Installing TLS certificates on HP printers automatically

Installing a TLS (SSL) certificate on an HP LaserJet printer automatically isn’t as difficult as you might think

I wrote an article about installing a Let’s Encrypt TLS certificate on an HP LaserJet printer a while ago.  Since then, I’ve been annoyed by having to install updated certificates manually, so I decided to look at how I could automate it.

TechRadar has a great article on securing printers, but how do you automate it? Well, with a certificate authority like Let’s Encrypt for starters, but there’s no mechanism for the printer to automatically update its certificate after it expires.

I’ve set my desktop machine to run certbot and renew the certificate automatically. An evening’s hacking around the web interface showed it’s really easy to install a certificate automatically.

This is the magic command to install the certificate:

curl -v --insecure https://HOSTNAME/hp/device/Certificate.pfx --form upload=@/tmp/cert.pfx --form Password=password

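Replace HOSTNAME with the hostname of your printer and change /tmp/cert.pfx as required. The --insecure option tells curl to skip verification of whatever certificate the printer currently presents, and a passphrase given on the command line is visible in the process list while curl runs. If you want to know how to create the PFX file, see my original post.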

Has anyone else found out how to do this? If they have, they’ve not posted about it!

Turning off SSID broadcast for HP LaserJet printers

How do you turn off your HP LaserJet printer’s built-in WiFi Direct SSID?

A new HP LaserJet printer arrived in the office recently. After plugging it in to the office network, the setup was easy, but I couldn’t find a way to stop the printer broadcasting a wireless network name.

Several hours of testing, failing, resetting and re-testing led me to HP’s Support Forum.  I found some instructions from a user who worked out how to disable the network.  It’s not logical or obvious.

First, make sure you don’t have a USB cable attached to the printer. Go to the web configuration page and select Networking > Wi-Fi Direct Setup, and turn Wi-Fi Direct on.

Then, set the connection method to Advanced, and check “Do not broadcast the Wi-Fi Direct Name”. Click Apply, restart the printer, then go back in to the configuration page and turn Wi-Fi Direct off.

I don’t know why this isn’t an obvious option, but HP might fix it in a later release of the printer’s firmware.

Securing an HP LaserJet printer with LetsEncrypt

Installing a TLS (or SSL) certificate on an HP LaserJet printer

The fantastic and free Let’s Encrypt service lets you issue TLS (SSL) certificates to as many devices as you want. It’s perfect for a home or small office environment.

The Let’s Encrypt service needs to validate that you are in control of the device you’ve requested a certificate for. Most of the time, it’s fine to serve up a single file from your server. What if you can’t actually serve arbitrary files from your device?

There is a way around this – you can use a TXT (text) record in DNS to authenticate the device, and that’s what I did.

I’ve used certbot to generate my certificate:

certbot -d host.example.com --manual --preferred-challenges dns certonly

Note down the TXT record that appears and add it to your DNS server, and you’re done.

My printer wants the certificate and private key in a PKCS#12 bundle, a bit like a ‘zip’ or ‘tar’ archive. This isn’t obvious, but it can be done with this command:

openssl pkcs12 -export -out certificate.pfx -inkey config/live/host.example.com/privkey.pem -in config/live/host.example.com/cert.pem

You’ll be asked for a passphrase, and the key and certificate will be in certificate.pfx. You can load this into the printer by hand, or automatically with a single command.
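
The openssl packaging step and the curl upload from the first post, combined as a certbot deploy hook so the PFX is rebuilt and pushed to the printer on each renewal. This is an added example, not the author's script: PRINTER_HOST, PFX_PASS_FILE, PRINTER_INSECURE and the function names are assumptions, while the upload URL and form fields are the ones from the curl command above.

```shell
#!/bin/sh
# Certbot deploy hook: repackage the renewed certificate as PKCS#12 and upload
# it to the printer with the endpoint and form fields from the post.
# PRINTER_HOST, PFX_PASS_FILE and PRINTER_INSECURE are names assumed here.
set -eu

PRINTER_HOST="${PRINTER_HOST:-printer.example.com}"
# Passphrase file, mode 0600, no trailing newline (curl sends its bytes as-is).
PFX_PASS_FILE="${PFX_PASS_FILE:-/etc/letsencrypt/printer-pfx.pass}"

# Certbot passes the renewed names in RENEWED_DOMAINS, space separated.
renewed_for_printer() {  # $1 = domain list
    case " $1 " in
        *" $PRINTER_HOST "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reading the passphrase from a file keeps it out of the process list.
build_pfx() (  # $1 = lineage directory, $2 = output file
    umask 077
    openssl pkcs12 -export -out "$2" \
        -inkey "$1/privkey.pem" -in "$1/cert.pem" \
        -passout "file:$PFX_PASS_FILE"
)

# The post's command uses --insecure, which skips verification of the
# certificate the printer currently presents. Here that is opt-in.
upload_pfx() (  # $1 = PFX file
    insecure=""
    if [ "${PRINTER_INSECURE:-0}" = 1 ]; then insecure="--insecure"; fi
    # $insecure is deliberately unquoted so an empty value adds no argument.
    curl --silent --show-error --fail $insecure \
        "https://$PRINTER_HOST/hp/device/Certificate.pfx" \
        --form "upload=@$1" --form "Password=<$PFX_PASS_FILE"
)

main() {
    renewed_for_printer "${RENEWED_DOMAINS:-}" || return 0
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    build_pfx "$RENEWED_LINEAGE" "$workdir/cert.pfx"
    upload_pfx "$workdir/cert.pfx"
}

# Certbot sets RENEWED_LINEAGE when it runs deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```

Saved as an executable file under /etc/letsencrypt/renewal-hooks/deploy/, certbot runs it after each successful renewal.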