Installing TLS certificates on HP printers automatically

Installing a TLS (SSL) certificate on an HP LaserJet printer automatically isn’t as difficult as you might think

I wrote an article about installing a Let’s Encrypt TLS certificate on an HP LaserJet printer a while ago.  Since then, I’ve been annoyed by having to install updated certificates manually, so I decided to look at how I could automate it.

HP LaserJet printer control panel
Photo by Alex Furr from FreeImages

TechRadar has a great article on securing printers, but how do you automate it? Well, with a certificate authority like Let’s Encrypt for starters, but there’s no mechanism for the printer to automatically update its certificate after it expires.

I’ve set my desktop machine to certbot and renew the certificate automatically. An evening’s hacking around the web interface showed it’s really easy to install a certificate automatically.

This is the magic command to install the certificate:

curl -v --insecure https://HOSTNAME/hp/device/Certificate.pfx --form upload=@/tmp/cert.pfx --form Password=password

Replace HOSTNAME with the hostname of your printer and change /tmp/cert.pfx as required. If you want to know how to create the PFX file, see my original post.

Has anyone else found out how to do this? If they have, they’ve not posted about it!

10 thoughts on “Installing TLS certificates on HP printers automatically”

  1. Works great on some devices, but I have one laserjet that might be too old for that, and they apparently use different URLs for the InkJets

  2. I did try your command, but it fails for me.

    I changed the hostname accordingly, the location of the certificate file and the password to the export password.

    The error I receive is:
    HTTP error before end of send, stop sending
    * Closing connection 0

  3. In the interest of paying it forward for others that may run across this page. Different HP printers have different ways of getting the certificates to them. You can (as I did) simply open up the certificate interface in Safari or Chrome and enable developer tools to figure out what the right call is. It seems to change every two or three printer generations. If you have a modicum of developer / debugging expertise, you can quickly deduce what the right one is for you if the above (or below) doesn’t work.

    The magic incantation for some of the more modern HP printers is:

    curl -silent --show-error --insecure "https://HOSTNAME/Security/DeviceCertificates/NewCertWithPassword/Upload?fixed_response=true" --form certificate=@"YourCert.pfx" --form password="PASSWORD"

    Replace HOSTNAME with the printer’s hostname/IP.
    Replace YourCert.pfx with the path to the PFX-encoded certificate.
    Replace PASSWORD with the password you used to encrypt the PFX-encoded certificate.

  4. On newer Laserjet models (eg: my M479fdw) which have a more “Javascripty” web interface, the upload URL is different – but a bit of snooping in the Chrome console reveals that it’s basically the same mechanism, just a different URL.

    curl -v --insecure -u admin:ADMIN_PASSWORD --form certificate=@cert.pfx --form password=PFX_PASSWORD https://PRINTER_HOSTNAME/Security/DeviceCertificates/NewCertWithPassword/Upload

    (that’s all one line).

    ADMIN_PASSWORD is the password for the ‘admin’ user you set in the printer’s web UI.
    PFX_PASSWORD is the password you set on the PFX certificate file.
    PRINTER_HOSTNAME is the network name or IP address of the printer.

    Hope this helps!

  5. Thank you very much. This works perfectly for me on a HP LaserJet Pro MFP M426dfw, with the URL: https://HOSTNAME/hp/device/Certificate.pfx

    One note. I needed to add credentials in order to complete the request; otherwise, I was receiving 401 (Unauthorized): curl -v --insecure -u admin:HP_WEB_PORTAL_ADMIN_PASSWD https://HOSTNAME/hp/device/Certificate.pfx

  6. be careful copying the commands here as a hyphen is turned into an em dash and the curl command will fail. Make sure all “-” are literal hyphens

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.