SSL/HTTPS Key Generation

Experienced users can configure the SSL encryption key, certificate and format. During installation, PaperCut NG generates and issues a self-signed key/certificate for the machine's host name. By default the system is accessed over HTTPS on port 9192.

The default SSL certificate provides good security, but there are two drawbacks to using a self-signed certificate:

  1. When users access the HTTPS site using a fully-qualified domain name, the browser will issue a "Domain mismatch warning". To avoid this warning, re-create the self-signed certificate with the machine's fully qualified domain name, see the section called “Re-create the self-signed certificate”.

  2. The browser will also warn the user that the certificate is not signed by a trusted authority. To overcome this you must use a certificate signed by a trusted authority, see the section called “Using a custom or signed SSL Key”.

Eliminating these warnings provides a smoother experience for the end users of PaperCut NG.

Re-create the self-signed certificate

The tool create-ssl-keystore can be used to re-create the key/certificate (stored in a keystore file) for a different hostname, eliminating the browser domain mismatch warning. An example of the command's use:

    cd [app-path]/server/bin/win
    create-ssl-keystore -f "myserver.fullname.com"

More information is available via the --help command line option.

Usage: create-ssl-keystore [-f] [-k FILE] [SYSTEM_NAME]

   -f        Force. Overwrite any existing keystore file.

   -k FILE:  Define a keystore file location. If not set the keystore
             is created in the default location
             (server/data/default-ssl-keystore).

   SYSTEM_NAME: The name of the computer/server used to generate keystore.
                If not defined, the current computer name is used.

Using a custom or signed SSL Key

Larger organizations may wish to use their own SSL key signed by a recognised certificate authority (CA). Examples of recognised CAs include AddTrust, Entrust, GeoTrust, RSA Data Security, Thawte, VISA, ValiCert, Verisign, beTRUSTed and others.

Warning

Configuring SSL and generating keystore keys is complex! The following documentation assumes the reader has a good understanding of SSL/HTTPS and of configuring it on other web-based application servers, such as Apache, IIS or a secure mail server.

A good overview of the procedure for generating a keystore compatible with PaperCut NG is explained in detail on the Jetty HTTP server website: http://jetty.mortbay.org/jetty5/faq/faq_s_400-Security_t_ssl.htm.

To configure the PaperCut NG application server to use the new key/certificate:

  1. Copy your keystore to the server running the PaperCut NG application server. The suggested directory location is: [app-path]/server/custom/.

  2. Open the file [app-path]/server/server.properties in a text editor (e.g. Notepad).

  3. Locate the configuration section headed SSL/HTTPS.

  4. Remove the # (hash) comment marker from all server.ssl lines.

  5. Define the location of your keystore and the key password. The file should look similar to the following:

        server.ssl.keystore=custom/my-ssl-keystore
        server.ssl.keystore-password=mypassword
        server.ssl.key-password=mypassword

  6. Restart the PaperCut NG application server and verify that everything works. If the server fails to start, the error message is recorded in the server log directory.
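Steps 4 and 5 amount to a small, repeatable edit of server.properties, and step 6 is a check that it took effect. The following Python helper is an added example, not PaperCut NG's own code: it applies that edit to a constructed sample of the SSL/HTTPS block and then flags anything worth fixing before the restart (lines still commented out, or the documentation's placeholder password left in place). The function names and the sample file contents are assumptions.

```python
import re

# Constructed sample of the SSL/HTTPS block of [app-path]/server/server.properties,
# with the server.ssl lines still commented out, as the file is shipped.
SAMPLE_PROPERTIES = """\
# PaperCut NG server configuration (constructed sample)
server.port=9191

# SSL/HTTPS configuration
#server.ssl.keystore=custom/my-ssl-keystore
#server.ssl.keystore-password=mypassword
#server.ssl.key-password=mypassword
"""

SSL_KEYS = ("server.ssl.keystore", "server.ssl.keystore-password", "server.ssl.key-password")
PLACEHOLDER = "mypassword"  # value used in the documentation example above

def configure_ssl(text, keystore, keystore_password, key_password):
    """Uncomment and set the three server.ssl lines (steps 4 and 5), in place.
    Other lines and their order are kept; a key absent from the file is appended."""
    wanted = dict(zip(SSL_KEYS, (keystore, keystore_password, key_password)))
    if not all(wanted.values()):
        raise ValueError("keystore path and both passwords must be non-empty")
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"\s*#?\s*(server\.ssl\.[\w-]+)\s*=", line)
        if m and m.group(1) in wanted:
            out.append(f"{m.group(1)}={wanted[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out.extend(f"{k}={wanted[k]}" for k in SSL_KEYS if k not in seen)
    return "\n".join(out) + "\n"

def active_ssl_settings(text):
    """Parse only the uncommented server.ssl.* settings from the file contents."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*(server\.ssl\.[\w-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_ssl_settings(settings):
    """Problems worth fixing before the restart in step 6; an empty list means OK."""
    problems = [f"{k} is still commented out or missing" for k in SSL_KEYS if k not in settings]
    for k in ("server.ssl.keystore-password", "server.ssl.key-password"):
        if settings.get(k) == PLACEHOLDER:
            problems.append(f"{k} still uses the documentation placeholder")
    return problems
```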