The fantastic and free Let’s Encrypt service lets you issue TLS (SSL) certificates to as many devices as you want. It’s perfect for a home or small office environment.
The Let’s Encrypt service needs to validate that you are in control of the device you’ve requested a certificate for. Most of the time, it’s fine to serve up a single file from your server. What if you can’t actually serve arbitrary files from your device?
There is a way around this – you can use a TXT (text) record in DNS to authenticate the device, and that’s what I did.
I’ve used certbot to generate my certificate:
certbot -d host.example.com --manual --preferred-challenges dns certonly
Note down the TXT record that appears and add it to your DNS server, and you’re done.
My printer wants the certificate and private key in a PKCS#12 bundle, a bit like a ‘zip’ or ‘tar’ archive. This isn’t obvious, but it can be done with this command:
openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem
You’ll be asked for a passphrase, and the key and certificate will be in certificiate.pfx. You can load this in to the printer by hand, or automatically with a single command.
8 thoughts on “Securing an HP LaserJet printer with LetsEncrypt”
Thanks for writing this. I’m trying to install a LE cert on my hp printer as well.
but…. uh oh. How did you get around the password requirement? My hp printer says “You must provide the password that was used to encrypt the private key.”
I never provided a password anywhere in the certbot config. All of the above steps worked great and I made the .pfx file.
also, how are you handling the certificate renewals?
Normally the openssl-command asks for an export password – and this works.
This approach does not seem to work if you’d simply like to access your HP printer from within the network using https. Let’s Encrypt/Certbot will not generate a certificate for a domain name such as “HPCLJM451dw.local”.
Do you have any idea what one could do in such a scenario?
You’ll need to use a domain name where you have control over DNS records – .local is used mainly by zeroconf services (see https://en.wikipedia.org/wiki/.local).
Thank you, this is exactly what I needed.
I’ve been using this guide every 3 months for the last two years like clockwork. 3 months is just long enough to forget how to do it and still need a guide! Thanks so much for taking the time to write it up.
Have you seen the follow-up post at https://blog.poggs.com/2020/03/18/printer-security-installing-tls-certificates-on-hp-printers-automatically/, where I’ve documented how to automate installation?
I have not! I have some time off work booked in the next few weeks. I think I’ve found my new project! Thanks again for sharing!