The fantastic and free Let’s Encrypt service lets you issue TLS (SSL) certificates to as many devices as you want. It’s perfect for a home or small office environment.
The Let’s Encrypt service needs to validate that you are in control of the device you’ve requested a certificate for. Most of the time, it’s fine to serve up a single file from your server. What if you can’t actually serve arbitrary files from your device?
There is a way around this: you can prove control of the hostname with a TXT (text) record in DNS instead, and that's what I did.
I’ve used certbot to generate my certificate:
certbot -d host.example.com --manual --preferred-challenges dns certonly
Note down the TXT record name and value that certbot prints, add the record to your DNS server, and let certbot carry on once the record is visible; that's it.
My printer wants the certificate and private key in a PKCS#12 bundle, a bit like a ‘zip’ or ‘tar’ archive. This isn’t obvious, but it can be done with this command:
openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem
You’ll be asked for a passphrase, and the key and certificate will be in certificate.pfx. You can load this into the printer by hand, or automatically with a single command.
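As an added example (my own script, not from the original post), here is the bundling step wrapped in a small shell script that also puts the intermediate chain into the .pfx and checks what ended up inside it. It assumes certbot's live/ directory layout (privkey.pem, cert.pem, chain.pem), uses a placeholder passphrase file, and stands in a constructed throwaway CA and leaf for the real certbot output so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the PKCS#12 bundle with
# the intermediate chain included and inspects the result. File names follow
# certbot's live/<host>/ layout (privkey.pem, cert.pem, chain.pem); the
# passphrase file is a placeholder.
set -eu

# build_pfx LIVE_DIR OUT_PFX PASS_FILE
# -certfile adds chain.pem so the printer also presents the intermediate;
# a bundle made from cert.pem alone fails verification on clients that do
# not already hold the intermediate. Firmware that cannot read the
# AES/PBKDF2 bundles written by OpenSSL 3 may additionally need -legacy.
build_pfx() {
  live=$1; out=$2; pass=$3
  openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/cert.pem" \
    -certfile "$live/chain.pem" -passout "file:$pass" -out "$out"
}

# count_certs OUT_PFX PASS_FILE -> prints how many certificates the bundle holds
count_certs() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# pfx_has_key OUT_PFX PASS_FILE -> exit 0 when the bundle carries a private key
pfx_has_key() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# make_fixture DIR: constructed throwaway CA and leaf standing in for the
# files certbot would have written (test material, not real certificates).
make_fixture() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Fixture CA' \
    -keyout "$d/cakey.pem" -out "$d/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=host.example.com' \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/chain.pem" \
    -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/cert.pem" 2>/dev/null
  printf 'placeholder-passphrase' > "$d/pw"
}

# Demo run against the constructed fixture.
work=$(mktemp -d)
make_fixture "$work"
build_pfx "$work" "$work/printer.pfx" "$work/pw"
echo "certificates in bundle: $(count_certs "$work/printer.pfx" "$work/pw")"
pfx_has_key "$work/printer.pfx" "$work/pw" && echo "private key present"
```

Point build_pfx at your real live/host.example.com directory and a passphrase file only you can read; count_certs should report 2 (leaf plus intermediate) before you load the bundle onto the printer.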