Use an existing trusted SSL certificate for Mobility Print
Last modified on 12 August 2020 11:17 PM

“Help! We get a certificate error when browsing to the web interface of our Mobility Print server! What should we do?”

About Mobility Print and Certificates

By default, the Mobility Print server will use a self-signed certificate. While the self-signed cert secures communication, using one means that users browsing to the Mobility Print Help Center on your server using HTTPS will see an untrusted certificate error.

(It’s important to point out that, generally, this isn’t a problem. Users aren’t exchanging their credentials with the Mobility Print server through the web interface, and admins can simply click through the certificate error to get to the login page of the server and the traffic will still be encrypted.)

If this worries you, however, there are two different solutions.

  • Consider sharing with your users the link to our Mobility Print Help Center instead, which shows users how they can use Mobility Print on their devices. Our public page uses a trusted certificate that’s securely reachable over port 443.
  • It is also possible to install a custom certificate on your Mobility Print server, which allows admins and users to access the web interface of the server with HTTPS without facing a certificate error. Below we describe two different ways to create the certificate files and install them on the Mobility Print server using either KeyStore Explorer or OpenSSL.

Generate the certificate using KeyStore Explorer

You may already be familiar with KeyStore Explorer if you followed our guide Installing an SSL Certificate the Easy Way. You might be able to reuse that certificate if…

  • Mobility Print is installed on the same server where PaperCut is running.
  • You have a wildcard certificate, which should be valid for any server with the same domain name.

To do so, follow these steps:

  1. Open the KeyStore used by PaperCut using KeyStore Explorer.
  2. Right-click on the entry for the certificate, and choose Export then Export Certificate Chain.
  3. Set the Export Length option to Entire chain, change the file name to tls.cer, then click Export.
  4. Right-click on the entry for the certificate, and choose Export then Export Key Pair.
  5. Set the Format option to PEM. Change the file name to tls.pem. Then click Export.
  6. Copy the new tls.pem and tls.cer files to the data folder where PaperCut Mobility Print is installed. On a Windows server this might be C:\Program Files (X86)\PaperCut Mobility Print\data. Overwrite the existing files, or first copy the existing files to another folder for safekeeping.
  7. Restart the Mobility Print server or restart the service.
  8. Navigate to the web interface of the Mobility Print server using https://yourmobilityservername:9164 to test out the new certificate.

Generate the certificate using OpenSSL

The certificate and private key used by the Mobility Print server for HTTPS connections are in PEM-encoded format. To use an existing trusted SSL key:

1. Export the existing certificate and key to PEM-encoded format.
2. Configure the Mobility Print server certificate.

Step 1: Separate the components of the certificate key bundle using PEM encoding for the key. The process depends on the type of bundle you have. Also, hopefully, you documented the bundle’s import password once upon a time because you’re going to need it soon.

  • Windows certificate store:
    1. Export the certificate and key as a PFX bundle by following Step 1: Export the existing certificate with key. Skip this step if you already have a .pfx file.
    2. Export the PEM-encoded key and certificate as described below.
  • A PKCS#12 file (*.p12/*.pfx):
    1. Run the command below to export the key from the certificate key bundle:
    openssl pkcs12 -in certname.pfx -nocerts -out tlspw.pem
    2. Next, remove the PEM pass phrase from the last step:
    openssl rsa -in tlspw.pem -out tls.pem
    3. Finally, export the certificate from the certificate key bundle:
    openssl pkcs12 -in certname.pfx -nokeys -out tls.cer
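
Before moving on to Step 2, it is worth confirming that the exported tls.pem really belongs to tls.cer, that the pass phrase was removed, and that the certificate is still valid for the name users will browse to. The script below is an added example, not part of PaperCut's documentation; the function name check_tls_pair, its exit codes and the script name check_tls.sh are assumptions of this example, and it assumes the server certificate is the first one in tls.cer.

```shell
#!/bin/sh
# Added example: pre-flight check of the tls.cer / tls.pem pair produced above.
# check_tls_pair and its exit codes are this example's own names.
#
# Usage: check_tls_pair CERT KEY [HOSTNAME]
#   0  pair is usable
#   1  CERT is not a readable certificate
#   2  KEY is unreadable or still passphrase-protected
#   3  KEY does not belong to CERT
#   4  certificate has expired
#   5  HOSTNAME is not covered by the certificate
check_tls_pair() {
    cert=$1; key=$2; host=${3:-}

    # openssl x509 reads the first certificate in the file; this check assumes
    # that is the server certificate when tls.cer holds a whole chain.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1

    # An empty -passin plus stdin from /dev/null makes an encrypted key fail
    # instead of prompting; the "openssl rsa" step should have removed the pass phrase.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null </dev/null) || return 2

    # Both commands print the public key as PEM; the two must be identical.
    [ "$cert_pub" = "$key_pub" ] || return 3

    # -checkend 0 exits non-zero if the notAfter date is already in the past.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4

    # -checkhost only prints its verdict, so match on the text.
    if [ -n "$host" ]; then
        openssl x509 -in "$cert" -noout -checkhost "$host" 2>&1 |
            grep -q "does match certificate" || return 5
    fi
    return 0
}

# Run directly (hypothetical file name):
#   sh check_tls.sh tls.cer tls.pem yourmobilityservername
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
    echo "check_tls_pair exit code: $?"
fi
```

The same check applies to the files exported with KeyStore Explorer, provided the certificate chain was exported in PEM form.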

Step 2: Configure the Mobility Print server certificate

1. On the Mobility Print server, stop the PaperCut Mobility Print service.
2. Navigate to: C:\<Mobility Print install path>\data\. You’ll see the following:
  • tls.cer (certificate file)
  • tls.pem (private key file)
3. Make a backup of the current tls.cer and tls.pem by renaming them both to .old so you have a copy of the original files.
4. Copy your extracted certificate and private key files to this folder.
5. Rename your certificate file to tls.cer and the private key file to tls.pem.
6. Start the PaperCut Mobility Print service.
7. Access the Mobility Print Admin interface using the Common Name (or Host Name) that you’ve specified in the certificate.