When you import CA-signed or third-party certificates into iPrint Appliance using the Management Console, the Apache service continues to use the old certificates.
To work around this issue, you must manually replace the certificates. Ensure that the certificate you want to replace is in the .crt format, and that you have the .key file. If you have the certificate in a different format (for example, .pfx, .p12, or .pem), you must extract or convert it to the .crt and .key formats. You might also have a third file (an intermediate CA certificate), also in .crt format.
NOTE: If you have a .pfx file, you must first extract the .crt and .key files. To learn how to extract these files, see Section 16.16.1, Extracting Certificates and Key From PFX File. After you have extracted the files, follow the procedure below.
Log in to iPrint Appliance using SSH.
Navigate to the /vastorage/conf/certs/ directory.
Back up the existing certificate files to a backup directory by using the mv command.
Ensure that you move all the files. The files include vaserver.*, keystore, and keystoredb. The keystoredb file might not always exist.
Copy all certificates and the key file (.crt and .key) to the /vastorage/conf/certs/ directory by using the scp command or the WinSCP application.
If you have extracted the files from a .pfx file, and have the .crt and .key files stored in the appliance, copy the files using the cp command.
Rename the .crt file to vaserver.crt.
Rename the .key file to vaserver.key.
Rename the intermediate CA certificate file to CACert.crt.
Convert the certificates and the key file to .pfx format so that they can be imported into the Java keystore.
Run the command openssl pkcs12 -export -out vaserver.pfx -inkey vaserver.key -in vaserver.crt -certfile CACert.crt.
When prompted for a pass phrase for vaserver.key, specify the pass phrase that you used while generating the key.
When prompted for the export password, specify changeit.
Verify the export password by specifying changeit.
Import the .pfx file into the keystore.
Run the command keytool -importkeystore -srckeystore vaserver.pfx -srcstoretype pkcs12 -destkeystore keystore.
For all the prompts that follow, specify changeit.
In the file /etc/apache2/vhosts.d/vhost-ssl.conf, search for SSLCertificateChainFile.
Uncomment the line #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt by removing the #.
Modify the path to the location of the CACert.crt file. For example, SSLCertificateChainFile /vastorage/conf/certs/CACert.crt.
Save and close the vhost-ssl.conf file.
Edit the /etc/ssl/servercerts/passphrase.sh file, then add the key pass phrase.
Replace the string changeit with the pass phrase that you used while generating the key.
Restart Apache using the command rcapache2 restart.
Restart Jetty using the command rcnovell-jetty restart.
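A consistency check for the renamed files, intended to be run before the Apache and Jetty restart steps above. This is an added example, not part of the vendor procedure; the function names are hypothetical, and OpenSSL 1.0.2 or later is assumed for -partial_chain:

```shell
#!/bin/sh
# Added example, not vendor code. File names are the ones used in the procedure;
# the function names are hypothetical. Assumes OpenSSL 1.0.2+ (-partial_chain).
# check_cert_set returns 0 = OK, 1 = file missing, 2 = key/cert mismatch,
# 3 = certificate does not chain to CACert.crt.

# Print the PEM public key embedded in a certificate or derived from a private key.
pubkey_of() {   # $1 = cert|key, $2 = file
    if [ "$1" = cert ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout   # prompts if the key has a pass phrase
    fi
}

check_cert_set() {   # $1 = directory (default: the appliance certificate directory)
    d=${1:-/vastorage/conf/certs}
    for f in vaserver.crt vaserver.key CACert.crt; do
        [ -s "$d/$f" ] || { echo "missing or empty: $d/$f" >&2; return 1; }
    done

    # 1. The key must belong to the server certificate. Compare public keys;
    #    an empty result means the file could not be parsed.
    cert_pub=$(pubkey_of cert "$d/vaserver.crt" 2>/dev/null) || cert_pub=
    key_pub=$(pubkey_of key "$d/vaserver.key") || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "vaserver.key does not match vaserver.crt" >&2; return 2
    fi

    # 2. vaserver.crt must be issued by a certificate in CACert.crt and be in date.
    #    -partial_chain accepts an intermediate CA as the anchor.
    if ! openssl verify -partial_chain -CAfile "$d/CACert.crt" \
            "$d/vaserver.crt" >/dev/null 2>&1; then
        echo "vaserver.crt does not verify against CACert.crt" >&2; return 3
    fi

    # 3. Non-fatal: a key extracted with -nodes is unencrypted on disk.
    [ -z "$(find "$d/vaserver.key" -perm -004)" ] ||
        echo "warning: $d/vaserver.key is world-readable" >&2
    echo "certificate set in $d is consistent"
    return 0
}

# When run as a script: sh check_certs.sh /vastorage/conf/certs
if [ "$#" -gt 0 ]; then check_cert_set "$1"; fi
```

A non-zero result means the new files would leave Apache or the keystore import with an unusable certificate set, so the backed-up files can be restored before any service is restarted.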
Extracting Certificates and Key From PFX File
Copy the .pfx file to any location on iPrint Appliance by using the scp command or the WinSCP application.
Extract the certificate file from the .pfx file by using the command openssl pkcs12 -in <file_path.pfx> -clcerts -nokeys -out vaserver.crt.
Extract the key file from the .pfx file by using the command openssl pkcs12 -in <file_path.pfx> -nocerts -nodes -out vaserver.key.
Extract the CA certificate from the .pfx file by using the command openssl pkcs12 -in <file_path.pfx> -nodes -nokeys -cacerts -out CACert.crt.