Install Security Certificates
- Product support for
- AltaLink B8145 / B8155 / B8170 Multifunction Printer
- Article ID
- KB0029015
- Published
- 2021-11-01
Note: You should be a System Administrator to perform this solution as it requires knowledge of and access to your network servers.
Read the Security Certificate Overview section before attempting to configure a certificate then select the required section(s).
Install the Device Root Certificate Authority onto a Personal Computer
Install the Device Root Certificate Authority onto Multiple Computers or Servers
Security Certificate Overview
A digital certificate is a file that contains data used to verify the identity of the client or server in a network transaction. A certificate also contains a public key used to create and verify digital signatures. To prove identity to another device, a device presents a certificate trusted by the other device. The device can also present a certificate signed by a trusted third party and a digital signature proving that it owns the certificate.
A digital certificate includes the following data:
Information about the owner of the certificate
The certificate serial number and expiration date
The name and digital signature of the certificate authority (CA) that issued the certificate
A public key
A purpose defining how the certificate and public key can be used
There are four types of certificates:
A Device Certificate is a certificate for which the printer has a private key. The purpose specified in the certificate allows it to be used to prove identity.
A CA Certificate is a certificate with authority to sign other certificates.
A Trusted Certificate is a self-signed certificate from another device that you want to trust.
A domain controller certificate is a self-signed certificate for a domain controller in your network. Domain controller certificates are used to verify the identity of a user when the user logs in to the printer using a Smart Card.
Install Certificates
To ensure that the printer can communicate with other devices over a secure trusted connection, both devices must have specific certificates installed.
For protocols such as HTTPS, the printer is the server, and must prove its identity to the client Web browser. For protocols such as 802.1X, the printer is the client, and must prove its identity to the authentication server, typically a RADIUS server.
For features that use these protocols, perform the following tasks:
Install a device certificate on the printer.
Note: When the printer uses HTTPS, a Xerox Device Certificate is created and installed on the printer automatically.Install a copy of the CA certificate that was used to sign the device certificate of the printer on the other device.
Protocols such as LDAP and IPsec require both devices to prove their identity to each other.
For features that use these protocols, perform the tasks listed under one of the following options:
To install certificates, option 1:
Install a device certificate on the printer.
Install a copy of the CA certificate that was used to sign the device certificate of the printer on the other device.
Install a copy of the CA certificate that was used to sign the certificate of the other device on the printer.
To install certificates, option 2:
If the other device is using a self-signed certificate, install a copy of the trusted certificate of the other device on the printer.
Create and Install a Xerox Device Certificate
If you do not have a server functioning as a certificate authority, install a Xerox Device Certificate on the printer. When you create a Xerox Device Certificate, the printer generates a certificate, signs it, and creates a public key used in SSL encryption.
After you install a Xerox Device Certificate on the printer, install the Device Root Certificate Authority in any device that communicates with the printer. Examples of other devices include client Web browsers for HTTPS or a RADIUS authentication server for 802.1X.
When the Device Root Certificate Authority is installed:
Users can access the printer using the Embedded Web Server
Certificate warning messages do not appear
Note: Creating a Xerox Device Certificate is less secure than creating a certificate signed by a trusted certificate authority.
Access the Embedded Web Server and login as a System Administrator.
In the Embedded Web Server, click Properties > Security.
Click Certificates > Security Certificates.
Click the Xerox Device Certificate tab.
Select Create New Xerox Device Certificate.
Complete the fields for 2 Letter Country Code, State/Province Name, Locality Name, Organization Name, Organization Unit, Common Name, and Email Address.
For MS Universal Principal Name, type a user name as needed.
Note: The MS Universal Principal Name is required when using 802.1X EAP-TLS for Windows clients or servers.Type the number of days of validityComplete the form with the requested information.
Click Finish.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Install the Device Root Certificate Authority:
If the device uses the Xerox Device Certificate, and users attempt to access the device using the Embedded Web Server, an error message can appear in their Web browser. To ensure that error messages do not appear, in the Web browsers of all users, install the Device Root Certificate Authority.
Note: Each browser provides a method of temporarily overriding the untrusted certificate warning when connecting to a Xerox device Web page. This exception process may not work in some browsers when using the Remote Control Panel. The browser may appear unable to connect to the Remote Control Panel for the device. Some browsers can fail to connect to the device Remote Control Panel. To resolve this issue, install the device certificate.
Install the Device Root Certificate Authority onto a Personal Computer
In the Embedded Web Server, click Properties > Security.
Click Certificates.
Click Security Certificates.
To save the file to your computer, click Download the Device Root Certificate Authority.
Install the file in your Web browser certificate store location. For details, refer to your Web browser help.
Note:Windows users: Install the certificate in each browser that is used to connect to a Xerox device.
Mac users: Install the certificate using the KeyChain application.
You can download the Device Root Certificate Authority from the HTTP page at Properties > Connectivity > Protocols > HTTP.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Install the Device Root Certificate Authority onto Multiple Computers or Servers
To install a Device Root Certificate Authority to multiple computers using an application:
Contact your IT department about the method for updating multiple browsers or operating systems simultaneously.
Download the Device Root Certificate Authority from the Security Certificates page in the Embedded Web Server.
In the Embedded Web Server, click Properties > Security.
Click Certificates.
Click Security Certificates.
Click Download the Device Root Certificate Authority.
Send the certificate to your IT department for distribution.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Configure a Chain Of Trust for an Organization
Contact your IT department about the method for obtaining a Certificate Signing Request (CSR). A CSR is needed for each device that is signed by the root certificate for your organization.
Download aCSR from the Security Certificates page in the Embedded Web Server.
In the Embedded Web Server, click Properties > Security.
Click Certificates.
Click Security Certificates.
Click Create Certificate Signing Request (CSR).
On the Create Certificate Signing Request (CSR) page, type information and make selections, as needed.
Click Finish.
Process the CSR using the certificate signing server for your IT department.
Install the resulting signed device certificate onto each Xerox device.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Create a Certificate Signing Request
If you do not install a Xerox Device Certificate, you can install a CA-signed device certificate. Create a Certificate Signing Request (CSR), and send it to a CA or a local server functioning as a CA to sign the CSR. An example of a server functioning as a certificate authority is Windows Server 2008 running Certificate Services. When the CA returns the signed certificate, install it on the printer.
In the Embedded Web Server, click Properties > Security.
Click Certificates > Security Certificates.
Click the CA-Signed Device Certificate(s) tab.
Select Create Certificate Signing Request (CSR).
Complete the form with your 2-Letter Country Code, State/Province Name, Locality Name, Organization Name, Organization Unit, and Email Address.
For MS Universal Principal Name, type a user name as needed.
Note: The MS Universal Principal Name is required when using 802.1X EAP-TLS for Windows clients or servers.For Key Algorithm, select an option.
Click Finish.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Upload a CA-Signed Device Certificate
In the Embedded Web Server, click Properties > Security.
Click Certificates.
Click Security Certificates.
Click the CA-Signed Device Certificate(s) tab.
Select Install Certificate.
Click Browse or Choose File, then navigate to the signed certificate in .pem or PKCS#12 format.
Click Open or Choose.
Click Next.
If the certificate is password protected, type the password, then retype it to verify.
To help identify the certificate in the future, type a Friendly Name.
Click Next.
Note:The signed certificate can match a pending CSR created by the device.
The signed certificate can be a PKCS#12 certificate generated by a Certificate Authority.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Install Root Certificates
You can install the certificates for the root certificate authority and any intermediate certificate authorities for your company. You can install the self-signed certificates from any other devices on your network.
Supported certificate encodings and typical file extensions include:
Distinguished Encoding Rules (.cer, .crt, .der)
Privacy Enhanced Mode/Base64 (.pem)
PKCS#7 (.p7b)
PKCS#12 (.pfx, .p12)
Note: To import a CA-Signed Device Certificate, use the PKCS#12 format.
To install a root certificate:
In the Embedded Web Server, click Properties > Security.
Click Certificates.
Click Security Certificates.
Click the Root/Intermediate Trusted Certificate(s) tab.
Click Install Certificate.
Click Browse or Choose File, then navigate to a signed certificate file.
Click Open or Choose.
Click Next.
To help identify the certificate in the future, type a Friendly Name.
Click Next. The digital certificate appears in the list of Installed certificates.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
Install Domain Controller Certificates
You can install the self-signed certificates from any domain controllers on your network.
Supported certificate encodings and typical file extensions include:
Distinguished Encoding Rules (.cer, .crt, .der)
Privacy Enhanced Mode/Base64 (.pem)
PKCS#12 (.pfx, .p12)
Note: To import a CA-Signed Device Certificate, use the PKCS#12 format.
To install a domain controller certificate:
In the Embedded Web Server, click Properties > Security.
Click Certificates.
Click Security Certificates.
Click the Domain Controller Certificate(s) tab.
Click Install Certificate.
Click Browse or Choose File, then navigate to a signed certificate file.
Click Open or Choose.
Click Next.
To help identify the certificate in the future, type a Friendly Name.
Click Next. The digital certificate appears in the list of Installed certificates.
Continue with the next section if required. When you have finished, logout of System Administrator mode.
View, Save, or Delete a Certificate
Use the View/Save Certificates page to view or save security certificates that are installed on your Xerox device. To help prevent certificate errors and warnings, review certificate properties for accuracy. Some common property attributes include the following:
Chain of trust: To determine the CA that can establish a chain of trust for the certificate, view the issuer information.
Validity date: To ensure that the certificate is not expired, or otherwise outside of the validity date range, verify the validity dates.
Name and IP addresses: To ensure that the name and IP addresses correspond to the expected values, verify the details for Subject and Subject Alternative Name.
Security attributes: To ensure that the certificate meets the security requirements for its intended use, verify the details for Signature Algorithm and Subject Public Key Info.
Certificate purpose and usage: To ensure that the potential uses of the certificate can be supported, verify the details for Key Usage and Extended Key Usage.
To view, save, or delete a certificate, do the following:
On the Security Certificates page, click a certificate type tab.
To view or save a certificate, for Action, click View/Export. Certificate details appear on the View/Save Certificate page.
To save the certificate file to your computer, click Export (Base-64 encoded-PEM).
To return to the Security Certificates page, click Close.
To delete a certificate, next to the certificate name, select the check box, then click Delete Selected.
Note: You cannot delete the Default Xerox Device Certificate.
If the device uses the Xerox Device Certificate, and users attempt to access the device using the Embedded Web Server, an error message can appear in their Web browser. To ensure that error messages do not appear, in the Web browsers for all users, install the Device Root Certificate Authority.
Specify the Minimum Certificate Key Length
All RSA and ECDSA certificates that your Xerox device uses for encryption need to meet the minimum key-length requirements for the device.
Note: The Elliptic Curve Data Signature Algorithm (ECDSA) and RSA are independent algorithms used in encryption. If you install a certificate that uses ECDSA, it is validated against the ECDSA key-length requirements. If you install a certificate that uses RSA, it is validated against the RSA key-length requirements.
The minimum key lengths apply to the following certificates:
Existing security certificates installed on your device. For details, refer to Security Certificates.
Security certificates imported to your device at a future time.
Security certificates that originate from other sources. For example, certificates used by smart card and email encryption.
Notes:
When you import new certificates to your device, the certificate key lengths are validated against the minimum requirements. Certificates with key lengths that are less than the minimum key-length requirements are not installed.
If you attempt to change a minimum key-length setting to a value that invalidates an installed certificate, the change is rejected.
Before you change the key-length setting, remove any noncompliant certificates.
To set certificate key lengths:
In the Embedded Web Server, click Properties > Security.
Click Certificates > Certificate Key Length.
For Minimum RSA Encryption Key Length, select an option:
No Minimum
1024-bit
2048-bit*: This option is the default setting. This setting is FIPS with Common Criteria compliant.
4096-bit
Note: If FIPS with Common Criteria compliance is enabled completely, options less than 2048 bits are not available.
For Minimum ECDSA Encryption Key Length, select 256-bit* or 384-bit*. The default setting is 256-bit*. Both settings are FIPS with Common Criteria compliant.
Click Apply.
