Cloud Inventory® Documentation

send feedback

❮ Previous Next ❯

Best practice for configuring EPP to run in secure mode within EPP

Prerequisite: EPP must be installed. For more information, refer to Install EPP on a Windows system or Install the EPP Bridge Application on a Linux machine.

To configure EPP to run in secure mode from inside the application, complete the following steps.

Log in to EPP and go to Admin > System Configuration > Certificate Management.
In the Certificate Management dialog, select the dsiprint certificate, and then select Remove Certificate.
In the Confirm Certificate Removal dialog, select Yes.
Go to the DSIPrint\bin directory, open certVars.bat and; in an editor, add applicable certificate values.

Step Information

Note:DSI does not provide certificate values. You must create certificate values applicable to your particular organization.
1. For SET DOMAIN, enter the domain you want the certificate to apply to.
  
  Example
  Example: SET DOMAIN=epp-user-test.eastus.cloudapp.azure.com
  
  Step Information
  
  Note:The domain must be the fully qualified domain name (FQDN) of the server.
2. For SET ORGANIZATIONAL_UNIT, enter the name of the organizational unit.
  
  Example
  Example: SET ORGANIZATIONAL_UNIT=IT
3. For SET ORGANIZATION, enter the name of the organization.
  
  Example
  Example: SET ORGANIZATION=DSI
4. For SET CITY, enter the name of the city where the organization is located.
  
  Example
  Example: SET CITY=Kansas City
5. For SET STATE_OR_PROVINCE, enter the state or province where the organization is located.
  
  Example
  Example: SET STATE_OR_PROVINCE=Missouri
6. For SET COUNTRY_CODE, enter the country where the organization is located.
  
  Example
  Example: SET COUNTRY_CODE=US
7. If you are attempting to run EPP on a Chrome browser, for SET SUBJECT_ALTERNATIVE_NAME, enter the subject alternative name for the domain.
  
  Example
  Example: SET SUBJECT_ALTERNATIVE_NAME=dns:epp-user-test.eastus.cloudapp.azure.com
  Note:This domain name must be the exact same as the value you entered in the SET DOMAIN field.
8. Select Save and close the editor.
From an Administrator command prompt, in DSIPrint\bin, run the addCertificate.bat script.
Expected Result
Results:
The certificate signing request (CSR) file is created. Example: DSIPrint\conf\certificates\certeq.csr

A 2048-bit RSA private key and a self-signed public key certificate are added with alias dsiprint.
Note:

The public key is certified by your certificate signing authority and the cert is loaded into EPP. The public key certificate is chained to the private key for the server.

These two keys are not stored in the file system. dsiprint appears in the Cert Management window in EPP and contains the appropriate time stamp.

EPP uses the certificate in the keystore to generate the Certificate Signing Request (CSR).
Go to DSIPrint\conf\certificates and copy the certreq.csr.
Send the certreq.csr file to your certificate authority (which can be internal or a third party, depending on your organization) and request a certificate and signed reply.
After you receive a p7b certificate file from your Certificate Authority, open the file, go to Certificates and extract each of the certificates that are chained together in the file.
For each certificate, right-click and select All Tasks > Export.
In the Certificate Export Wizard dialog, select Next and complete the following substeps.
1. Ensure DER encoded binary x.509 (.CER) is selected and select Next.
2. For File name, enter a name for the certificate you want to export.
  
  Step Information
  
  Note:Take note of the fully qualified path where the files are stored. This path is necessary for finding the files in the following steps.
3. Repeat these steps for each certificate you want to export.
4. Select Finish.
Optional. To verify the certificate is in the required DER format, or to convert a certificate to DER, use openssl to complete the following substeps.
1. Open a command prompt and change the directory to the location where the certificate can be found.
2. Run the openssl x509 -in nameOfRootCert.crt -inform der -text -noout and openssl x509 -in nameOfSigneReply.crt inform der-text -noout commands.
  
  Step Information
  
  Note:If the contents of the certificate are not written to the console, the certificate is not in DER format and must be converted to DER.
3. To convert certificates to DER format, run the following commands. openssl x509 -in nameOfRootCert.crt -inform pem -outform der -out nameOfRootCert-der.cer and openssl x509 -in gd_bundle-g2-g1.cer -inform pem -outform der -out gd bundle-g2-g1-der.cer commands.
4. To verify the converted files and output them to the console, run the openssl x509 -in nameOfRootCert.crt -inform der -text -noout and openssl x509 -in nameOfSigneReply.crt inform der-text -noout commands.
With all certificates in DER format, in EPP, go to Admin > System Config > Certificate Management.
Upload the root certificate with an alias that is not equal to dsiprint.

Example
Example: dsiprint-root.

Step Information

Important: The root certificate must contain the dsiprint prefix shown in the example. If the root certificate does not contain the prefix, the chain does not build correctly, and an error displays when you attempt to upload the signed reply.
If required, upload the intermediate certificate with an alias that is not equal to dsiprint or dsiprint-root.

Example
Example: dsiprint-interm.

Step Information

Important:The intermediate certificate must contain the dsiprint prefix shown in the example. If the intermediate certificate does not contain the prefix, the chain will not build correctly, and you will receive an error when you attempt to upload the signed reply.
Upload the signed certificate reply with an alias equal to dsiprint.
When you are prompted to confirm that you want to overwrite the existing certificate, select <Yes>.

Expected Result
Result: The key pair certificate and the signed certificate reply are chained together.
To verify that you are in secure mode, go to Admin > System Config > Web Server Settings and enable the HTTPS Port checkbox with the port number you selected during the installation procedure.

Step Information

Note:The default port number is 9443.
Log out of EPP and restart the EPP service.
Optional. If the browser does not trust your certificate, you can add certificates signed by your CA to the Certificate Manager for each browser. To add certificates to a browser, complete the following substeps.
1. In Chrome, go to Settings > Advanced > Manage Certificates, and add the certificate.
2. In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates > Authorities and import the certificate.
Go to the login page.

Expected Result
Result: The site immediately redirects to the HTTPS port and indicates that the site is secure.

There was a problem loading this topic

Enterprise Printing Platform

Best practice for configuring EPP to run in secure mode within EPP