Enable SSL certificate checking

When the Print Deploy client connects to the Print Deploy server with an untrusted certificate, the default behavior is for the client to proceed with the communication.

You can change this behavior by enabling strict SSL checking. With strict checking enabled, the client stops communicating with the server if the server presents an untrusted certificate.

This is particularly useful in environments where users don’t have privileges to install certificates on their own computers and require an admin to push out a trusted certificate instead.

Enabling strict SSL checking

Minimum requirements

  • Print Deploy v1.2.1077 (released on Feb 27 2020)
  • PaperCut NG/MF 19.1

Step 1: Set up a trusted certificate for Print Deploy.

If you haven’t done so, follow the instructions in Enhance Print Deploy security with a CA-signed certificate to set up a proper certificate for your Print Deploy server.

Step 2: Enable the StrictSSLCheckingEnabled configuration key

To enable strict SSL checking, add or update the line StrictSSLCheckingEnabled = true in the server’s client.conf.toml file, located in: [application-server-path]\providers\print-deploy\[os]\data\config.

We recommend applying this configuration before deploying the clients. However, if you have already deployed them, you can still change the configuration on the server at any time. The clients will not check SSL certificates until they receive a configuration from the server where StrictSSLCheckingEnabled is true.

Any changes to this configuration require a restart of the PaperCut Print Deploy service. For details, see the instructions on how to restart the Print Deploy server.

This will ensure that the first connection the client makes to the server is protected by a certificate verification check.

Windows

If deploying an MSI, run the installer as follows:

msiexec /i pc-printer-deployment-client-installer.msi server_host={insert your print deploy server host here} strict_ssl=true

macOS

If deploying the client DMG with an MDM tool, include a .plist file named com.papercut.printdeploy.client.plist with the property strict_ssl set to "true". Note that strict_ssl must be lowercase.

The .plist file should be placed in the following location: /Library/Managed Preferences/.

Example:

Note: replace {PD-server-hostname} in the example below with your Print Deploy server hostname.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>server_host</key>
    <string>{PD-server-hostname}</string>
    <key>server_port</key>
    <integer>9174</integer>
    <key>server_scheme</key>
    <string>https</string>
    <key>skip_dpm</key>
    <string>false</string>
    <key>strict_ssl</key>
    <string>true</string>
</dict>
</plist>
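
An added example (not PaperCut's code): a pre-deployment lint for the com.papercut.printdeploy.client.plist payload, to run before it is pushed through an MDM tool. It checks that the file parses and that the key is exactly lowercase strict_ssl with the string value "true"; the function name, the sample hostname, and the https and placeholder checks are assumptions of this example.

```python
import plistlib
from xml.parsers.expat import ExpatError

def lint_printdeploy_plist(data):
    """Return a list of problems in a com.papercut.printdeploy.client.plist payload."""
    try:
        prefs = plistlib.loads(data)
    except (ExpatError, ValueError) as exc:  # malformed XML or not a plist at all
        return ["plist does not parse: %s" % exc]
    if not isinstance(prefs, dict):
        return ["top-level plist object must be a <dict>"]
    problems = []
    # The page requires the key name to be lowercase; catch near-misses.
    for key in prefs:
        if key.lower() == "strict_ssl" and key != "strict_ssl":
            problems.append("key %r must be written as lowercase strict_ssl" % key)
    # Conservative: accept only the exact string form the page's example uses.
    if prefs.get("strict_ssl") != "true":
        problems.append('strict_ssl is not the string "true"; strict checking stays off')
    # Assumption: certificate checking is only meaningful over https.
    if prefs.get("server_scheme") != "https":
        problems.append("server_scheme is not https")
    if "{" in str(prefs.get("server_host", "{")):
        problems.append("server_host is missing or still a placeholder")
    return problems

# Constructed sample payloads (the hostname is a placeholder, not a real server).
_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>server_host</key>
    <string>printdeploy.example.com</string>
    <key>server_scheme</key>
    <string>https</string>
    %s
</dict>
</plist>"""
GOOD = (_TEMPLATE % "<key>strict_ssl</key><string>true</string>").encode()
WRONG_CASE = (_TEMPLATE % "<key>Strict_SSL</key><string>true</string>").encode()
BAD_TAG = (_TEMPLATE % "<key>skip_dpm</key><string>false<string/>").encode()

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("WRONG_CASE", WRONG_CASE), ("BAD_TAG", BAD_TAG)]:
        print(name, lint_printdeploy_plist(payload) or "ok")
```

A payload that fails the lint leaves the client on its default behavior of proceeding with an untrusted certificate, so an empty result is worth making a gate in the MDM packaging step.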

Linux

  • For .rpm based distributions: sudo STRICT_SSL=true yum localinstall <client-installer>\[<hostname>\].rpm
  • For .deb based distributions: sudo STRICT_SSL=true dpkg -i <client-installer>\[<hostname>\].deb

Step 4: Enforce certificate validation for Print Deploy client auto-updates

Note: this section does not apply to Linux Print Deploy clients.

When updates to Print Deploy are released, the Print Deploy client automatically fetches them from the Print Deploy server, according to its scheduled tasks.

In order to force the call between the client and server to verify that the server certificate is trusted, you’ll need to update the pc-print-deploy-client.conf file across all your clients.

The Print Deploy client’s pc-print-deploy-client.conf file is located in the following directory:

  • For Windows: C:\Program Files\PaperCut Print Deploy Client
  • For Mac: /Applications/PaperCut Print Deploy Client

The updated pc-print-deploy-client.conf file is below. This can be pushed out via an MDM tool.

{
    "ServiceDescription": {
        "DisplayName": "PaperCut Print Deploy Client",
        "Description": "Automatically deploys printers through a server configuration"
    },
    "ServiceConfig": {
        "LogFile": "data/logs/${ServiceName}.log",
        "LogFileMaxSizeMb": 200
    },
    "Include" : ["v*/include.conf"],
    "Services": [
        {
            "Path": "v*/pc-print-deploy-client.exe",
            "Args": ["-dataDir=${ServiceRoot}\\data", "-pclog.dev"],
            "GracefulShutdownTimeoutSecs": 10,
            "RestartDelaySecs": 5,
            "MaxCrashCountPerHour": 10
        }
    ],
    "ScheduledTasks": [
        {
            "Schedule": "0 0 9 * * *",
            "Path": "./updater.exe",
            "Args": ["PRINT_DEPLOY_SERVER_URL/check-update/windows"],
            "StartupRandomDelaySecs": 28800,
            "TimeoutSecs": 3600
        }
    ],
    "StartupTasks": [
        {
            "Path": "./updater.exe",
            "Args": ["PRINT_DEPLOY_SERVER_URL/check-update/windows"],
            "TimeoutSecs": 3600,
            "StartupDelaySecs": 600,
            "StartupRandomDelaySecs": 3600,
            "Async": true
        }
    ]
}
