
Install a Digital Certificate on the Printer Using CentreWare Internet Services (CWIS)

Product support for: WorkCentre 7220/7225

Article Id: 1242576 | Published: 01/19/2016

A digital certificate is a file that contains data used to verify the identity of the client or server in a network transaction. A certificate also contains a public key used to create and verify digital signatures.

One device proves its identity to another by presenting a certificate trusted by the other device. Or, the device can present a certificate signed by a trusted third party and a digital signature proving its ownership of the certificate.

A digital certificate includes the following data:

  • Information about the owner of the certificate
  • The certificate serial number and expiration date
  • The name and digital signature of the certificate authority (CA) that issued the certificate
  • A public key
  • A purpose defining how the certificate and public key can be used

There are three types of certificates:

  • A Device Certificate is a certificate for which the printer has a private key. The purpose specified in the certificate allows it to be used to prove identity.
  • A CA Certificate is a certificate with authority to sign other certificates.
  • A Trusted Certificate is a self-signed certificate from another device that is trusted.

This solution provides information on the following topics:

  • Installing Certificates
  • Creating and Installing a Xerox Device Certificate
  • Installing the Generic Xerox Trusted CA Certificate
  • Creating a Certificate Signing Request
  • Uploading a CA-Signed Device Certificate
  • Installing Root Certificates
  • Installing Domain Controller Certificates

Installing Certificates

To make sure that the printer can communicate with other devices over a secure trusted connection, both devices must have specific certificates installed.

For protocols such as HTTPS, the printer is the server, and must prove its identity to the client Web browser. For protocols such as 802.1X, the printer is the client, and must prove its identity to the authentication server, typically a RADIUS server.

For features that use these protocols, perform the following tasks:

  1. Install a device certificate on the printer.

    NOTE: When the printer uses HTTPS, a Xerox Device Certificate is created and installed on the printer automatically.

  2. Install a copy of the CA certificate that was used to sign the device certificate of the printer on the other device.

Protocols such as LDAP and IPsec require both devices to prove their identity to each other. For features that use these protocols, perform the tasks listed under one of the following options:

To install certificates, option 1:

  1. Install a device certificate on the printer.
  2. Install a copy of the CA certificate that was used to sign the device certificate of the printer on the other device.
  3. Install a copy of the CA certificate that was used to sign the certificate of the other device on the printer.

To install certificates, option 2:

If the other device is using a self-signed certificate, install a copy of the trusted certificate of the other device on the printer.

Creating and Installing a Xerox Device Certificate

If no server is functioning as a certificate authority, install a Xerox Device Certificate (XDC) on the printer. When creating an XDC, the printer generates a certificate, signs it, and creates a public key used in SSL encryption. After installing an XDC on the printer, install the Generic Xerox Trusted CA Certificate on any device that communicates with the printer.

Examples of other devices include client Web browsers for HTTPS or a RADIUS authentication server for 802.1X. Installing the Generic Xerox Trusted CA Certificate ensures that users can access the printer using CWIS, and certificate warning messages do not appear.

NOTE: Creating an XDC is less secure than creating a certificate signed by a trusted certificate authority.

  1. Open CWIS. See the Related Content for additional information.
  2. Click on [Properties] at the top of the page.
  3. Click on [Security] on the left side of the page to expand the list of options.
  4. Click [Certificates].
  5. Click [Security Certificates].
  6. Click the [Xerox Device Certificate] tab.
  7. Select the [Create New Xerox Device Certificate] button.
  8. Complete the form with the requested information.
  9. Click [Finish].

Installing the Generic Xerox Trusted CA Certificate:

If the printer uses the XDC, and a user attempts to access the printer using CWIS, an error message can appear in their Web browser. To make sure that error messages do not appear, install the Generic Xerox Trusted CA Certificate in the Web browsers of all users.

  1. Open CWIS. See the Related Content for additional information.
  2. Click on [Properties] at the top of the page.
  3. Click on [Security] on the left side of the page to expand the list of options.
  4. Click [Certificates].
  5. Click [Security Certificates].
  6. Click the [Download the Generic Xerox Trusted CA Certificate] link, under the Note section, to save the file to the computer.

    NOTE: This trusted CA certificate should be downloaded and installed into client device browsers only. It should not be installed into the Xerox device.

  7. Install the file in the Web browser certificate store location. For details, see your Web browser help.

    NOTE: The Generic Xerox Trusted CA Certificate can also be downloaded from the HTTP page.

  8. Click on the [Properties] tab at the top of the page.
  9. Click on [Connectivity] on the left side of the page.
  10. Click on [Setup].
  11. Click on [Edit] to the right of HTTP, under Protocol.

Creating a Certificate Signing Request:

If an XDC is not installed, a CA-signed device certificate can be installed. Create a Certificate Signing Request (CSR), and send it to a CA or a local server functioning as a CA to sign the CSR.

An example of a server functioning as a certificate authority is Windows Server 2008 running Certificate Services. When the CA returns the signed certificate, install it on the printer.

Creating a Certificate Signing Request:

  1. Open CWIS. See the Related Content for additional information.
  2. Click on [Properties] at the top of the page.
  3. Click on [Security] on the left side of the page to expand the list of options.
  4. Click [Certificates].
  5. Click [Security Certificates].
  6. Click the [CA-Signed Device Certificate(s)] tab.
  7. Select the [Create Certificate Signing Request (CSR)] button.
  8. Complete the form with the requested information.
  9. Select the [Subject Alternative Name] check box if applicable, and enter the MS Universal Principal Name.

    NOTE: The Subject Alternative Name is only required when using 802.1X EAP-TLS for Windows clients or servers.

  10. Click [Finish].

Uploading a CA-Signed Device Certificate:

  1. Open CWIS. See the Related Content for additional information.
  2. Click on [Properties] at the top of the page.
  3. Click on [Security] on the left side of the page to expand the list of options.
  4. Click [Certificates].
  5. Click [Security Certificates].
  6. Click the [CA-Signed Device Certificate(s)] tab.
  7. Select the [Install CA-signed Device Certificate] button.
  8. Click [Browse] or [Choose File], navigate to the signed certificate in .pem or PKCS#12 format, and then click [Open] or [Choose].
  9. Click [Next].
  10. If the certificate is password protected, enter the password, and then re-enter it to verify.
  11. Enter a Friendly Name to help identify the certificate in the future.
  12. Click [Next].

    NOTE: The signed certificate must match the CSR created by the printer.
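
One way to check the match before uploading, shown as an added example that is not part of the original Xerox article: compare the public key in the CSR with the public key in the certificate the CA returned, then confirm the certificate verifies against the CA certificate that the other device will trust. It assumes PEM files and the openssl command line; the CA, the host name printer.example.test and all file names are constructed for the demo, and printer.csr stands in for the CSR exported from the printer.

```shell
#!/bin/sh
# Added example. All keys, names and certificates are constructed for the demo.

# SHA-256 of the public key carried by a CSR ($1=req) or a certificate ($1=x509).
pubkey_hash() {
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key" ] || return 1
    printf '%s\n' "$key" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = certificate carries the CSR's public key, 1 = different key, 2 = unreadable file.
cert_matches_csr() {
    a=$(pubkey_hash req "$1") || return 2
    b=$(pubkey_hash x509 "$2") || return 2
    [ "$a" = "$b" ]
}

# 0 if certificate $2 verifies against the CA certificate in $1.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build a throwaway CA, a CSR standing in for the printer's, and two signed certs.
# On a real printer the private key is generated on the device and never exported.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Lab CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    for n in printer other; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=printer.example.test" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 30 -out "$d/$n.pem" 2>/dev/null
    done
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_demo_pki "$work"

cert_matches_csr "$work/printer.csr" "$work/printer.pem" &&
    echo "printer.pem carries the CSR's key: safe to upload"
cert_matches_csr "$work/printer.csr" "$work/other.pem" ||
    echo "other.pem was issued for a different key: it does not match the CSR"
chains_to_ca "$work/ca.pem" "$work/printer.pem" &&
    echo "printer.pem verifies against ca.pem, the CA certificate the other device must trust"
```

A certificate with the right subject name but a different key, like other.pem here, fails the comparison even though it was signed by the same CA.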

Installing Root Certificates:

Install the certificates of the root certificate authority and any intermediate certificate authorities for the company. Install the self-signed certificates from any other devices in your network.

  1. Open CWIS. See the Related Content for additional information.
  2. Click on [Properties] at the top of the page.
  3. Click on [Security] on the left side of the page to expand the list of options.
  4. Click [Certificates].
  5. Click [Security Certificates].
  6. Click the [Root/Intermediate Trusted Certificate(s)] tab.
  7. Click the [Install external Root/Intermediate trusted certificates] button.
  8. Click [Browse] or [Choose File], navigate to the signed certificate .crt file, and then click [Open] or [Choose].
  9. Click [Next].
  10. Enter a Friendly Name to help identify the certificate in the future.
  11. Click [Next]. The digital certificate appears in the list of Installed certificates.

Installing Domain Controller Certificates:

Install the self-signed certificates from any domain controllers in your network.

  1. Open CWIS. See the Related Content for additional information.
  2. Click on [Properties] at the top of the page.
  3. Click on [Security] on the left side of the page to expand the list of options.
  4. Click [Certificates].
  5. Click [Security Certificates].
  6. Click the [Domain Controller Certificates] tab.
  7. Click the [Install Domain Controller Certificate] button.
  8. Click [Browse] or [Choose File], navigate to the signed certificate in .pem or PKCS#12 format, and then click [Open] or [Choose].
  9. Click [Next].
  10. Enter a Friendly Name to help identify the certificate in the future.
  11. Click [Next]. The digital certificate appears in the list of Installed certificates.

Related content
