HP 250m Print Server - Fast Ethernet manual HP Jetdirect Certificate Guidelines

Page 94

That wasn’t too bad to get security for your print data. However, there is a problem. Notice that we used the IP address in the URL. After the big section on name checking, we should know that there is no way to verify our Jetdirect’s certificate when an IP address is used in the URL. IPPS should have flagged a certificate error, but it did not.

This behavior brings up an important point. Just because SSL/TLS is being used doesn’t mean the proper checks are being done. When you have a new application protocol using SSL/TLS, there are only three words for you: Test! Test! Test!

HP Jetdirect Certificate Guidelines

We’ve covered several client and server scenarios regarding HP Jetdirect and SSL/TLS. Here are some guidelines for issuing digital certificates to an HP Jetdirect:

There is only one Identity certificate on HP Jetdirect, so supporting multiple certificates, and similar concerns, when Jetdirect is an SSL/TLS server is not an issue at the present time.

Because there is only one certificate, be sure to issue a certificate that can do Client Authentication and Server Authentication unless you are absolutely sure that Jetdirect will only act as one or the other.

Do not use the self-signed certificate that Jetdirect generates by default except for a temporary session in order to replace it with a better one.

Each Jetdirect should have a unique certificate.

Each Jetdirect should have host records in DNS and those DNS names should match the Jetdirect certificate.

Use the Web Server (as described previously) to generate a Certificate Request so that the private key for Jetdirect always remains private. Be sure that the Common Name matches the FQDN of Jetdirect to avoid certificate errors.

Do not store the same Identity Certificate on multiple Jetdirect cards (e.g., wildcard certificates for printing).

When Jetdirect is acting as an SSL/TLS client and is being presented with a server certificate that has a wildcard character, follow the guidelines in RFC4513 for *all* protocols, not only LDAP. Otherwise, the wildcard certificate may not be accepted.

When Jetdirect is acting as a client, be sure to have the CA certificate installed. The CA certificate has to be the top-level CA certificate.

When Jetdirect is acting as a client, be sure to have the server send back the certificate chain. Jetdirect has a minimal amount of storage available for certificates, so it requires that functionality.

Following these guidelines will keep you looking younger.
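The name check that the guidelines above rely on (the Common Name or subjectAltName must match the FQDN, an IP address in the URL can never match a DNS name, and a wildcard follows the RFC 4513 leftmost-label rule) is shown here as an added example; it is not code from HP or from the Jetdirect firmware. The certificate dictionaries are constructed samples in the shape Python's ssl.getpeercert() returns, which is an assumption made for this example.

```python
import ipaddress

# Constructed sample certificates (not real Jetdirect certificates), laid out the
# way Python's ssl.getpeercert() presents subject and subjectAltName.
JETDIRECT_CERT = {
    "subject": ((("commonName", "printer1.example.com"),),),
    "subjectAltName": (("DNS", "printer1.example.com"),),
}

WILDCARD_CERT = {
    "subject": ((("commonName", "*.print.example.com"),),),
    "subjectAltName": (("DNS", "*.print.example.com"),),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (or CN) against a hostname using the RFC 4513 wildcard
    rule: '*' is only meaningful as the whole leftmost label and matches exactly
    one label, so '*.bar.example.com' matches 'a.bar.example.com' but not
    'bar.example.com' or 'x.a.bar.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject wildcards anywhere but the leftmost label, and overly broad ones like *.com
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def identity_matches(cert: dict, reference: str) -> bool:
    """Decide whether a peer certificate is valid for the name the client used.
    An IP literal is only accepted against an iPAddress SAN entry, never against
    the CN, which is why an https://<ip>/ URL cannot pass this check."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:  # when dNSName entries exist, the CN is not consulted
        return any(_dns_name_matches(p, reference) for p in dns_names)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(c, reference) for c in cns)
```

Running identity_matches against the IP address of the printer returns False for the same certificate that matches its FQDN, which is the error IPPS should have raised in the earlier session.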

Embedded Devices and Digital Certificates

One of the more common uses of digital certificates is for Virtual Private Network (VPN) access. In some environments, remote users are issued a USB key, and the USB key is programmed with a digital certificate assigned to the user. The private key of the certificate is protected by a PIN that provides encryption. When a user brings up the VPN, the PIN must be entered so that the private key can be accessed to establish the VPN connection. This behaves like two-factor authentication: What do I know (the PIN)? What do I have (the digital certificate on the USB key)?

With Embedded Devices, there is no password that can be entered. This means that the certificate private key is likely stored “in the clear”. Even if a password was required, it is going to be used by the firmware of the Embedded Device rather than a user (an Embedded Device may not even have a
