Secure Sockets Layer (SSL) is a standard security protocol for establishing an encrypted link between a server and a client. It allows sensitive data to be transmitted securely. Browsers and secured web servers have the capability of interacting with each other but require a SSL Certificate to establish a secure connection. SSL- secured websites begin with https.
Understanding SSL Certificates
A certificate is required for all SSL- related transactions to ensure secure data transmissions and prevent eavesdropping. There are 2 types of SSL certificates.
Self-Signed CA Certificate
A Self-Signed CA certificate is authenticated by a trusted Certificate Authority authorized to issue them. Certificate Authorities are trusted resources that meet all the requirements that have been set for issuing certificates. They have the appropriate safeguards in place to prevent misuse and other types of fraudulent behavior. It is recommended that a Self-Signed CA certificate is used for secure communication between the Upland AccuRoute server and Lexmark devices.
Self-Signed Certificate
A Self-Signed certificate is issued by the individual using it with their own software. It may be used on intranets or testing environments; however, if used on the Internet, they generate browser warnings that could dissuade potential customers from using a website. Although, this type of certificate provides encryption, it does not provide authentication and it is not recommended for secure communication between the server and Lexmark devices.
Note: Installation of the Self-Signed certificate is not allowed on the device’s trust store making it impossible for the client to ever trust the server’s certificate.
Before you begin
The following installations and setup are required for a successful device SSL configuration.
Administrators must complete the following tasks.
-
Add a Lexmark Device Group and configure the device buttons in the Server Administrator.
-
Configure the Upland AccuRoute ESF Application JAR file at the device after the SSL configuration is complete.
There are several CA resources that you can use to obtain Self-Signed CA certificates. It is recommended that you research and select a CA resource that works for you and your company.
In addition, you must determine whether you are going to use a CA resource to create your own Self-Signed CA certificate and Private key or have the CA resource create and provide you with the Self-Signed CA certificate and Private key.
Note: The following instructions refer to the use of OpenSSL for illustrative purposes only. You are not required to use OpenSSL. If you obtained your Self-Signed CA certificate and Private key from a CA resource, then you can proceed to Creating a Server certificate request.
What you need to do to configure SSL
Complete the steps in the order specified.
- Create or obtain a Self-Signed CA certificate and Private key
- Create a Server certificate
- Complete the Server certificate request
- Install and import the Self-Signed CA certificate
- Verifying certificates in the MMC snap-in
- Bind the Server certificate
- Require SSL for the Device Client and Web API
- Enable Directory Browsing for the Device Client and Web API
- Edit the OmlSAPIU.xml file
- Create a PFX certificate file
- Adding the SSL URL to the Device Group Properties
Creating a Self-Signed CA certificate and generating a Private key
Using a CA resource, you must create a Self-Signed CA certificate and generate a Private key. A password-protected 2048-bit RSA private key (domain.key) is required for the Lexmark integration.
Note: Refer to the documentation provided by your CA resource. The next series of steps use OpenSSL as an example and may not apply to your specific SSL configuration.
To create a Self-Signed CA certificate and generate a Private key
- Download, open, and run the OpenSSL.exe file as an Administrator.
- Use the following command to generate the password-protected 2048-bit RSA private key.
OpenSSL > genrsa -des3 -out omtool.key 2048
-
Specify a password and verify. The password-protected omtool.key appears in the /OpenSSL-Win64/bin directory.
Note: Make a note of all passwords created during the Lexmark device SSL configuration. There are instances where the passwords may be required in other configuration steps.
- Type or copy/paste the following command at the OpenSSL prompt to create a Self-Signed CA certificate, generate a Private key, and press Enter.
OpenSSL> req -x509-nodes -days 365 -newkey rsa:2048 -keyout omtool.key -out certificate.crt-reqexts v3_req -extensions v3_ca
Note: X.509 version 1 certificates are not allowed by some mobile platforms. Use the X.509 version 3 certificates instead. When creating Self-signed CA certificates, ensure that they are X.509 version 3 and have the following extension defined: basicConstraints= CA:TRUE.
- Verify the certificate version and extensions, if necessary, by typing the following command and press Enter.
openssl x509 -in certificate.crt-text -noout
Note: Refer to the documentation provided by your CA resource on how to specify the required version and certificate extensions.
See the OpenSSL.exe file example below.
-
Type the following information that will be included in your certificate request and press Enter.
- Country Name, for example, US
- State or Province Name, for example, TX
- Locality Name; for example, Austin (City)
- Organization/Company Name, for example, Upland Software
- Organizational Unit Name, for example, AccuRoute Server Administration (Department)
- Common Name; for example, server FQDN (Fully Qualified Domain Name = hostname.domainname.com)
- Email Address; for example, username@company.com
Note: Some of these fields can be left blank. A Self-Signed CA certificate (certificate.crt) is created and a Private key (omtool.key and password) is generated when you are done. The certificate is located in the /OpenSSL-Win64/bin directory with a certificate filename.
See also
Lexmark SSL Configuration Server Certificate Request
Lexmark SSL Configuration Device Client and Web API
Lexmark SSL Configuration XML Files
Lexmark SSL Configuration Server and Device