
Install, Save or Delete a Security Certificate

Product support for
AltaLink B8045 / B8055 / B8065 / B8075 / B8090 Multifunction Printer
Article ID
KB0026989
Published
2019-11-05

NOTE: You should be a System Administrator to perform this solution as it requires knowledge of and access to your network servers.  

Read the Security Certificate Overview section before attempting to configure a certificate, then select the required section(s).

  

Security Certificate Overview

Install Certificates

Create and Install a Xerox Device Certificate

Install the Device Root Certificate Authority

Install the Device Root Certificate Authority onto a Personal Computer

Install the Device Root Certificate Authority onto Multiple Computers or Servers

Configure a Chain Of Trust for an Organization

Create a Certificate Signing Request

Upload a CA-Signed Device Certificate

Install Root Certificates

Install Domain Controller Certificates

View, Save, or Delete a Certificate

Specify the Minimum Certificate Key Length

Security Certificate Overview

A digital certificate is a file that contains data used to verify the identity of the client or server in a network transaction. A certificate also contains a public key used to create and verify digital signatures. To prove identity to another device, a device presents a certificate trusted by the other device. The device can also present a certificate signed by a trusted third party and a digital signature proving that it owns the certificate.

A digital certificate includes the following data:

  • Information about the owner of the certificate

  • The certificate serial number and expiration date

  • The name and digital signature of the certificate authority (CA) that issued the certificate

  • A public key

  • A purpose defining how the certificate and public key can be used

There are four types of certificates:

  • A Device Certificate is a certificate for which the printer has a private key. The purpose specified in the certificate allows it to be used to prove identity.

  • A CA Certificate is a certificate with authority to sign other certificates.

  • A Trusted Certificate is a self-signed certificate from another device that you want to trust.

  • A Domain Controller Certificate is a self-signed certificate for a domain controller in your network. Domain controller certificates are used to verify the identity of a user when the user logs in to the printer using a Smart Card.


Install Certificates:

To ensure that the printer can communicate with other devices over a secure trusted connection, both devices must have specific certificates installed.

For protocols such as HTTPS, the printer is the server, and must prove its identity to the client Web browser. For protocols such as 802.1X, the printer is the client, and must prove its identity to the authentication server, typically a RADIUS server.

For features that use these protocols, perform the following tasks:

  • Install a device certificate on the printer. 

    Note: When the printer uses HTTPS, a Xerox Device Certificate is created and installed on the printer automatically.

  • Install a copy of the CA certificate that was used to sign the device certificate of the printer on the other device.

Protocols such as LDAP and IPsec require both devices to prove their identity to each other.

For features that use these protocols, perform the tasks listed under one of the following options:

To install certificates, option 1:

  • Install a device certificate on the printer.

  • Install a copy of the CA certificate that was used to sign the device certificate of the printer on the other device.

  • Install a copy of the CA certificate that was used to sign the certificate of the other device on the printer.

To install certificates, option 2:

If the other device is using a self-signed certificate, install a copy of the trusted certificate of the other device on the printer.


Create and Install a Xerox Device Certificate:

If you do not have a server functioning as a certificate authority, install a Xerox Device Certificate on the printer. When you create a Xerox Device Certificate, the printer generates a certificate, signs it, and creates a public key used in SSL encryption. After you install a Xerox Device Certificate on the printer, install the Device Root Certificate Authority in any device that communicates with the printer. Examples of other devices include client Web browsers for HTTPS or a RADIUS authentication server for 802.1X.

When the Device Root Certificate Authority is installed:

  • Users can access the printer using the Embedded Web Server

  • Certificate warning messages do not appear 

    Note: Creating a Xerox Device Certificate is less secure than creating a certificate signed by a trusted certificate authority.

  1. Login as System Administrator in the Embedded Web Server. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates.

  4. Click Security Certificates.

  5. Click the Xerox Device Certificate tab.

  6. Select Create New Xerox Device Certificate.

  7. Complete the form with the requested information.

  8. Click Finish.

  9. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.


Install the Device Root Certificate Authority:

If the device uses the Xerox Device Certificate, and users attempt to access the device using the Embedded Web Server, an error message can appear in their Web browser. To ensure that error messages do not appear, in the Web browsers of all users, install the Device Root Certificate Authority.

Note: Each browser provides a method of temporarily overriding the untrusted certificate warning when connecting to a Xerox device Web page. This exception process may not work in some browsers when using the Remote Control Panel: the browser may appear unable to connect to the Remote Control Panel for the device. To resolve this issue, install the device certificate.


Install the Device Root Certificate Authority onto a Personal Computer:

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates.

  4. Click Security Certificates.

  5. To save the file to your computer, click Download the Device Root Certificate Authority.

  6. Install the file in your Web browser certificate store location. For details, refer to your Web browser help.  

    Note:

    • Windows users: Install the certificate in each browser that is used to connect to a Xerox device.

    • Mac users: Install the certificate using the KeyChain application.

    • You can download the Device Root Certificate Authority from the HTTP page at Properties > Connectivity > Protocols > HTTP.

  7. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.


Install the Device Root Certificate Authority onto Multiple Computers or Servers:

To install a Device Root Certificate Authority to multiple computers using an application:

  1. Contact your IT department about the method for updating multiple browsers or operating systems simultaneously.

  2. Download the Device Root Certificate Authority from the Security Certificates page in the Embedded Web Server.

    1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

    2. In the Embedded Web Server, click Properties > Security.

    3. Click Certificates.

    4. Click Security Certificates.

    5. Click Download the Device Root Certificate Authority.

    6. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.

  3. Send the certificate to your IT department for distribution.


Configure a Chain Of Trust for an Organization:

  1. Contact your IT department about the method for obtaining a Certificate Signing Request (CSR). A CSR is needed for each device that is signed by the root certificate for your organization.

  2. Download a CSR from the Security Certificates page in the Embedded Web Server.

    1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

    2. In the Embedded Web Server, click Properties > Security.

    3. Click Certificates.

    4. Click Security Certificates.

    5. Click Create Certificate Signing Request (CSR).

    6. On the Create Certificate Signing Request (CSR) page, type information and make selections, as needed.

    7. Click Finish.

    8. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.

  3. Process the CSR using the certificate signing server for your IT department.

  4. Install the resulting signed device certificate onto each Xerox device.


Create a Certificate Signing Request:

If you do not install a Xerox Device Certificate, you can install a CA-signed device certificate. Create a Certificate Signing Request (CSR), and send it to a CA or a local server functioning as a CA to sign the CSR. An example of a server functioning as a certificate authority is Windows Server 2008 running Certificate Services. When the CA returns the signed certificate, install it on the printer.

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates.

  4. Click Security Certificates.

  5. Click the CA-Signed Device Certificate(s) tab.

  6. Select Create Certificate Signing Request (CSR).

  7. Complete the form with your 2-Letter Country Code, State/Province Name, Locality Name, Organization Name, Organization Unit, and Email Address.

  8. Select Subject Alternative Name if applicable, then type the MS Universal Principal Name.

    Note: The Subject Alternative Name is only required when using 802.1X EAP-TLS for Windows clients or servers.

  9. Click Finish.

  10. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.


Upload a CA-Signed Device Certificate:

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates.

  4. Click Security Certificates.

  5. Click the CA-Signed Device Certificate(s) tab.

  6. Select Install Certificate.

  7. Click Browse or Choose File, then navigate to the signed certificate in .pem or PKCS#12 format.

  8. Click Open or Choose.

  9. Click Next.

  10. If the certificate is password protected, type the password, then retype it to verify.

  11. To help identify the certificate in the future, type a Friendly Name.

  12. Click Next.

    Note:

    • The signed certificate can match a pending CSR created by the device.

    • The signed certificate can be a PKCS#12 certificate generated by a Certificate Authority.



  13. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.
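
Added example (not part of the Xerox article): before uploading in step 7, an administrator can confirm on a workstation that the signed certificate carries the same public key as the CSR it answers and that it verifies against the organization's root. The function names and file names are assumptions, and the CA, CSR and certificates are constructed test data generated with the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Xerox article). Requires the openssl CLI.

# Succeeds when the certificate carries the same public key as the CSR.
cert_matches_csr() {  # usage: cert_matches_csr CERT.pem REQUEST.csr
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    csr_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$cert_key" = "$csr_key" ]
}

# Succeeds when the certificate verifies against the given root CA file.
cert_chains_to() {  # usage: cert_chains_to CERT.pem ROOT.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed sample data: a test root CA, a device CSR signed by that CA,
# and an unrelated self-signed certificate. On a real printer the CSR is
# downloaded from the Embedded Web Server and the private key never leaves it.
make_samples() {  # usage: make_samples DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=printer.example.test" \
        -keyout "$d/dev.key" -out "$d/dev.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/dev.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/dev.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other.example.test" \
        -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Demonstration on the constructed files.
tmp=$(mktemp -d) && make_samples "$tmp" || exit 1
cert_matches_csr "$tmp/dev.pem" "$tmp/dev.csr" && echo "dev.pem answers dev.csr"
cert_chains_to "$tmp/dev.pem" "$tmp/ca.pem" && echo "dev.pem chains to ca.pem"
cert_matches_csr "$tmp/other.pem" "$tmp/dev.csr" || echo "other.pem does not answer dev.csr"
cert_chains_to "$tmp/other.pem" "$tmp/ca.pem" || echo "other.pem does not chain to ca.pem"
rm -rf "$tmp"
```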


Install Root Certificates:

You can install the certificates for the root certificate authority and any intermediate certificate authorities for your company. You can install the self-signed certificates from any other devices on your network.

Supported certificate encodings and typical file extensions include:

  • Distinguished Encoding Rules (.cer, .crt, .der)

  • Privacy Enhanced Mode/Base64 (.pem)

  • PKCS#7 (.p7b)

  • PKCS#12 (.pfx, .p12)

    Note: To import a CA-Signed Device Certificate, use the PKCS#12 format.

To install a root certificate:

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates.

  4. Click Security Certificates.

  5. Click the Root/Intermediate Trusted Certificate(s) tab.

  6. Click Install Certificate.

  7. Click Browse or Choose File, then navigate to a signed certificate file.

  8. Click Open or Choose.

  9. Click Next.

  10. To help identify the certificate in the future, type a Friendly Name.

  11. Click Next. The digital certificate appears in the list of Installed certificates.

  12. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.


Install Domain Controller Certificates:

You can install the self-signed certificates from any domain controllers on your network.

Supported certificate encodings and typical file extensions include:

  • Distinguished Encoding Rules (.cer, .crt, .der)

  • Privacy Enhanced Mode/Base64 (.pem)

  • PKCS#12 (.pfx, .p12)

    Note: To import a CA-Signed Device Certificate, use the PKCS#12 format.

To install a domain controller certificate:

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates.

  4. Click Security Certificates.

  5. Click the Domain Controller Certificate(s) tab.

  6. Click Install Certificate.

  7. Click Browse or Choose File, then navigate to a signed certificate file.

  8. Click Open or Choose.

  9. Click Next.

  10. To help identify the certificate in the future, type a Friendly Name.

  11. Click Next. The digital certificate appears in the list of Installed certificates.

  12. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.


View, Save, or Delete a Certificate:

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. On the Security Certificates page, click a certificate type tab.

  3. To view or save a certificate, for Action, click View/Export. Certificate details appear on the View/Save Certificate page.

  4. To save the certificate file to your computer, click Export (Base-64 encoded-PEM).

  5. To return to the Security Certificates page, click Close.

  6. To delete a certificate, next to the certificate name, select the check box, then click Delete Selected.

    Note: You cannot delete the Default Xerox Device Certificate.

  7. To delete all certificates except for the Default Xerox Device Certificate, click Reset to Machine/Device Factory Defaults.

  8. Continue with the next section if required. When you have finished, logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.


Specify the Minimum Certificate Key Length:

You can specify the minimum RSA encryption key length required for certificates. If a user attempts to upload a certificate that contains an RSA key that does not meet this requirement, a message appears. The message alerts the user that the certificate does not meet the key length requirement.

If you are using certificates with a smart card, ensure that the settings on the device do not cause issues with the smart card. For example, if your smart card uses 1024-bit RSA certificates, do not specify a minimum of 2048 on the device.

  1. Login as System Administrator in the Embedded Web Server, if necessary. For additional information, click on Access the Embedded Web Server as System Administrator.

  2. In the Embedded Web Server, click Properties > Security.

  3. Click Certificates > Certificate Key Length.

  4. For Minimum RSA Encryption Key Length, select 1024-bit minimum, 2048-bit minimum, or No Minimum.

  5. Click Apply.

  6. Logout of System Administrator mode. For additional information, click on Access the Embedded Web Server as System Administrator.
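
Added example (not part of the Xerox article): a workstation-side check that reads the RSA key size from a PEM or DER certificate, so certificates such as the 1024-bit smart card case above can be audited before the minimum is raised. The function names and file names are assumptions, and the certificates are constructed test data generated with the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Xerox article). Requires the openssl CLI.

# Print the RSA key size in bits of a PEM or DER certificate.
# Returns 1 if the file cannot be parsed or the key is not RSA.
rsa_bits() {  # usage: rsa_bits CERT_FILE
    text=$(openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null) ||
    text=$(openssl x509 -in "$1" -inform DER -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Succeeds when the certificate's RSA key is at least MIN_BITS long.
# Returns 2 when the key size cannot be determined.
meets_minimum() {  # usage: meets_minimum CERT_FILE MIN_BITS
    bits=$(rsa_bits "$1") || return 2
    [ -n "$bits" ] && [ "$bits" -ge "$2" ]
}

# Constructed sample data: one 1024-bit and one 2048-bit self-signed
# certificate, the latter also converted to DER encoding.
make_key_samples() {  # usage: make_key_samples DIR
    openssl req -x509 -newkey rsa:1024 -nodes -days 1 -subj "/CN=card.example.test" \
        -keyout "$1/k1024.key" -out "$1/c1024.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca.example.test" \
        -keyout "$1/k2048.key" -out "$1/c2048.pem" 2>/dev/null &&
    openssl x509 -in "$1/c2048.pem" -outform DER -out "$1/c2048.der"
}

# Demonstration: report each constructed certificate against a 2048-bit minimum.
tmp=$(mktemp -d) && make_key_samples "$tmp" || exit 1
for f in "$tmp/c1024.pem" "$tmp/c2048.pem" "$tmp/c2048.der"; do
    if meets_minimum "$f" 2048; then
        echo "${f##*/}: $(rsa_bits "$f") bits, accepted at 2048-bit minimum"
    else
        echo "${f##*/}: $(rsa_bits "$f") bits, rejected at 2048-bit minimum"
    fi
done
rm -rf "$tmp"
```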
