Securing an HP LaserJet printer with LetsEncrypt

Installing a TLS (or SSL) certificate on a HP LaserJet printer

The fantastic and free Let’s Encrypt service lets you issue TLS (SSL) certificates to as many devices as you want. It’s perfect for a home or small office environment.

The Let’s Encrypt service needs to validate that you are in control of the device you’ve requested a certificate for. Most of the time, it’s fine to serve up a single file from your server. What if you can’t actually serve arbitrary files from your device?

There is a way around this – you can use a TXT (text) record in DNS to authenticate the device, and that’s what I did.

Photo by Alex Furr from FreeImages

I’ve used certbot to generate my certificate:

certbot -d host.example.com --manual --preferred-challenges dns certonly

Note down the TXT record that appears and add it to your DNS server, and you’re done.

My printer wants the certificate and private key in a PKCS#12 bundle, a bit like a ‘zip’ or ‘tar’ archive. This isn’t obvious, but it can be done with this command:

openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem

You’ll be asked for a passphrase, and the key and certificate will be in certificiate.pfx.  You can load this in to the printer by hand, or automatically with a single command.

8 thoughts on “Securing an HP LaserJet printer with LetsEncrypt”

  1. Thanks for writing this. I’m trying to install a LE cert on my hp printer as well.
    but…. uh oh. How did you get around the password requirement? My hp printer says “You must provide the password that was used to encrypt the private key.”
    I never provided a password anywhere in the certbot config. All of the above steps worked great and I made the .pfx file.
    also, how are you handling the certificate renewals?
    Thanks again!

  2. This approach does not seem to work if you’d simply like to access your HP printer from within the network using https. Let’s Encrypt/Certbot will not generate a certificate for a domain name such as “HPCLJM451dw.local”.
    Do you have any idea what one could do in such a scenario?

  3. I’ve been using this guide every 3 months for the last two years like clockwork. 3 months is just long enough to forget how to do it and still need a guide! Thanks so much for taking the time to write it up.

      1. I have not! I have some time off work booked in the next few weeks. I think I’ve found my new project! Thanks again for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.