Creating a web server certificate for the Personal Printing server
Assigning the web server certificate to the Personal Printing server
Creating a web server certificate for the Release Station
Assigning the web server certificate to the Release Station
Installing the root certificate and setting up the server URL on the client side
For Personal Printing it is possible to encrypt the following connections via https:
- from a web browser to the Release Station’s web interface.
- from the Release Station or another authentication device (like printer or smartphone) to the Personal Printing server. This encryption can be used for:
  - opening the JobViewer
  - the authentication at the printer
    (Data such as user ID and password are sent from the authentication devices to the Personal Printing Server.)
Creating a web server certificate for the Personal Printing server
If you do not want to purchase a server certificate for the Personal Printing server from a public certification authority (CA), then you can also create this in your Active Directory with your own CA. In this case, however, you must distribute the root certificate and, if applicable, the intermediate certification authority certificate to all computers that are to access the Personal Printing server via https.
- To do this, enable the role Active Directory Certificate Services with the setup type Enterprise on the Active Directory server or on a member server.
- Then switch to the Personal Printing server and open the certificate management in the MMC.
- Highlight the certificate store Certificates (Local Computer)→ Personal and select All Tasks→ Request New Certificate.
Personal Printing server: requesting a web server certificate for the local machine
- In the Active Directory Enrollment Policy menu, open the properties of the Web Server certificate to be created.
Personal Printing server: changing the settings of the web server certificate
- With older CAs, the Web Server certificate type may not be displayed by default. In this case, you must first enable it on the certification authority server by opening the template management in the Certification Authority manager ...
older CA: managing certificate templates
- ... and opening the properties of the Web Server template and, on the Security tab, granting the right Enroll to the Authenticated Users group.
older CA: granting the right Enroll to the Authenticated Users group
- Back to the Personal Printing server: In the settings of the Web Server certificate to be created, enter the Common Name and the DNS name in the Subject tab. Both must match the name of the certificate and the server address (this is a requirement of Chrome browsers). In general, this is the FQDN of the web server or Personal Printing server (a hostname or IP address is also possible).
Personal Printing server: specifying Common Name and DNS name
- On the Private Key tab, you can mark the private key of the certificate as exportable (if you do not request the certificate from the target server or if you want to reinstall it later).
Personal Printing server: marking the private key as exportable optionally
- If you have several CAs in your Active Directory, select the CA on the Certification Authority tab. You must distribute its root certificate to the authentication devices (see below).
Personal Printing server: selecting a specific CA
- Finally, select the Web Server certificate type and click Enroll to install the web server certificate on the local machine. It is automatically stored in the certificate store Certificates (Local Computer)→ Personal.
Personal Printing server: installing the web server certificate on the local machine
Assigning the web server certificate to the Personal Printing server
In the certificate store Certificates (Local Computer)→ Personal you need a server certificate issued to the address of the Personal Printing server (see above).
Note! The server certificate must have the same name as the Personal Printing server (FQDN, hostname, or IP address).
When opening the JobViewer, the address in the browser must then be specified as shown in the column Issued By (see screenshot). For example, if there is an IP address, the JobViewer is opened with:
https://192.168.149.75/JobViewer
(example)
On the Release Station and on Lexmark printers, the URL is specified in this case with:
https://192.168.149.75
(example)
On Samsung and Konica Minolta printers, only the IP address will be specified in this case.
server certificate on the Personal Printing server
- Then open the IIS Manager or Internet Information Services Manager (IIS).
Select Sites→ Default Web Site→ Bindings.
IIS Manager: selecting Bindings
- If (e. g. after an update) no binding of type https exists yet, add a new site binding by clicking on Add.
- If you had selected the option Create Self-Signed Certificate during the installation of Personal Printing, then replace the automatically generated (self-signed) web server certificate with your web server certificate here.
In the next window, select from the following:
Type | https |
Port | 443 |
SSL certificate | your web server certificate (created above) |
site binding: adding https protocol and selecting the certificate (you will find the new site binding in the overview)
- For security, check that only authentication with encryption is allowed. To do this, select Sites→ Default Web Site→ SSL Settings.
IIS Manager: encryption settings
- The Require SSL checkbox must be checked here if authentication is to take place exclusively via https. (If Require SSL is not enabled, authentication can take place via both http and https.)
connection protocol restricted to https
- Finally, restart the IIS service.
restarting the IIS service of the Personal Printing server
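The result of the steps above can be checked from PowerShell. The following is an added example, not part of the original documentation or the vendor's tooling; it assumes the default site name used on this page and takes the server address as a parameter. It reports whether the https binding still uses a self-signed certificate, whether the certificate validates for the address the devices use, and whether Require SSL is enabled.

```powershell
# Added example, not vendor code. Run elevated on the Personal Printing server.
Import-Module WebAdministration

function Test-PrintServerHttps {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,   # address configured on the devices
        [string]$SiteName = 'Default Web Site'
    )
    $findings = @()

    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) { return @("No https binding on '$SiteName'") }

    # The binding records the store name and thumbprint of the assigned certificate.
    $path = "Cert:\LocalMachine\$($binding.certificateStoreName)\$($binding.certificateHash)"
    $cert = if ($binding.certificateHash) { Get-Item -Path $path -ErrorAction SilentlyContinue }
    if (-not $cert) { return @("https binding has no certificate assigned") }

    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'Binding still uses a self-signed certificate'
    }
    if (-not $cert.HasPrivateKey) { $findings += 'Certificate has no private key' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Certificate expires on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }

    # Chain and name check under the SSL policy, as this machine sees it.
    $ok = Test-Certificate -Cert $cert -Policy SSL -DNSName $ServerAddress `
            -WarningAction SilentlyContinue -ErrorAction SilentlyContinue
    if (-not $ok) {
        $names = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
        $findings += "Certificate fails SSL validation for '$ServerAddress' (names: $names)"
    }

    # "Require SSL" is stored as sslFlags on system.webServer/security/access.
    $access = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
                -Filter 'system.webServer/security/access'
    if ("$($access.sslFlags)" -notmatch '\bSsl\b') {
        $findings += 'Require SSL is off: authentication is also possible via http'
    }
    return $findings
}

# Constructed sample call, using the example address from this page:
Test-PrintServerHttps -ServerAddress '192.168.149.75'
```

An empty result means none of the checks raised a finding.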
Creating a web server certificate for the Release Station
If you do not want to purchase a server certificate for the Release Station from a public certification authority (CA), then you can also create this in your Active Directory with your own CA. In this case, however, you must distribute the root certificate and, if applicable, the intermediate certification authority certificate to all computers that are to access the Release Station via https.
- To do this, enable the role Active Directory Certificate Services with the setup type Enterprise on the Active Directory server or on a member server.
- Then open the certificate management in the MMC of a member server (e. g. the Personal Printing server).
- Highlight the certificate store Certificates (Local Computer)→ Personal and select All Tasks→ Advanced Operations→ Create Custom Request.
member server: starting the request for the Release Station’s web server certificate
- In the Custom request menu, select the Web Server template.
member server: selecting the template for a web server certificate
- With older CAs, the Web Server certificate type may not be displayed by default. In this case, you must first enable it on the certification authority server by opening the template management in the Certification Authority manager ...
older CA: managing certificate templates
- ... and opening the properties of the Web Server template and, on the Security tab, granting the right Enroll to the Authenticated Users group.
older CA: granting the right Enroll to the Authenticated Users group
- Back to Member Server: In the Certificate Information menu, select Details and then Properties.
member server: opening the settings of the web server certificate
- In the settings of the Web Server certificate to be created, enter the Common Name and the DNS name in the Subject tab. Both must match the name of the certificate and the computer address (this is a requirement of Chrome browsers). In general, this is the FQDN of the web server or Release Station (a hostname or IP address is also possible).
member server: specifying Common Name and DNS name
- On the Private Key tab, mark the private key of the certificate as exportable (to be able to install the certificate on the Release Station later). Confirm with OK, and proceed with Next in the Certification Information menu.
member server: marking the private key as exportable
- Save the certificate request as a text file (type .txt or .req).
member server: saving the certificate request as a text file
- Go to your CA and open the Certification Authority manager.
- There, highlight your CA and select All Tasks→ Submit new request.
CA: managing the certificate request
- Select the certificate request you just saved.
CA: opening the certificate request
- Save the certificate in .cer format.
CA: saving the certificate
- Switch back to the member server where you created the certificate request. Install the newly created certificate in Certificates (Local Computer)→ Personal.
- Export the certificate with its key (file format .pfx).
member server: exporting the Release Station’s web server certificate
- Assign a password when exporting.
member server: securing the certificate’s key with a password
- Switch to the web interface of the Release Station. To import the certificate, select Upload Certificate in the Certificates menu.
Release Station: importing the web server certificate
- Enter the password specified above.
Release Station: entering the key’s password
- Assign the certificate to the Release Station’s web interface.
Release Station: certificate assigned to the web interface
- To restart the Release Station, select System→ Reboot.
- After installing the root certificate on a workstation (see below), you can open the web interface of the Release Station via https. Select the same address that you used to create the certificate (here: https://releasestation-03).
workstation: opening the web interface of the Release Station via https (here: using a Chrome browser)
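The request, issuance and .pfx export steps above can also be run from the command line with certreq instead of the MMC. This is an added example, not part of the original documentation; the CA configuration string and the file names are placeholders, and the key length of 2048 bits is an assumption that must satisfy your Web Server template.

```powershell
# Added example, not vendor code. Run elevated on the member server.
$Name     = 'releasestation-03'                    # address used to open the web interface
$CaConfig = 'ca-host.example.local\Example-CA'     # placeholder: "CAHostName\CAName"

# Request definition: machine key, exportable, Web Server template,
# Common Name and DNS name both set to the Release Station address.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Name"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Name&"
"@ | Set-Content -Path .\rs.inf -Encoding ASCII

certreq -new .\rs.inf .\rs.req                         # create the request file
certreq -submit -config $CaConfig .\rs.req .\rs.cer    # have the CA issue the certificate
certreq -accept -machine .\rs.cer                      # install into Local Computer\Personal

# Pick the newly installed certificate and export it with its key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Name" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with private key found for CN=$Name" }

# The password is requested interactively so it does not end up in the script.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the .pfx file'
Export-PfxCertificate -Cert $cert -FilePath .\rs.pfx -Password $pfxPassword
```

The .pfx file contains the private key of the Release Station; delete it from the member server once it has been uploaded.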
Assigning the web server certificate to the Release Station
See the section Importing certificates.
Installing the root certificate and setting up the server URL on the client side
- If applicable, install the root certificate of the Personal Printing server on users’ authentication devices and/or that of the Release Station on workstations (if it is not preinstalled by default). Install it in the Trusted Root Certification Authorities and/or Third-Party Root Certification Authorities certificate store and, if applicable, install the intermediate certificate in Intermediate Certification Authorities.
For the Release Station see the section Importing certificates.
- Configure the URL of the Personal Printing server as https address on the authentication devices.
See the respective section:
• Preparing the Release Station
• Configuring smartphone users
• Personal Printing Clients in printers