Securing an HP LaserJet printer with LetsEncrypt

The fantastic and free Let’s Encrypt service issues TLS (still often called SSL) certificates at no cost, for as many devices as you like within its published rate limits. It’s perfect for a home or small office environment.

Before it issues a certificate, Let’s Encrypt needs to validate that you control the name you’ve requested it for. Most of the time it’s fine to serve a single file over HTTP from the host in question (the HTTP-01 challenge). What if the device can’t serve arbitrary files at all, as a printer can’t?

There is a way around this: the DNS-01 challenge, where you prove control of the name by publishing a TXT (text) record in its DNS zone rather than serving anything from the device itself, and that’s what I did.


I’ve used certbot to generate my certificate:

certbot -d host.example.com --manual --preferred-challenges dns certonly

certbot prints the name (_acme-challenge.host.example.com) and value of the TXT record it expects. Add it to your DNS server, wait until the record resolves publicly, then press Enter so certbot can validate it, and you’re done. Two caveats: a --manual run can’t be renewed unattended, so you’ll repeat this every 90 days unless you script the DNS update with --manual-auth-hook or a certbot DNS plugin; and if your printer only accepts RSA keys (newer certbot releases default to ECDSA), add --key-type rsa to the command.

My printer wants the certificate and private key together in a PKCS#12 bundle, a single passphrase-protected file holding both, a bit like a ‘zip’ or ‘tar’ archive. This isn’t obvious, but it can be done with this command:

openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem

You’ll be asked for an export passphrase; don’t leave it blank, because the printer asks for it when you upload the bundle. The key and certificate will be in certificate.pfx. You can load this into the printer by hand, or automatically with a single command.
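The PKCS#12 step above, written out as an added example (this is not code from the original post). It builds the bundle from a certbot-style live directory, includes the intermediate chain when chain.pem is present, and checks two things the comments on this post show going wrong before anything is uploaded: that the bundle opens with the passphrase you set, and that the key is RSA. The make_demo_live function, the host name host.example.com and the passphrase are constructed test data standing in for what certbot would have written; it assumes openssl (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: build the PKCS#12 bundle an HP
# printer wants from a certbot-style live directory and check it locally first.
# Assumes openssl (1.1.1 or 3.x) on PATH and a directory laid out like certbot's
# config/live/<host>/ with privkey.pem, cert.pem and (optionally) chain.pem.
set -eu

# Constructed test data: a throwaway "live" directory with a self-signed cert so
# the example runs offline. $1 = directory, $2 = key type: rsa or ec.
make_demo_live() {
  dir=$1; kind=$2
  mkdir -p "$dir"
  if [ "$kind" = rsa ]; then
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
  else
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/privkey.pem"
  fi
  openssl req -x509 -new -key "$dir/privkey.pem" -out "$dir/cert.pem" \
    -subj "/CN=host.example.com" -days 1 2>/dev/null
}

# Bundle key + leaf cert (+ chain when present) into a passphrase-protected PKCS#12.
# $1 = live dir, $2 = output .pfx, $3 = export passphrase,
# $4 = "compat" to use the older PBE-SHA1-3DES / SHA-1 encodings; OpenSSL 3
#      defaults to AES-256 + SHA-256 PBES2, which some older firmware rejects.
build_pfx() {
  live=$1; out=$2; pass=$3; mode=${4:-default}
  if [ -f "$live/chain.pem" ]; then
    set -- -certfile "$live/chain.pem"   # intermediate(s) ride along in the bundle
  else
    set --
  fi
  if [ "$mode" = compat ]; then
    set -- "$@" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  fi
  # An empty passphrase is no use: the printer prompts for it on upload.
  openssl pkcs12 -export -out "$out" \
    -inkey "$live/privkey.pem" -in "$live/cert.pem" "$@" \
    -passout "pass:$pass"
}

# Print the public-key algorithm of the leaf certificate inside the bundle
# (rsaEncryption or id-ecPublicKey). Prints nothing if the passphrase is wrong,
# because the MAC check fails and no certificate comes out.
pfx_key_alg() {
  out=$1; pass=$2
  openssl pkcs12 -in "$out" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | sed -n 's/^ *Public Key Algorithm: //p'
}

# Gate before upload: the bundle must open with the passphrase and carry an RSA
# key, since the comments on this post report the printers reject EC keys.
pfx_ok_for_printer() {
  [ "$(pfx_key_alg "$1" "$2")" = rsaEncryption ]
}

# Demonstration on constructed data: an RSA bundle passes, an EC bundle does not.
demo=$(mktemp -d)
make_demo_live "$demo/rsa" rsa
build_pfx "$demo/rsa" "$demo/rsa.pfx" 'export-passphrase'
if pfx_ok_for_printer "$demo/rsa.pfx" 'export-passphrase'; then
  echo "rsa.pfx: ready for the printer"
fi
make_demo_live "$demo/ec" ec
build_pfx "$demo/ec" "$demo/ec.pfx" 'export-passphrase'
if ! pfx_ok_for_printer "$demo/ec.pfx" 'export-passphrase'; then
  echo "ec.pfx: $(pfx_key_alg "$demo/ec.pfx" 'export-passphrase') key, the printer will reject it"
fi
rm -rf "$demo"
```

To use it against a real certbot directory, call build_pfx config/live/host.example.com certificate.pfx 'your passphrase' and run pfx_ok_for_printer on the result before uploading. If the printer still reports the file as corrupt or in an unsupported format, rebuild with the fourth argument set to compat, which switches to the PBE encodings older PKCS#12 consumers understand without changing anything else.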

Comments

12 responses to “Securing an HP LaserJet printer with LetsEncrypt”

  1. Jonathan

    Thanks for writing this. I’m trying to install a LE cert on my hp printer as well.
    But… uh oh. How did you get around the password requirement? My HP printer says “You must provide the password that was used to encrypt the private key.”
    I never provided a password anywhere in the certbot config. All of the above steps worked great and I made the .pfx file.
    also, how are you handling the certificate renewals?
    Thanks again!

    1. Lars Düsing

      Normally the openssl command asks for an export password, and this works.

  2. Bijan

    This approach does not seem to work if you’d simply like to access your HP printer from within the network using https. Let’s Encrypt/Certbot will not generate a certificate for a domain name such as “HPCLJM451dw.local”.
    Do you have any idea what one could do in such a scenario?

    1. Peter Hicks

      You’ll need to use a domain name where you have control over DNS records – .local is used mainly by zeroconf services (see https://en.wikipedia.org/wiki/.local).

  3. Ry Jones

    Thank you, this is exactly what I needed.

  4. Gareth

    I’ve been using this guide every 3 months for the last two years like clockwork. 3 months is just long enough to forget how to do it and still need a guide! Thanks so much for taking the time to write it up.

    1. Peter Hicks

      Have you seen the follow-up post at https://wp-test-1.office.opentraintimes.net/2020/03/18/printer-security-installing-tls-certificates-on-hp-printers-automatically/, where I’ve documented how to automate installation?

      1. Gareth

        I have not! I have some time off work booked in the next few weeks. I think I’ve found my new project! Thanks again for sharing!

  5. Michael

    This doesn’t seem to work with my printer (MFP M479dw on CLRWTRXXXN002.2339A.00). It just constantly says “The certificate file is corrupted or uses an unsupported file format.” even though I’ve followed everything you said exactly. Any troubleshooting advice?

  6. Derek

    Thanks for the info! I was able to get this working with the latest URL (/Security/DeviceCertificates/NewCertWithPassword/Upload?fixed_response=true) on my M479fdw. Just to note that it appears that the printers only support RSA keys. I’ve been setting up Step CA (https://smallstep.com/docs/step-ca/) and I had to create my own root and intermediate certs to be able to import to the printer, because the defaults for step-ca are to use EC keys. Just FYI in case anyone else lands here 🙂

    1. Ryan

      Thanks for the tips!

  7. Phil McCaffrey

    I had chased my tail for about an hour with an invalidCertType error before realizing that I had to explicitly set the key type to RSA when creating the cert:

    sudo certbot certonly --dns-route53 -d HOSTNAME --key-type rsa
