Server and Client certificates
To encrypt the traffic between the InfoPrint Manager server and an InfoPrint Manager client, you need a digital certificate. Each digital certificate has two parts: a key (the private part) and the certificate (the public part). The key should always be kept private, otherwise the communication is not secure anymore.
- Personally generate the certificate
- Buy a certificate from a globally known third-party Certificate Authority (CA).
In the first case, you need to generate a CA authority certificate. The CA key file will sign the certificates you generate (for servers and clients). The CA certificate will authenticate the certificates you generate. The CA certificate (public part) must be available for InfoPrint Manager servers and clients in order to validate the certificates it receives.
In the second case, the certificates are verified using the Mozilla CA Certificate Store, a collection of CAs maintained by Mozilla organization. The raw file can be found at https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt.
certdata.txtfile is distributed with InfoPrint Manager in a form that is suitable to be used with OpenSSL.
The certificate included in
certdata.txt usually expires in 398 days. To update the collection of CAs maintained by Mozilla
organization, follow these steps:
- On a computer with
curlinstalled and internet access, copy
mk-ca-bundle.plfrom a computer running InfoPrint Manager or from an InfoPrint Manager client computer. The
mk-ca-bundle.plscript is located in the
- You can also download the
mk-ca-bundle.plscript from https://raw.githubusercontent.com/curl/curl/master/lib/mk-ca-bundle.pl.
curlcan be downloaded from https://curl.se/download.html.
- Make sure that
curlare used in PATH.
- You can also download the
- Open a console and change the directory to the location of the
- Execute the following command:
perl mk-ca-bundle.pl -s SHA256 -t -p SERVER_AUTH,CLIENT_AUTH,CRL_SIGN:TRUSTED_DELEGATOR
ca-cert.pemto all computers running InfoPrint Manager and also to all InfoPrint Manager client computers. On Windows the location is:
C:\Windows\ipm. On AIX, Linux, and MacOS the location is:
- Restart each computer where the
ca-cert.pemfile has been copied.
A server certificate must have X509v3 Extended Key Usage (EKU) set to Server Authentication (TLS Web Server Authentication). X509v3 Key Usage must be Digital Signature and Key Encipherment.
To use Mutual Authentication (the client validates the server certificate and the server also validates the client certificate), you need a client certificate.
A client certificate must have X509v3 Extended Key Usage (EKU) set to Client Authentication (TLS Web Client Authentication). X509v3 Key Usage must be Digital Signature.
If Mutual Authentication is required, the server certificate must have X509v3 Extended Key Usage (EKU) set to Server Authentication (TLS Web Server Authentication) and Client Authentication (TLS Web Client Authentication).
The Subject field in the digital certificate must be set to the full computer name from DNS (example: ipmsrv.example.com) or set to a wildcard for your DNS domain (example: *.example.com).
The X509v3 Subject Alternative Name (SAN) must contain any other names or aliases
for that computer (if available) and the IP addresses associated with the computer
name. The field in the certificate must look like this:
DNS:alt1.example.com, DNS:alt2.example.com, IP:10.0.0.1, IP:fc00::1, where host names are prefixed with "DNS:" and IP addresses with "IP:".
InfoPrint Manager warns you when your SSL/TLS certificate has less than 31 days left until it expires. The message is issued to error log and it looks like this: "5010-907 The SSL/TLS certificate for InfoPrint Manager expires on May 21 10:33:41 2029 GMT". To avoid interruptions you should consider renewing your certificate.
In order to identify if your InfoPrint Manager server is SSL/TLS enabled, check the error log file for the following message: "5010-908 InfoPrint Manager started with SSL/TLS enabled." after the InfoPrint Manager server start.
When encryption is disabled, InfoPrint Manager server accepts connections from previous versions of clients and servers (which do not understand TLS encryption). Once the encryption is enabled for an InfoPrint Manager server, such clients or servers are no longer able to communicate with the system. Only InfoPrint Manager servers that have encryption enabled or InfoPrint Manager clients that know to use TLS encryption will successfully communicate with the system.