In this guide, we'll go through the process of importing an existing OpenSSL-based certificate, consisting of a certificate file .cer (Security Certificate) and a private key file .key (KEY File), into EveryonePrint.
Resolution:
The process consists of 3 steps:
- Import chain certificates
- Create the new Keystore
- Test the SSL connectivity
1. Import Chain Certificates
Double-click the .cer file and confirm the chain of certificates all the way from the root to the end certificate. The certificate status must say "This certificate is OK".
In order to import the chain of certificates into an SSL keystore for use in EveryonePrint, each certificate in the chain must be saved to a file.
Select the root certificate, click View Certificate, Details, and Copy to File.
Choose the format Base-64 encoded X.509 (.CER).
And save this top certificate as cert-1.cer.
Repeat this for the other intermediate certificates in the chain.
Save as cert-2, cert-3 and so on.
Since the end certificate is already a .cer file, there is no need to copy it to a file.
In this example, we'll end up with 4 separate .cer files and the .key file.
2. Create the New Keystore
Open Keystore Explorer and create a new Keystore file of the JKS type.
Choose to first Import Key Pair and choose the type OpenSSL.
The key in this case is unencrypted, so no key decryption password is needed. Most often, however, private keys are encrypted and password protected.
Choose the original .key and .cer file of the end certificate.
Enter an alias that matches the "common name" or fully qualified domain name of the certificate.
Enter a key password of your choice (this is used later when adding keystore to EveryonePrint).
Right-click the certificate entry and choose Append to Certificate Chain.
Now we'll append all the previously saved certificates, starting from the "bottom" and working all the way up to the root, i.e. start with cert-3.cer and append each one up to cert-1.cer.
When all intermediate and root certificate files have been appended, right-click the certificate and choose View Details -> Certificate Chain Details.
Confirm that the chain is established and is identical to the chain of the original certificate when opened directly in Windows.
When ready, save the keystore, and enter a keystore password. In this example, the password "password" was chosen for both the private key and keystore password.
Save the keystore file to the EveryonePrint etc folder, by default in: C:\Program Files (x86)\EveryonePrint\etc\.
In the \etc folder, open the file called jetty-ssl.xml and change the keystore entries to use our new keystore file, and enter passwords in 3 places.
While we're here, we're also changing from the default 9443 port to standard https port 443, so end users can enter a URL in their browser without specifying the port.
3. Test the SSL Connectivity
Now you should be able to confirm the working certificate in the browser.
If the Web interface is inaccessible, any Web server-related errors are logged to the file:
C:\Program Files (x86)\EveryonePrint\logs\eopwebservice.log
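The browser check in step 3 can also be done from PowerShell, which prints the chain so it can be compared with the one confirmed in step 1. This is an added example, not part of the EveryonePrint documentation; the host name print.example.com is a placeholder assumption, and the port and log path are the ones used in this guide.

```powershell
# Added example: inspect the certificate chain served after the keystore change.
$HostName = 'print.example.com'   # placeholder (assumption): FQDN used as the keystore alias
$Port     = 443                   # port configured in jetty-ssl.xml in this guide
$LogPath  = 'C:\Program Files (x86)\EveryonePrint\logs\eopwebservice.log'

$script:seen = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $policyErrors)
    # Copy the details out for reporting. The handshake is accepted so that
    # a broken chain can still be inspected; this connection sends no data.
    $script:seen = [pscustomobject]@{
        PolicyErrors = $policyErrors
        Elements     = @($chain.ChainElements | ForEach-Object {
                           $_.Certificate | Select-Object Subject, Issuer, NotAfter })
        Status       = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
    $true
}

$tcp = $null
try {
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)

    "Protocol:      $($ssl.SslProtocol)"
    # 'None' means the name matched and Windows validated the chain.
    "Policy errors: $($script:seen.PolicyErrors)"
    # Elements are listed from the end certificate up to the root.
    $script:seen.Elements | Format-List
    if ($script:seen.Status) { "Chain status:  $($script:seen.Status -join ', ')" }
    $ssl.Dispose()
}
catch {
    "Connection to ${HostName}:${Port} failed: $($_.Exception.Message)"
    if (Test-Path -LiteralPath $LogPath) {
        # Show the most recent web server errors from the log named above.
        Get-Content -LiteralPath $LogPath -Tail 30
    }
}
finally {
    if ($tcp) { $tcp.Close() }
}
```

Windows may complete a chain from its own certificate stores, so the keystore's Certificate Chain Details view remains the check that every intermediate was appended.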