Server and Client certificates
To encrypt the traffic between the InfoPrint Manager server and an InfoPrint Manager client, you need a digital certificate. Each digital certificate has two parts: a key (the private part) and the certificate (the public part). The key must always be kept private; otherwise the communication is no longer secure. There are two ways to obtain a certificate:
- Generate the certificate yourself
- Buy a certificate from a globally known third-party Certificate Authority (CA).
In the first case, you need to generate a Certificate Authority (CA) certificate of your own. The CA key (private part) is used to sign the certificates you generate for servers and clients, and the CA certificate (public part) is what authenticates those certificates. The CA certificate must therefore be available on every InfoPrint Manager server and client so that each can validate the certificates it receives.
In the second case, the certificates are verified using the Mozilla CA Certificate Store, a collection of CAs maintained by the Mozilla organization. The raw file can be found at https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt.
The certdata.txt file is distributed with InfoPrint Manager in a form that is suitable to be used with OpenSSL.
The certificate included in certdata.txt usually expires in 398 days. To update the collection of CAs maintained by the Mozilla organization, follow these steps:
- On a computer with curl installed and internet access, copy mk-ca-bundle.pl from a computer running InfoPrint Manager or from an InfoPrint Manager client computer. The mk-ca-bundle.pl script is located in the
- You can also download the mk-ca-bundle.pl script from https://raw.githubusercontent.com/curl/curl/master/scripts/mk-ca-bundle.pl. curl can be downloaded from https://curl.se/download.html.
- Make sure that curl is available in PATH.
- You can also download the
- Open a console and change the directory to the location of the
- Execute the following command:
perl mk-ca-bundle.pl -s SHA256 -t -p SERVER_AUTH,CLIENT_AUTH,CRL_SIGN:TRUSTED_DELEGATOR
- Copy the resulting ca-cert.pem to all computers running InfoPrint Manager and also to all InfoPrint Manager client computers. On Windows the location is: C:\Windows\ipm. On AIX, Linux, and MacOS the location is:
- Restart each computer where the ca-cert.pem file has been copied.
A server certificate must have X509v3 Extended Key Usage (EKU) set to Server Authentication (TLS Web Server Authentication). X509v3 Key Usage must be Digital Signature and Key Encipherment.
To use Mutual Authentication (the client validates the server certificate and the server also validates the client certificate), you need a client certificate.
A client certificate must have X509v3 Extended Key Usage (EKU) set to Client Authentication (TLS Web Client Authentication). X509v3 Key Usage must be Digital Signature.
If Mutual Authentication is required, the server certificate must have X509v3 Extended Key Usage (EKU) set to Server Authentication (TLS Web Server Authentication) and Client Authentication (TLS Web Client Authentication).
The Subject field in the digital certificate must be set to the full computer name from DNS (example: ipmsrv.example.com) or set to a wildcard for your DNS domain (example: *.example.com).
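The following script is an added example and is not part of InfoPrint Manager or RICOH's tooling. It assumes only the openssl command-line tool (1.1.1 or later). It creates a private CA as described in the first case above, issues a server certificate, a client certificate and a server certificate for Mutual Authentication with exactly the Key Usage and Extended Key Usage values listed above, and then checks each certificate the way an administrator would before installing it: the extension values are read back with openssl x509, the chain is validated against the private CA certificate, and the server certificate is matched against the DNS name. The directory, the host name ipmsrv.example.com, the wildcard *.example.com, the client name and the role names (server, client, server-mutual) are all constructed for the example. The subject name is written both as the CN and as a subjectAltName, since current TLS clients look for the DNS name in the SAN.

```shell
#!/bin/sh
# Added example (not InfoPrint Manager code): private CA, server and client
# certificates with the required KU/EKU values, plus checks on the result.
# WORK, IPM_HOST, subject names and role names are constructed for this example.

WORK="${WORK:-$(mktemp -d)}"
IPM_HOST="ipmsrv.example.com"      # constructed full DNS name of the server

# ipm_write_ext ROLE FILE [DNSNAME]: X509v3 extension profile for one role.
ipm_write_ext() {
  case "$1" in
    server)        eku="serverAuth";            ku="digitalSignature,keyEncipherment" ;;
    client)        eku="clientAuth";            ku="digitalSignature" ;;
    server-mutual) eku="serverAuth,clientAuth"; ku="digitalSignature,keyEncipherment" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=critical,$ku"
    echo "extendedKeyUsage=$eku"
    # server certificates also carry the DNS name (or wildcard) as a SAN
    [ -z "$3" ] || echo "subjectAltName=DNS:$3"
  } > "$2"
}

# ipm_make_ca: self-signed CA. ca-key.pem must stay private; ca-cert.pem is
# the public part every server and client needs in order to validate peers.
ipm_make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example IPM private CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca-key.pem" -sha256 -days 365 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca-cert.pem" >/dev/null 2>&1
}

# ipm_issue NAME ROLE SUBJECT: key and CSR, then a certificate signed by the CA.
# SUBJECT becomes the CN (full DNS name or wildcard for server roles).
ipm_issue() {
  name="$1"; role="$2"; subject="$3"
  san=""; [ "$role" = client ] || san="$subject"
  ipm_write_ext "$role" "$WORK/$name.ext" "$san" || return 1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$subject" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$name.csr" -sha256 -days 365 \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name-cert.pem" >/dev/null 2>&1
}

# ipm_has HAYSTACK NEEDLE: substring test using only the shell
ipm_has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

# ipm_check_cert FILE ROLE: 0 when the Key Usage / Extended Key Usage values
# match the InfoPrint Manager requirement for ROLE, 1 otherwise. The values
# are read from `openssl x509 -text`, where each sits on the line after its header.
ipm_check_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  ipm_has "$ku" "Digital Signature" || return 1     # required for every role
  case "$2" in
    server)
      ipm_has "$ku" "Key Encipherment" &&
      ipm_has "$eku" "TLS Web Server Authentication" ;;
    client)
      ipm_has "$eku" "TLS Web Client Authentication" ;;
    server-mutual)
      ipm_has "$ku" "Key Encipherment" &&
      ipm_has "$eku" "TLS Web Server Authentication" &&
      ipm_has "$eku" "TLS Web Client Authentication" ;;
    *) return 1 ;;
  esac
}

# ipm_verify CERT [HOST]: chain check against the private CA, plus the DNS
# name match a client performs when HOST is given (wildcards are honoured).
ipm_verify() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/ca-cert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/ca-cert.pem" "$1" >/dev/null 2>&1
  fi
}

# ipm_demo: run the whole flow and report one line per check
ipm_demo() {
  ipm_make_ca || return 1
  ipm_issue server server "$IPM_HOST" || return 1
  ipm_issue client client "ipm-client-01" || return 1
  ipm_issue mutual server-mutual "*.example.com" || return 1
  for pair in "server-cert.pem server" "client-cert.pem client" "mutual-cert.pem server-mutual"; do
    set -- $pair
    if ipm_check_cert "$WORK/$1" "$2"; then echo "$1: KU/EKU ok for role $2"; else echo "$1: wrong KU/EKU"; return 1; fi
  done
  ipm_verify "$WORK/server-cert.pem" "$IPM_HOST" && echo "server chain and host name ok (files in $WORK)"
}
```

Run `sh` on the file and call `ipm_demo` (or source it and call the functions one at a time). ipm_check_cert is the piece worth keeping around: pointed at a certificate bought from a third-party CA, it tells you before installation whether the EKU and Key Usage values are the ones InfoPrint Manager expects for the intended role, and ipm_verify with the host name catches a Subject that does not match the computer's full DNS name.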