Server and Client certificates

To encrypt the traffic between the InfoPrint Manager server and an InfoPrint Manager client, you need a digital certificate. Each digital certificate has two parts: a key (the private part) and the certificate (the public part). The key should always be kept private, otherwise the communication is not secure anymore.

Important: InfoPrint Manager only supports unencrypted certificate keys in PEM format.

You can:

  1. Personally generate the certificate
  2. Buy a certificate from a globally known third-party Certificate Authority (CA).

In the first case, you need to generate a CA authority certificate. The CA key file will sign the certificates you generate (for servers and clients). The CA certificate will authenticate the certificates you generate. The CA certificate (public part) must be available for InfoPrint Manager servers and clients in order to validate the certificates it receives.

In the second case, the certificates are verified using the Mozilla CA Certificate Store, a collection of CAs maintained by Mozilla organization. The raw file can be found at https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt.

Note: certdata.txt file is distributed with InfoPrint Manager in a form that is suitable to be used with OpenSSL.

The certificate included in certdata.txt usually expires in 398 days. To update the collection of CAs maintained by Mozilla organization, follow these steps:

  1. On a computer with perl and curl installed and internet access, copy mk-ca-bundle.pl from a computer running InfoPrint Manager or from an InfoPrint Manager client computer. The mk-ca-bundle.pl script is located in the <install path>\bin directory.
  2. Open a console and change the directory to the location of the mk-ca-bundle.pl script.
  3. Execute the following command: 
    perl mk-ca-bundle.pl -s SHA256 -t -p SERVER_AUTH,CLIENT_AUTH,CRL_SIGN:TRUSTED_DELEGATOR
  4. Rename certdata.txt to ca-cert.pem.
  5. Copy ca-cert.pem to all computers running InfoPrint Manager and also to all InfoPrint Manager client computers. On Windows the location is: C:\Windows\ipm . On AIX, Linux, and MacOS the location is: /etc/ipm.
  6. Restart each computer where the ca-cert.pem file has been copied.

A server certificate must have X509v3 Extended Key Usage (EKU) set to Server Authentication (TLS Web Server Authentication). X509v3 Key Usage must be Digital Signature and Key Encipherment.

To use Mutual Authentication (the client validates the server certificate and the server also validates the client certificate), you need a client certificate.

A client certificate must have X509v3 Extended Key Usage (EKU) set to Client Authentication (TLS Web Client Authentication). X509v3 Key Usage must be Digital Signature.

If Mutual Authentication is required, the server certificate must have X509v3 Extended Key Usage (EKU) set to Server Authentication (TLS Web Server Authentication) and Client Authentication (TLS Web Client Authentication).

Important: You should not use a globally known third-party CA when Mutual Authentication is enabled. For example, using a Verisign certificate as a "known CA" means that ANYONE who has a certificate signed by them is authenticated. This is most likely not what you want. Generate your own CA certificate, server certificate, client certificates, etc.

The Subject field in the digital certificate must be set to the full computer name from DNS (example: ipmsrv.example.com) or set to a wildcard for your DNS domain (example: *.example.com).

Note: Partial wildcards are not allowed.

The X509v3 Subject Alternative Name (SAN) must contain any other names or aliases for that computer (if available) and the IP addresses associated with the computer name. The field in the certificate must look like this: DNS:alt1.example.com, DNS:alt2.example.com, IP:10.0.0.1, IP:fc00::1, where host names are prefixed with "DNS:" and IP addresses with "IP:".

InfoPrint Manager warns you when your SSL/TLS certificate has less than 31 days left until it expires. The message is issued to error log and it looks like this: "5010-907 The SSL/TLS certificate for InfoPrint Manager expires on May 21 10:33:41 2029 GMT". To avoid interruptions you should consider renewing your certificate.

In order to identify if your InfoPrint Manager server is SSL/TLS enabled, check the error log file for the following message: "5010-908 InfoPrint Manager started with SSL/TLS enabled." after the InfoPrint Manager server start.

When encryption is disabled, InfoPrint Manager server accepts connections from previous versions of clients and servers (which do not understand TLS encryption). Once the encryption is enabled for an InfoPrint Manager server, such clients or servers are no longer able to communicate with the system. Only InfoPrint Manager servers that have encryption enabled or InfoPrint Manager clients that know to use TLS encryption will successfully communicate with the system.

Parent topic: Managing Transport Layer Security encryption for InfoPrint Manager for AIX