solution Contentsolution Content

HP LaserJet Enterprise, HP PageWide Enterprise - Install, view, and manage certificates for whitelisting remote apps on the printer

Learn how to use the Embedded Web Server (EWS) to install, view, and manage certificates.

Install, view, and manage certificates to ensure data security

Learn how to install and configure security certificates.

Introduction

Use the Certificate Management page to manage certificates for identification of the printer on a network and to encrypt data used by the printer.

The printer comes with a self-signed identity certificate and a self-signed Certificate Authority (CA) certificate. The printer also comes with three Root CA Certificates from popular Certificate Authorities. These Root CA Certificates can be used to authenticate popular email services including Gmail, Yahoo, and MS Office 365.

Certificates are managed from the Security tab > Certificate Management page of the EWS. The Certificate Management page contains the following tabs:

Certificate tab – Use to import, view details, remove, export, and use for e-mailing signing with certificates
Certificate Validation tab – Use to disable or enable validation of Kerberos server certificates with either the OCSP or CDP validation

The printer supports the following import formats for certificates:

.DER (binary)
.CER (binary or Base64)
.PEM (Base64, installs single certificate)
.PFX (identity certificate)
.P7B (CA certificates only)

Create or install certificates

Learn how to create or install security certificates.

Create a new self-signed certificate

Use this feature to create a new, self-signed identity certificate for the printer. A self-signed identity certificate is installed on the printer by default for data-encryption purposes only. Self-signed identity certificates are not accepted for authentication since they are not issued by a trusted Certificate Authority (CA).

Note:

To create an identity certificate signed by a CA, see the following sections on creating a certificate signing request (CSR) and installing an identity certificate from a CSR.

Creating a new, self-signed certificate overwrites and replaces the existing self-signed certificate on the printer.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Click Create... in the Create New Self-Signed Certificate area.
Enter the identifying information for the printer in the Identifying Information area.
Select an encryption key length in the RSA Key Length: drop-down menu in the Key Options area.

Note:
If the Trusted Platform Module (TPM) is installed, the private key may be marked as exportable. However, if Mark private key as exportable is selected, the private key will not be generated on the TPM.
Select a signature algorithm from the Signature Algorithm drop-down menu in the Signature Algorithm area.
Enter the validity period for the certificate in the Certificate Validity area. The default validity period is five years from the system date at creation time.
Click OK to go to the new, self-signed certification confirmation page. To return to the main Certificates page without updating the current, signed certificate, click Cancel.

Create a certificate signing request

Use the following steps to create a certificate signing request.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Click Create... in the Create Certificate Signing Request area.
Enter the identifying information for the organization to which the certificate will be issued in the Identifying Information area.
Select an encryption key length for the requested certificate in the RSA Key Length: drop-down menu in the Key Options area.

Note:
If the Trusted Platform Module (TPM) is installed, the private key may be marked as exportable. However, if Mark private key as exportable is selected, the private key will not be generated on the TPM.
Select a signature algorithm for the requested certificate from the Signature Algorithm drop-down menu in the Signature Algorithm area.
Click OK to proceed to the Create Certificate Signing Request confirmation page.
Copy, or save to a file, the contents of the certificate signing request on the Create Certificate Signing Request confirmation page. The contents of the certificate signing request must be presented to a CA to complete the request process.

Install an identity certificate

Use this to install an identity certificate created from a CSR.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select Install Identity Certificate from CSR.
Click Browse next to the Choose File field.
Locate the certificate for import, and then click Open.
Click Install.

Import an identity certificate

Use the following steps to import an identity certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select Import Identity Certificate with Private Key.

Note:
If Trusted Platform Module (TPM) is installed, HP recommends creating and using a certificate signed by a CA.
Click Browse next to the Choose File field.
Locate the certificate for import, and then click Open.
Click Install.

Install a certificate

Use the following steps to install a certificate.

In the left navigation pane, click Certificate Management.
Click Browse next to the Choose File field.
Locate the certificate for import, and then click Open.

Note:
Identity type certificates, as well as Certificate Authority type certificates, are valid types for importation and use with this printer.
If the certificate has a private key (for example, a .pfx file), enter the password for the certificate in the Certificate Password field. Use the same password used to encrypt the private key.
Click Import.

Configure the certificate validation settings

Use the following information to configure the certificate validation settings in the EWS.

Configure OCSP certificate validation

Use the following steps to set up OCSP certificate validation.

Note:

Certificates might need to be installed in the Certificates tab for the OCSP servers.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Click the Certificate Validation tab of the Certificate Management page.
Select the Perform OCSP Validation on the certificate trust chain option on the Certificate Validation tab.
Enter a URL for an OCSP server, and then click Add.

Note:
Multiple OCSP servers can be added for certificate validation. The URLs for the OCSP server(s) might be fully-qualified domain names or IP addresses.
Select the Treat Unknown certificate status as valid check box, if necessary.
Click Apply to save the settings.

Configure CDP certificate validation

Use the following steps to configure CDP certificate validation.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Click the Certificate Validation tab of the Certificate Management page.
Select the Perform CDP Validation on the certificate trust chain option on the Certificate Validation.
Click Apply to save the settings.

Manage security certificates

Use the following information to manage security certificates using the EWS.

Introduction

Use the Certificate Management page to manage certificates for identification of the printer on a network and to encrypt data used by the printer.

Certificates are managed from the Security tab > Certificate Management page of the EWS. The Certificate Management page contains the following tabs:

Certificate tab – Use to import, view details, remove, export, and use for e-mailing signing with certificates
Certificate Validation tab – Use to disable or enable validation of Kerberos server certificates with either the OCSP or CDP validation

The printer supports the following import formats for certificates:

.DER (binary)
.CER (binary or Base64)
.PEM (Base64, installs single certificate)
.PFX (identity certificate)
.P7B (CA certificates only)

Manage the installed security certificates

Refer to the following information to manage the installed security certificates using the EWS.

Note:

The following procedures may also be performed from the Authorization page of the Networking tab.

View the details of a certificate

Use the following steps to view the details of a certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select a certificate from the Certificates area.
Click View Details.

Remove a certificate

Use the following steps to remove a certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select a certificate from the Certificates area.
Click Remove....
Confirm the removal operation in the warning dialog box that displays.

Export a certificate

Use the following steps to export an identity certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select a certificate from the Certificates area.
Click Export... .

When exporting an identity certificate on printers with firmware earlier than v23.4 using the Security > Certificate Management area, only the public key is exported. A private key can be exported with a certificate on printers with firmware earlier than v23.4 from the Networking > Authorization area.

When exporting an identity certificate on printers with firmware v23.4 or later, note the following:

Only the public key can be exported for TPM-protected private keys.
Private keys (for identity certificates) marked as exportable during import or generation require a password to be set when exporting.

Use a certificate for email and network identity

Use the following steps to use a certificate for email signing.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select the certificate from the Certificates area.
Click Use for E-mail Signing.

Note:
If Use for E-mail Signing is grayed out, the selected certificate cannot be used for email signing or is already selected for email signing.

Manage the installed remote app certificates

Learn how to manage the installed remote app certificates.

The Manage Remote Apps page is available only for printers that have FutureSmart 4 with firmware version 4.5 or later. Use the Manage Remote Apps page to install and manage the certificates for the remote apps that are available on mobile devices. When a certificate is installed, the remote app is added to a whitelist that allows it to be used on the printer.

The printer supports the following import formats for certificates:

.DER (binary)
.CER (binary or Base64)
.PEM (Base64, installs single certificate)

View the details of a remote app certificate

Use the following steps to view the details of a remote app certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Manage Remote Apps.
Select a certificate from the Registered Remote App Certificates area.
Click View Details.

Remove a certificate

Use the following steps to remove a certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Manage Remote Apps.
Select a certificate from the Registered Remote App Certificates area.
Click Remove....
Confirm the removal operation in the Confirmation Page that appears by clicking the Delete button.

Export a certificate

Use the following steps to export a certificate.

Using the top navigation tabs, click Security.
In the left navigation pane, click Certificate Management.
Select a certificate from the Registered Remote App Certificates area.
Click Export....

Additional support options

Try one of our automated tools or diagnostics

Ask a question on our HP Support Community page

Get in touch with one of our support agents

Enter a topic to search our knowledge library

What can we help you with?

Need Help?