Enable SSL certificate checking
Overview
When the Print Deploy client connects to the Print Deploy server with an untrusted certificate, the default behavior is for the client to proceed with the communication.
You can change this behavior by enabling strict SSL checking. If the server has an untrusted certificate, the client will stop communication with the server.
This is particularly useful in environments where users don't have privileges to install certificates on their own computers and require an admin to push out a trusted certificate instead.
Enabling strict SSL checking
Minimum requirements
- Print Deploy v1.2.1077 (released on Feb 27 2020)
- PaperCut NG/MF 19.1
We recommend making this configuration change before deploying the clients. If you have already deployed them, you can still make the change, but Step 3 is no longer relevant unless you redeploy the clients.
Step 1: Set up a trusted certificate for Print Deploy.
If you haven't done so, follow the instructions in Enhance Print Deploy security with a CA-signed certificate to set up a proper certificate for your Print Deploy server.
Step 2: Enable the StrictSSLCheckingEnabled configuration key
To enable strict SSL checking, add or update the line StrictSSLCheckingEnabled = true in the server's client.conf.toml file, located in: [application-server-path]\providers\print-deploy\{os}\data\config.
We recommend applying this configuration before deploying the clients. However, if you have already deployed them, you can still change the configuration on the server at any time. The clients will skip SSL certificate checks until they receive a configuration from the server where StrictSSLCheckingEnabled is true.
Any changes to this configuration require a restart of the PaperCut Print Deploy service. For details, see the instructions on how to restart the Print Deploy server.
For more information on client configuration, see Configure the client.
Step 3 (Optional but recommended): Deploy the clients with the installer flag STRICT_SSL set to true.
This will ensure that the first connection the client makes to the server is protected by a certificate verification check.
If deploying an MSI, run the installer as follows:
msiexec /i pc-printer-deployment-client-installer.msi server_host={insert your print deploy server host here} strict_ssl=true
If deploying the client DMG with an MDM tool, include a .plist file with the property STRICT_SSL set to true.
If you don't specify this flag during installation, the clients will skip SSL certificate checks until they receive a configuration from the server where StrictSSLCheckingEnabled is true. The flag is set to false by default during installation.
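One way to script the Step 2 "add or update the line" edit so it is repeatable and auditable, as an added example (not PaperCut's code). It assumes StrictSSLCheckingEnabled is a top-level key in client.conf.toml; the sample contents and the other names in it are constructed.

```python
import re

KEY = "StrictSSLCheckingEnabled"
# Active (uncommented) assignment of the key; tolerates CRLF and trailing comments.
_ASSIGN = re.compile(
    r"^[ \t]*" + KEY + r"[ \t]*=[ \t]*(\S+?)[ \t]*(?:#[^\r\n]*)?(?=\r?$)", re.M)
# First TOML table header ([section] or [[array]]); keys after it are not top-level.
_TABLE = re.compile(r"^[ \t]*\[", re.M)


def _split_top(text):
    """Split the text into (top-level part, everything from the first table on)."""
    m = _TABLE.search(text)
    cut = m.start() if m else len(text)
    return text[:cut], text[cut:]


def strict_ssl_state(text):
    """True/False if the top-level key is set, None if it is absent or commented out."""
    m = _ASSIGN.search(_split_top(text)[0])
    return None if m is None else m.group(1) == "true"


def enable_strict_ssl(text):
    """Return the config text with the key set to true exactly once, at top level."""
    top, rest = _split_top(text)
    line = KEY + " = true"
    if _ASSIGN.search(top):
        return _ASSIGN.sub(line, top, count=1) + rest
    nl = "\r\n" if "\r\n" in text else "\n"
    if top and not top.endswith("\n"):
        top += nl
    # Insert before the first table header so the key is not absorbed into a table.
    return top + line + nl + rest


# Constructed sample; ExampleOption and [example-section] are hypothetical names.
SAMPLE = (
    "ExampleOption = 5\r\n"
    "StrictSSLCheckingEnabled = false  # default\r\n"
    "\r\n"
    "[example-section]\r\n"
    "Other = \"x\"\r\n"
)

if __name__ == "__main__":
    print("before:", strict_ssl_state(SAMPLE))
    updated = enable_strict_ssl(SAMPLE)
    print("after: ", strict_ssl_state(updated))
    print(updated)
```

After writing the result back to client.conf.toml, restart the Print Deploy service as described in Step 2 for the change to take effect.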