As of firmware G00-Q1, a default installation of PaperCut MF shows the following error message on the Konica Minolta device panel:

Caution: Certificate has been signed with SHA1. Are you sure you want to continue?

This message may be seen on the Konica Minolta device when the PaperCut server uses a SHA1 certificate. By default, PaperCut ships with a SHA1-signed certificate, because several devices only support SHA1 communication, so a default PaperCut installation may produce this error. However, seeing this message on the device is undesirable, as it may confuse users. There are a few solutions to this problem, covered below.

Info: If you are not seeing the error message above at your Konica Minolta device panel, you can skip to suppressing the warning in the PaperCut admin console; see the steps at the bottom of the page.

Upgrading to a SHA256 certificate

The easiest and recommended solution is to upgrade the PaperCut server certificate so that it is signed with SHA256. SHA256 is a stronger signature hash than SHA1, and using it will prevent this error message from appearing on the device.
Info: The following commands only apply if you're using the default PaperCut self-signed certificate. If your PaperCut Application Server is configured with a non-default certificate, please reach out to the vendor or systems administrator who supplied the certificate to make sure it is signed with SHA256 or stronger.

Upgrade the PaperCut Application's default certificate:

1. As an administrator, open a new terminal.
2. Navigate to the create-ssl-keystore tool:
    cd [app-path]PaperCut [MF\NG]\server\bin\win
3. Back up the old keystore:
    [app-data]PaperCut [MF\NG]\server\data\default-ssl-keystore
4. For a standard PaperCut install that has not been modified, execute the command:
    create-ssl-keystore -f -sig sha256 -bcCA
   You should expect to see the result:
    Info Keystore file successfully created for: at [app-data]\server\data\default-ssl-keystore.
5. Restart the Application Server to apply the new SSL certificate.

Info: For advanced admins or systems with non-standard environment configurations:
1. Run the create-ssl-keystore tool, specifying the values you wish to customize. See the table below for a list of the available arguments.

create-ssl-keystore

Argument                Description
-bcCa                   Add the X.509 Basic Constraints CA extension.
-f                      (force) Overwrite any existing keystore file.
-k                      Define a keystore file location. By default, the location is [app-data]/PaperCut [MF/NG]/server/data/default-ssl-keystore
-keystorepass           Specifies the keystore password. By default, the Keystore password is default
-keystorekeypass        Specifies the Private Key password within the keystore. By default, the Private Key password is default
-sig [ SHA256|SHA1 ]    Specifies the algorithm that should be used for certificate signing. By default, SHA1 is used.
SYSTEM_NAME             The name of the computer/server used to generate the keystore. By default, the current computer name is used.

Example:
    create-ssl-keystore -f -k <location> -sig sha256 -keystorepass <KEYSTOREpassword> -keystorekeypass <KEYpassword> -bcCA <SYSTEM-NAME>

2. (OPTIONAL) If you specified the -k, -keystorepass, or -keystorekeypass arguments:
   a. Open the [app-path]\server\server.properties file with a text editor.
   b. Locate the section titled SSL Key\Certificate.
   c. Remove the comment marker (#) from the line starting with server.ssl.keystore=
   d. Define the following properties:

server.properties

Property                        Description
server.ssl.keystore             The location of your keystore. This must match the value specified by -k in create-ssl-keystore. If you did not specify this value in create-ssl-keystore, leave the default value in your server.properties file.
server.ssl.keystore-password    The keystore password. This must match the value specified by -keystorepass in create-ssl-keystore; if you did not specify this value in create-ssl-keystore, leave it as default in the server.properties file.
server.ssl.key-password         The keystore private key password. This must match the value specified by -keystorekeypass in create-ssl-keystore; if you did not specify this value in create-ssl-keystore, leave it as default in the server.properties file.

Info: On macOS, the server.ssl.keystore property requires the absolute path to your keystore. default-location: /PaperCut [NG/MF]/server/custom/my-ssl-keystore

3. Restart the PaperCut Application Server.

For more information, check out our manual!

Suppressing the warning in the PaperCut Admin console

Caution: This solution will not work for devices that do not support SHA256-signed certificates, as they will not be able to communicate with the PaperCut server. Check with your PaperCut reseller or Authorized Solution Center to identify whether SHA256 is supported on your Konica Minolta.

If the device doesn't support SHA256, or if you have a mixed fleet of devices that support SHA256:

1. Create a site-server which serves a SHA1 certificate.
2. Upgrade the main PaperCut Application server's certificate to SHA256.
3. Migrate all SHA1-only devices to the site-server.

Reach out to your PaperCut reseller for assistance in setting up the Site Server environment.

You can suppress the admin dashboard warning by performing the following steps:
1. Go to the PaperCut Application's Admin dashboard: https://papercutserver:9192/admin
2. Open Devices.
3. Select the device.
4. Open Advanced Config.
5. Set ext-device.konica-minolta.browser.show-sha1-message to the value N.

Suppress the warning on a Konica Minolta MFD

Web Interface

1. Access the Konica Minolta's Web Interface.
2. Settings
3. Security Settings
4. SSL communication of SHA1 certificate
5. Select Allow.

Panel

1. Tap [Menu] - [Settings].
2. Log in as Administrator.
3. Security Settings
4. SSL communication of SHA1 certificate
5. Select Allow.
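
To confirm the result of the keystore upgrade, the following added example (not PaperCut's own code) fetches the certificate the Application Server is serving and reports its signature algorithm. It assumes the HTTPS port 9192 and the host name papercutserver from the admin URL above; the function names are illustrative.

```python
import ssl
import sys

# DER-encoded OIDs (hex) of common certificate signature algorithms
SIG_OIDS = {
    "2a864886f70d010105": "sha1WithRSAEncryption",
    "2a864886f70d01010b": "sha256WithRSAEncryption",
    "2a8648ce3d0401": "ecdsa-with-SHA1",
    "2a8648ce3d040302": "ecdsa-with-SHA256",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length

def signature_algorithm(der):
    """Name of the algorithm used to sign an X.509 certificate (DER bytes)."""
    tag, cert_start, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, cert_start)    # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm has no OID")
    oid = der[oid_start:oid_end].hex()
    return SIG_OIDS.get(oid, "unknown OID " + oid)

def is_sha1_signed(der):
    """True when the certificate would be reported as SHA1-signed."""
    return "sha1" in signature_algorithm(der).lower()

def fetch_der(host, port=9192):
    """Fetch the served certificate without validating it (it is self-signed)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "papercutserver"
    der = fetch_der(host)
    print(host, signature_algorithm(der),
          "-> still SHA1-signed" if is_sha1_signed(der) else "-> not SHA1-signed")
```

Run it against the Application Server before and after the restart, and against any site server that is meant to keep serving SHA1 to older devices.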