header (based on RSA or EC).
  • PKCS#1 private keys: Typically contain a “BEGIN RSA PRIVATE KEY” header (RSA keys).
  • Elliptic Curve (EC) private keys: Typically contain a “BEGIN EC PRIVATE KEY” header.
  • PEM key data: Can include PEM parameter blocks (e.g., “BEGIN EC PARAMETERS”).
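
A pre-flight check for a candidate tls.pem against the list above, added here as an example (it is not PaperCut code). Treating any block outside the list as a failure, and expecting exactly one key per file, are conservative assumptions rather than documented server behavior.

```python
import re

# PEM labels the page lists as supported for tls.pem (Mobility Print 1.0.3103+).
SUPPORTED = {"PRIVATE KEY": "PKCS#8", "RSA PRIVATE KEY": "PKCS#1",
             "EC PRIVATE KEY": "EC"}
PARAMETER_LABELS = {"EC PARAMETERS"}  # parameter blocks may accompany a key
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: shape of `openssl pkcs12 -nocerts` output before the
# passphrase is removed. The base64 body is a placeholder, not a real key.
SAMPLE_PRIV_PEM = """Bag Attributes
    localKeyID: 01 00 00 00
-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVI=
-----END ENCRYPTED PRIVATE KEY-----
"""


def check_key_pem(text):
    """Return (ok, findings) for the text of a candidate tls.pem."""
    findings, usable = [], 0
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":
            findings.append("PKCS#8 key is password-encrypted")
        elif label in SUPPORTED:
            # Legacy OpenSSL encryption keeps the label and adds these headers.
            if "Proc-Type: 4,ENCRYPTED" in body:
                findings.append(SUPPORTED[label] + " key is password-encrypted")
            else:
                usable += 1
        elif label not in PARAMETER_LABELS:
            # Assumption: anything not on the page's list is treated as a failure.
            findings.append("block not on the supported list: " + label)
    if usable != 1:
        # Assumption: tls.pem should hold exactly one key.
        findings.append("expected exactly 1 unencrypted private key, found %d" % usable)
    return (not findings, findings)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PRIV_PEM
    ok, findings = check_key_pem(text)
    print("OK" if ok else "\n".join(findings))
```

Because tls.pem must hold an unencrypted key, keep it and any intermediate export readable only by administrators and the account that runs the service.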

Step 1: Prepare your certificate

The Mobility Print server requires the certificate and key to be stored in two files, tls.cer and tls.pem.

This step assumes you already have a certificate generated for the server running Mobility Print and discusses a few different options to convert the certificate and key to the necessary format.

Option A: Re-use the Same Certificate as PaperCut NG/MF [Recommended]

Existing PaperCut NG & MF customers that have already generated a certificate for their server following our guide Installing an SSL Certificate may be able to reuse that certificate so long as:

  • the Mobility Print service runs on the same server as PaperCut NG/MF so it has the same hostname or common name
  • you have a wildcard certificate, which should be valid for any server with the same domain name.

Steps:

  1. Open the Keystore used by the PaperCut App server with Keystore Explorer.
  2. Select Open an existing KeyStore.
  3. On the PaperCut NG/MF application, navigate to your custom keystore. (On a 64-bit Windows PaperCut MF server, this path is C:\Program Files\PaperCut MF\server\custom).
  4. Right-click on the entry for the certificate:
    • Select Export > Export Certificate Chain.
    • Set the Export Length option to Head Only.
    • Change the filename to tls.cer.
    • Select Export.
  5. Right-click on the entry for the certificate:
    • Select Export > Export Private Key.
    • Select OpenSSL as the Private Key Type.
    • Uncheck Encrypt and rename the file to tls.pem.
  6. Select Export.

With tls.pem and tls.cer files in hand, jump ahead to Configure the Mobility Print Server.

Option B: Re-use a certificate from my server’s certificate store

If the server running Mobility Print already has an existing trusted certificate you can export the certificate and private key from the server’s Certificate Store on Windows, or Keystore on macOS. Then use a tool like OpenSSL to convert the exported files to PEM format.

Windows Certificate Store

  1. On the server, open the certmgr.msc tool.
  2. Right-click on your certificate, choose All tasks, then Export.
  3. Follow the prompts to export your certificate in the PKCS#12 format.
  4. Convert the certificate to the required format by following the steps in Option C: Convert from a .p12/.pfx File.

macOS certificate store

  1. Open Keychain Access on your macOS system.
  2. Under System, click the My Certificates tab.
  3. Right-click on the desired certificate and select Export.
  4. Choose Personal Information Exchange (.P12).
  5. Convert the certificate to the required format by following the steps in Option C: Convert from a .p12/.pfx File.

With tls.pem and tls.cer files in hand, jump ahead to Configure the Mobility Print Server.

Option C: Convert from a .p12/.pfx file

If you already have a certificate with a .p12 or .pfx file extension, and you’re comfortable with the command line and third-party tools like OpenSSL, you can use the following commands to convert your certificate to the required format.

  1. Extract the certificate and private key using OpenSSL:
    openssl pkcs12 -in certificate.pfx -nocerts -out priv.pem
  2. Remove the passphrase from the private key:
    openssl rsa -in priv.pem -out tls.pem
  3. Extract the certificate from the .pfx file:
    openssl pkcs12 -in certificate.pfx -nokeys -out tls.cer

With tls.pem and tls.cer files in hand, jump ahead to Configure the Mobility Print Server.

Step 2: Configure the Mobility Print server

  1. On the server running Mobility Print, navigate to C:\<Mobility Print install path>\data\.
  2. Back up the current tls.pem and tls.cer files by moving them to another folder or renaming them.
  3. Copy and paste your new tls.pem and tls.cer files into this directory.
  4. Restart the Mobility Print service or simply restart the server for the change to take effect.
  5. Test your certificate:
    • Open a web browser and navigate to the URL https://<YourMobilityServerName>:9164, where <YourMobilityServerName> matches the Common Name specified in your certificate.
    • If there are no errors when accessing the page, the certificate is valid.
  6. (Recommended) Follow the instructions to Configure the Accessible IP address of the Mobility Print server. Set this value to the Common Name (CN) or Subject Alternative Name (SAN) on your certificate. The Mobility Print server uses this parameter to advertise its address to other PaperCut components like the PaperCut NG/MF server, so setting this to match the certificate will prevent certificate errors in specific scenarios.
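
The browser test covers only the one name you typed. The sketch below is an added example, not PaperCut code: it performs the same validated handshake on port 9164 and then reports which of the other addresses clients or PaperCut components might use (short name, IP, .local name) are covered by the certificate. The sample certificate and the wildcard entry are constructed; the matching rule is the usual one where `*` stands for exactly one left-most label.

```python
import socket
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert();
# the first hostname is the one used in the page's installer-name example.
SAMPLE_CERT = {
    "subject": ((("commonName", "mobilityprintsrv01.domain.org"),),),
    "subjectAltName": (("DNS", "mobilityprintsrv01.domain.org"),
                       ("DNS", "*.print.domain.org")),
}


def fetch_cert(host, port=9164, timeout=5):
    """Handshake with chain and hostname validation enabled; raises
    ssl.SSLCertVerificationError if a client would not trust the server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Names from subjectAltName; fall back to the CN only if no SAN exists."""
    sans = [v for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(address, pattern):
    """Case-insensitive match; '*' is honoured only as the whole first label."""
    a, p = address.lower().rstrip("."), pattern.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = a.partition(".")
        return bool(head) and rest == p[2:]
    return a == p


def audit_addresses(cert, addresses):
    """Map each address a client might use to whether the certificate covers it."""
    names = cert_names(cert)
    return {addr: any(name_matches(addr, n) for n in names)
            for addr in addresses}
```

Call `audit_addresses(fetch_cert("<YourMobilityServerName>"), [...])` with the addresses you plan to publish; any entry that maps to `False` would produce a certificate error on a client that validates strictly.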

Step 3: Enhance print security

Following the above steps to install a signed certificate on your Mobility Print server enhances security by mitigating man-in-the-middle attacks. Additionally, clients will now use the new trusted certificate to set up secure connections to the Mobility Print server to submit print jobs.

While most Mobility Print clients automatically submit print jobs securely using HTTPS, the exact behavior depends on the client operating system and the discovery method used by the client to discover the Mobility Print server. Environments with Windows clients in particular should take note.

iOS, macOS, Android, and Chrome clients

The print connection is automatically encrypted whether or not a trusted certificate is installed.

Windows clients

  • Cloud Print - The print connection is automatically encrypted whether or not a trusted certificate is installed.
  • Known Host - When a certificate is installed and the discovery method is set to Known Host, Windows clients that add a new printer will establish a secure connection using the signed certificate to submit print jobs securely. Make sure that the address configured for Known Host printer discovery matches the Subject Alternative Name (SAN) or Common Name on the certificate. With this change, the client name will now include the https-strict parameter, instructing the client to set up a secure print connection. For example: pc-mobility-print-printer-setup-1.0.329[https-strict_mobilityprintsrv01.domain.org.exe.

    Although not recommended, this new behavior can be toggled off for testing purposes with the following steps:
    1. On the Mobility Print server, open a text editor such as Notepad with local admin rights.
    2. Navigate to [application-directory]\PaperCut Mobility Print\ and open the file mobility-print.conf.toml. (For example, on a 64-bit Windows machine, this path is C:\Program Files (x86)\PaperCut Mobility Print\mobility-print.conf.toml).
    3. Find the line “PreferHTTPSInKnownHostMode = true” and change this to “PreferHTTPSInKnownHostMode = false”
    4. Save the file.
    5. Restart the Mobility Print service or restart the server for the change to take effect.
  • DNS - After installing the certificate, admins need to take one more step to ensure that Windows clients use the signed certificate to set up a secure connection. This isn’t enabled by default because during printer discovery over DNS, clients might be connecting to the Mobility Print server with a different network address than the one configured on the certificate, which could cause a certificate validation error. Because of challenges with troubleshooting, we recommend secure environments use the Known Host or Cloud Print discovery options.

    To enable HTTPS and certificate checking with Windows printing using the DNS discovery method, follow the steps below:
    1. On the Mobility Print server, open a text editor such as Notepad with local admin rights.
    2. Navigate to [application-directory]\PaperCut Mobility Print\ and open the file mobility-print.conf.toml. (For example, on a 64-bit Windows machine, this path is C:\Program Files (x86)\PaperCut Mobility Print\mobility-print.conf.toml).
    3. Find the line “PreferHTTPSInDNSMode = false” and change this to “PreferHTTPSInDNSMode = true”
    4. Save the file.
    5. Restart the Mobility Print service or restart the server for the change to take effect.
    6. Download and run the Windows Mobility Print Client to attempt to connect to the server and install printers. Should you encounter problems, we recommend trying the Known Host or Cloud Print methods to share printers.
  • mDNS - Windows clients will not set up a secure print connection when using this discovery option. The technical reason is that the mDNS protocol uses .local addresses and it’s not possible to obtain a signed certificate for that domain. While it’s possible to generate a private certificate to install on the server and all the clients, this isn’t practical in a BYOD environment. If print security from Windows clients is paramount, consider another option like Mobility Cloud Print.
