Discussion:
How to generate a certificate for an HP printer?
(too old to reply)
Charles Curley
2024-09-21 21:30:01 UTC
Permalink
I have an HP LaserJet MFP M234sdw printer. I am getting error messages
from CUPS that say something like "cups-pki expired". The certificate
on the printer expired recently.

How do I generate a signed certificate to use in the printer?

There is no mechanism to do so in the printer's firmware.
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Jeffrey Walton
2024-09-21 21:40:02 UTC
Permalink
On Sat, Sep 21, 2024 at 5:26 PM Charles Curley
Post by Charles Curley
I have an HP LaserJet MFP M234sdw printer. I am getting error messages
from CUPS that say something like "cups-pki expired". The certificate
on the printer expired recently.
How do I generate a signed certificate to use in the printer?
There is no mechanism to do so in the printer's firmware.
You install certificates from the printer's web administration page.
<https://support.hp.com/my-en/document/ish_4629366-5428336-16>.

If you want to run your own PKI, then checkout Dogtag,
<https://www.dogtagpki.org/>.

Jeff
Charles Curley
2024-09-22 03:00:02 UTC
Permalink
On Sat, 21 Sep 2024 17:34:51 -0400
Post by Jeffrey Walton
Post by Charles Curley
How do I generate a signed certificate to use in the printer?
There is no mechanism to do so in the printer's firmware.
You install certificates from the printer's web administration page.
<https://support.hp.com/my-en/document/ish_4629366-5428336-16>.
Nope. There is no certificate generator on the printer, and that page
doesn't describe the web navigation correctly.
Post by Jeffrey Walton
If you want to run your own PKI, then checkout Dogtag,
<https://www.dogtagpki.org/>.
I'll look into this, thanks. I am, however, a certificate illiterate.
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Alexander V. Makartsev
2024-09-22 08:10:01 UTC
Permalink
Post by Charles Curley
I have an HP LaserJet MFP M234sdw printer. I am getting error messages
from CUPS that say something like "cups-pki expired". The certificate
on the printer expired recently.
How do I generate a signed certificate to use in the printer?
There is no mechanism to do so in the printer's firmware.
You can use "easy-rsa" package to create private Certificate Authority
(CA) and generate signed certificates.
It is a collection of openssl wrapper scripts and is quick and simple to
use.
--
With kindest regards, Alexander.

Debian - The universal operating system
https://www.debian.org
john doe
2024-09-22 14:00:01 UTC
Permalink
Post by Charles Curley
I have an HP LaserJet MFP M234sdw printer. I am getting error messages
from CUPS that say something like "cups-pki expired". The certificate
on the printer expired recently.
Is it a selfsigned cert?
Post by Charles Curley
How do I generate a signed certificate to use in the printer?
There is no mechanism to do so in the printer's firmware.
Even if you upgrade the FW?

--
John Doe
Charles Curley
2024-09-22 15:10:01 UTC
Permalink
On Sun, 22 Sep 2024 15:54:09 +0200
Post by john doe
Post by Charles Curley
I have an HP LaserJet MFP M234sdw printer. I am getting error
messages from CUPS that say something like "cups-pki expired". The
certificate on the printer expired recently.
Is it a selfsigned cert?
I think so. The embedded web server says,

By default, a pre-installed self-signed printer certificate is
created to identify this printer. You can change this certificate to
more accurately identify the printer and to update the length of
time the certificate is valid.
Post by john doe
Post by Charles Curley
How do I generate a signed certificate to use in the printer?
There is no mechanism to do so in the printer's firmware.
Even if you upgrade the FW?
I tried upgrading the firmware. I have the latest available, 20201215.
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
john doe
2024-09-22 16:10:01 UTC
Permalink
Post by Charles Curley
On Sun, 22 Sep 2024 15:54:09 +0200
Post by john doe
Post by Charles Curley
I have an HP LaserJet MFP M234sdw printer. I am getting error
messages from CUPS that say something like "cups-pki expired". The
certificate on the printer expired recently.
Is it a selfsigned cert?
I think so. The embedded web server says,
By default, a pre-installed self-signed printer certificate is
created to identify this printer. You can change this certificate to
more accurately identify the printer and to update the length of
time the certificate is valid.
Post by john doe
Post by Charles Curley
How do I generate a signed certificate to use in the printer?
There is no mechanism to do so in the printer's firmware.
Even if you upgrade the FW?
I tried upgrading the firmware. I have the latest available, 20201215.
I also have a HP.
After entering credentials it allows me to access the advance
capabilities of my printer.
It allows me among other things to renew the selfsigned cert!

To me, this is build-in! ;^)

--
John Doe
Charles Curley
2024-09-22 17:10:01 UTC
Permalink
On Sun, 22 Sep 2024 18:02:30 +0200
Post by john doe
I also have a HP.
After entering credentials it allows me to access the advance
capabilities of my printer.
What credentials? I have a user name and password (which I changed from
the defaults), and have used those to log in. Is there some other set
of credentials I have missed?
Post by john doe
It allows me among other things to renew the selfsigned cert!
To me, this is build-in! ;^)
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Charles Curley
2024-09-22 19:10:01 UTC
Permalink
On Sun, 22 Sep 2024 18:02:30 +0200
Post by john doe
Post by Charles Curley
Post by john doe
Even if you upgrade the FW?
I tried upgrading the firmware. I have the latest available,
20201215.
I also have a HP.
After entering credentials it allows me to access the advance
capabilities of my printer.
It allows me among other things to renew the selfsigned cert!
To me, this is build-in! ;^)
I did finally find it.

Networking -> Certificates -> Configure

That gives me several options. I then selected "Create a New
Self-Signed Certificate". That updated the certificate. I now cannot
print on that printer, even after cycling power. If I print over the USB
interface, I hear it spin its wheels, but nothing is printed. I tried
deleting and re-installing it. No go.

Or I could select "Create a Certificate Request" and hit Next. I filled
in the details, hit Next. No complaints from the printer. I then used
copy and paste to save off the cert request. This is a good thing,
because when I hit "Save" I got several requests for Username and
Password in a row. I gave up after the 5th such request.

I'm rather frustrated and annoyed.
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
john doe
2024-09-22 19:40:02 UTC
Permalink
Post by Charles Curley
On Sun, 22 Sep 2024 18:02:30 +0200
Post by john doe
Post by Charles Curley
Post by john doe
Even if you upgrade the FW?
I tried upgrading the firmware. I have the latest available,
20201215.
I also have a HP.
After entering credentials it allows me to access the advance
capabilities of my printer.
It allows me among other things to renew the selfsigned cert!
To me, this is build-in! ;^)
I did finally find it.
Networking -> Certificates -> Configure
That gives me several options. I then selected "Create a New
Self-Signed Certificate". That updated the certificate. I now cannot
print on that printer, even after cycling power.
Do you realy need SSL/TLS for a printer, if your network is secured.
Post by Charles Curley
If I print over the USB
interface, I hear it spin its wheels, but nothing is printed. I tried
deleting and re-installing it. No go.
Or I could select "Create a Certificate Request" and hit Next. I filled
in the details, hit Next. No complaints from the printer. I then used
copy and paste to save off the cert request. This is a good thing,
because when I hit "Save" I got several requests for Username and
Password in a row. I gave up after the 5th such request.
I'm rather frustrated and annoyed.
A wild guess, would be that the default cert was signed by a trusted CA,
which could explain why it was working out of the box! ;^)

You could use Letsencrypt to sign your CSR, assuming that you can upload
your signed cert to the printer.

I can access my printer via telnet, which is, sometime less frustrating! ;^)

Good luck I guess!

--
John Doe
Jeffrey Walton
2024-09-22 22:00:01 UTC
Permalink
On Sun, Sep 22, 2024 at 3:02 PM Charles Curley
Post by Charles Curley
On Sun, 22 Sep 2024 18:02:30 +0200
Post by john doe
Post by Charles Curley
Post by john doe
Even if you upgrade the FW?
I tried upgrading the firmware. I have the latest available, 20201215.
I also have a HP.
After entering credentials it allows me to access the advance
capabilities of my printer.
It allows me among other things to renew the selfsigned cert!
To me, this is build-in! ;^)
I did finally find it.
Networking -> Certificates -> Configure
Interesting. Previously you said, "Nope. There is no certificate
generator on the printer [web admin page],.."
Post by Charles Curley
That gives me several options. I then selected "Create a New
Self-Signed Certificate". That updated the certificate. I now cannot
print on that printer, even after cycling power. If I print over the USB
interface, I hear it spin its wheels, but nothing is printed. I tried
deleting and re-installing it. No go.
Use IPP printing. The connection on your workstation will be something
like <ipp://colorlaserjet.home.arpa>.
Post by Charles Curley
Or I could select "Create a Certificate Request" and hit Next. I filled
in the details, hit Next. No complaints from the printer. I then used
copy and paste to save off the cert request. This is a good thing,
because when I hit "Save" I got several requests for Username and
Password in a row. I gave up after the 5th such request.
Jeff
Charles Curley
2024-09-23 02:00:01 UTC
Permalink
On Sun, 22 Sep 2024 17:56:56 -0400
Post by Jeffrey Walton
Post by Charles Curley
Networking -> Certificates -> Configure
Interesting. Previously you said, "Nope. There is no certificate
generator on the printer [web admin page],.."
Yes, I did. I don't know why I didn't try the Configure button.

One reason I described the path to the correct place above is that the
various pages I found in HP's mess of documentation all provided
different paths, none of which were this one.
Post by Jeffrey Walton
Use IPP printing. The connection on your workstation will be something
like <ipp://colorlaserjet.home.arpa>.
That is indeed the approach I am now taking.
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Charles Curley
2024-09-23 02:10:01 UTC
Permalink
On Sun, 22 Sep 2024 13:02:26 -0600
Post by Charles Curley
If I print over the USB
interface, I hear it spin its wheels, but nothing is printed. I tried
deleting and re-installing it. No go.
I finally solved that one. I changed the driver for the printer. It
used to work correctly.

In other news, I finally got printing from another machine running.
I use IPP to the desktop (which has the printer on a USB cable). This
involved opening both IPP and IPP-client in the firewalls of both the
server and the client. The two printers that magically appear thanks to
Avahi/Bonjour are still useless.

None of these solutions involve using the cert. That does affect the
embedded web server. Since it is self-signed, I still have to jump
through a hoop to get to it. Sigh.
--
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/
Jeffrey Walton
2024-09-23 03:30:01 UTC
Permalink
On Sun, Sep 22, 2024 at 10:03 PM Charles Curley
Post by Charles Curley
On Sun, 22 Sep 2024 13:02:26 -0600
Post by Charles Curley
If I print over the USB
interface, I hear it spin its wheels, but nothing is printed. I tried
deleting and re-installing it. No go.
I finally solved that one. I changed the driver for the printer. It
used to work correctly.
In other news, I finally got printing from another machine running.
I use IPP to the desktop (which has the printer on a USB cable). This
involved opening both IPP and IPP-client in the firewalls of both the
server and the client. The two printers that magically appear thanks to
Avahi/Bonjour are still useless.
I disable most print services, like Bonjour and 9100 printing. I run
my own DNS locally, and it is the source of truth for my network. In
fact, I remove the packages that provide services like Bonjour and
mDNS (when I can). Here's what my Network Config page looks like:
<https://ibb.co/1qg2HX7>.
Post by Charles Curley
None of these solutions involve using the cert. That does affect the
embedded web server. Since it is self-signed, I still have to jump
through a hoop to get to it. Sigh.
You can install a self-signed certificate in your browser's
certificate store, and you will not have to deal with the prompts.

Jeff

Max Nikulin
2024-09-23 02:20:01 UTC
Permalink
Post by Charles Curley
Networking -> Certificates -> Configure
That gives me several options. I then selected "Create a New
Self-Signed Certificate". That updated the certificate. I now cannot
print on that printer,
It is expected. Why your system should trust some new (and thus unknown)
certificate having unclear origin?
Post by Charles Curley
Or I could select "Create a Certificate Request" and hit Next.
This option is for admins running local Certificate Authority.
Certificate request must be signed by some Certificate Authority and you
need to have the root certificate of that Certificate Authority
installed on your machine.
Post by Charles Curley
I'm rather frustrated and annoyed.
Seek for CUPS docs how to install a self-signed certificate that you may
obtain from your printer.

For system-wide certificate management see
/usr/share/doc/ca-certificates/README.Debian

Perhaps you might disable TLS in your printer configuration, but I have
no idea what degree of security you wish to have.
Loading...