Can I use a self-signed certificate with PrinterOn Enterprise? - c06361140
This article is a reminder of, and ultimately kicks off the process of, instituting some new security practices for PrinterOn Enterprise on-premise deployments.
Summary of change
Going forward, PrinterOn client software, including the mobile apps, PrintWhere, PDS and PDG, will no longer support self-signed certificates by default, and using one will require some additional steps by the administrator and user. In this era of internet communication and security breaches, saying the “bridge is secure” is not enough; we also need to guarantee that the on ramp and off ramp to that bridge are secure. That is the new standard.
Who and what will this affect?
- This change in process only affects POC and/or demo installations (that do not install a fully valid certificate on the Enterprise server), and also only affects installations of Enterprise on-premise software
- This only affects mobile app submissions
  - Most browsers today will still allow you to connect to a self-signed certificate
- This does NOT affect production systems where a valid certificate is installed on the server
- This does NOT affect PrinterOn Hosted, Enterprise Cloud Print
- This does NOT affect any installations (production or POC or demo) that install a certificate on the server
Is this normal?
Yes, this is becoming the new normal. For example, HP’s MFPs use a method similar to the one we are proposing. Apple is making it harder and harder to actually support self-signed certificates in code as they encourage people to protect themselves.
What are the extra steps?
NOTE:
If a valid certificate is installed on the server no additional steps are needed.
These steps are very similar to the ones already used today to install a valid certificate, are known by PS, and only apply if a valid certificate is not installed on the server.
- Administrators will be required to create a new certificate authority file and self-signed certificate after installation.
  - PrinterOn is producing clear documentation to help in this process
- Administrators will be required to deliver the certificate to the POC user to create a secure connection
  - This can be done by email or MDM provider
  - We are investigating ways to simplify the deployment without decreasing security
What is the purpose?
In short – to guarantee secure communication between clients (like the mobile apps or AirPrint) and the PrinterOn server
- This extra step of putting a shared certificate authority on both the client and server allows PrinterOn to create our software without including security loopholes in the software at the time we create it
  - It means we do not need to allow unknown certificates to be trusted.
- While TLS is good for casual security, without having a trusted and valid certificate between client and server, it allows “the bad guys” to put themselves between the client and the server and decrypt the traffic before sending it along.
  - Neither the client nor the server would be aware that the communication has been compromised
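The shared certificate authority model from the steps and purpose above, shown with OpenSSL as an added example (this is not PrinterOn's documented procedure): a private CA signs the server certificate, and a client that trusts only that CA accepts it while rejecting an unrelated self-signed certificate for the same name. The hostname, subject names, file names and function names are assumptions, and OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example, not PrinterOn's documented procedure. Hostname, subject names
# and file names are assumptions; every key and certificate is generated here.
set -eu
HOST="printeron-poc.example.test"   # assumed name clients use for the POC server
W="$(mktemp -d)"

# Minimal request config, so the run does not depend on the system openssl.cnf.
cat > "$W/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = POC Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Leaf extensions: the SAN must carry the name the client connects to.
printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$W/leaf.ext"

make_ca() {   # ca.key stays with the administrator; ca.crt is what clients receive
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$W/req.cnf" \
        -keyout "$W/ca.key" -out "$W/ca.crt" 2>/dev/null
}

issue_server_cert() {   # server key and CSR, then a certificate signed by the CA
    openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" \
        -subj "/CN=$HOST" -keyout "$W/server.key" -out "$W/server.csr" 2>/dev/null
    openssl x509 -req -in "$W/server.csr" -CA "$W/ca.crt" -CAkey "$W/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$W/leaf.ext" \
        -out "$W/server.crt" 2>/dev/null
}

make_untrusted_cert() {   # self-signed cert for the same name, unknown to the CA
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$W/req.cnf" \
        -subj "/CN=$HOST" -keyout "$W/untrusted.key" -out "$W/untrusted.crt" 2>/dev/null
}

client_trusts() {   # decision of a client that trusts only ca.crt, for cert $1
    openssl verify -no-CApath -CAfile "$W/ca.crt" -verify_hostname "$HOST" \
        "$1" >/dev/null 2>&1
}

make_ca; issue_server_cert; make_untrusted_cert
for c in server untrusted; do
    if client_trusts "$W/$c.crt"; then echo "$c.crt: accepted"
    else echo "$c.crt: rejected"; fi
done
```

Only `ca.crt` is delivered to the POC user; `ca.key` and `server.key` never leave the administrator and the server.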
To confirm, as of September 2018 and mobile app version 3.6.0, in order to support mobile app submissions, a properly trusted certificate is required. Other submission methods will continue to be successful.