25
Install own SSL certificate on HP ScanJet Pro N4000 snw1 does not work
I have a brand new HP ScanJet Pro N4000 snw1, firmware 0.80.
I would like to install a self created SSL certificate and I can't.
Variant 1: import p12 certificate, containing a private key works. I see a certificate on the certificate management site, but the certificate is not used for the website.
Variant 2: create the CSR on the scanner's website and create a cert from it. I can create a CSR, but if I try to import the certificate made from it, I always get the message "password incorrect". Though, there is no any password: after the creation of CSR you're just importing the cert without private key.
Does somebody have an idea, what is wrong?
I would like to install a self created SSL certificate and I can't.
Variant 1: import p12 certificate, containing a private key works. I see a certificate on the certificate management site, but the certificate is not used for the website.
Variant 2: create the CSR on the scanner's website and create a cert from it. I can create a CSR, but if I try to import the certificate made from it, I always get the message "password incorrect". Though, there is no any password: after the creation of CSR you're just importing the cert without private key.
Does somebody have an idea, what is wrong?
Share on Facebook
Share on Twitter
Share on Reddit
Share on LinkedinPlease also mark the comments that contributed to the solution of the article
Content-Key: 53993779015
Url: https://administrator.de/contentid/53993779015
Printed on: April 27, 2024 at 12:04 o'clock
25 Comments
Latest comment
Make sure the hostname and domain configured in the device are the same as in the certificate.
Caching problem of the browser?
Caching problem of the browser?
Quote from @ITwissen:
Make sure the hostname and domain configured in the device are the same as in the certificate.
Caching problem of the browser?
Make sure the hostname and domain configured in the device are the same as in the certificate.
Caching problem of the browser?
The host name and domain are the same and I tried with different browsers...
Cross post
Wich encryption standard has been used to create the PFX/P12 Container? Try to create the container by using the legacy DES format or convert it by using openssl.
Are you really sure that the certificate should be used by the scanners management page? I think this is only used for authentication to remote servers and server certificate validation.
Variant 1: import p12 certificate, containing a private key works. I see a certificate on the certificate management site, but the certificate is not used for the website.
Assign the cert to be used by the interface. Check the options on the management interface.Wich encryption standard has been used to create the PFX/P12 Container? Try to create the container by using the legacy DES format or convert it by using openssl.
Are you really sure that the certificate should be used by the scanners management page? I think this is only used for authentication to remote servers and server certificate validation.
Quote from @11078840001:
Assign the cert to be used by the interface. Check the options on the management interface.
Assign the cert to be used by the interface. Check the options on the management interface.
I couldn't find this option, unfortunately.
Wich encryption standard has been used to create the PFX/P12 Container? Try to create the container by using the legacy DES format or convert it by using openssl.
It is RSA; but I don't think, it is an issue here: the cert was read by the website...
Are you really sure that the certificate should be used by the scanners management page? I think this is only used for authentication to remote servers and server certificate validation.
Yes, I'm sure.
No that is not what i mean, i mean the encryption scheme by the P12 container, if it as legacy or modern one with aes256 encryption!
but I don't think, it is an issue here: the cert was read by the website...
That it can read the container does not mean it's correctly decoded.Quote from @11078840001:
No that is not what i mean, i mean the encryption scheme by the P12 container, if it as legacy or modern one with aes256 encryption!
I think, it was a modern one. I created it using openssl as following:
openssl pkcs12 -export -out hp-scanner.p12 -inkey key.key -in cert.pemI think, it was a modern one
Show us the output of ...openssl pkcs12 -in hp-scanner.p12 -info -nooutP12 zertifikat auf aktuelle Linux-Server kann auf IIS nicht importiert werden (Angeblich falsches Kennwort)
1
Here you are:
Will try to create a legacy one
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256Will try to create a legacy one
The p12-container, which was encrypted with the legacy switches, was also successfully added to the scanner, but the website is not using it...
OK, then show us all your settings you have set (screenshots).
What does the HP support say?
What does the HP support say?
Certificate settings:
HP Support was informed; I'm waiting for response.
OK let's wait. Seams to be a bug then if it does not work when you reset the scanner to default settings.
Have you cleared your Browser cache? => use private mode as best practice
Did you really call the page by it's common name afterwards?
Have you cleared your Browser cache? => use private mode as best practice
Did you really call the page by it's common name afterwards?
Quote from @11078840001:
OK let's wait. Seams to be a bug then if it does not work when you reset the scanner to default settings.
Have you cleared your Browser cache? => use private mode as best practice
Did you really call the page by it's common name afterwards?
OK let's wait. Seams to be a bug then if it does not work when you reset the scanner to default settings.
Have you cleared your Browser cache? => use private mode as best practice
Did you really call the page by it's common name afterwards?
Yes, I did both. New browser, other workstation, call the web page by CN or by IP...
Did your certs contain the necessary extensions for a webserver certificate? "keyAgreement, keyEncipherment, digitalSignature" and extendedKeyUsage "serverAuth".
Sorry, but wee need to pull everything out of your nose, because we can't see that much information from your post, but wait ... OK it's friday, so nothing unusual 💩
Sorry, but wee need to pull everything out of your nose, because we can't see that much information from your post, but wait ... OK it's friday, so nothing unusual 💩
Zitat von @11078840001:
Did your certs contain the necessary extensions for a webserver certificate? "keyAgreement, keyEncipherment, digitalSignature" and extendedKeyUsage "serverAuth".
Sorry, but wee need to pull everything out of your nose, because we can't see that much information from your post, but wait ... OK it's friday, so nothing unusual 💩
Did your certs contain the necessary extensions for a webserver certificate? "keyAgreement, keyEncipherment, digitalSignature" and extendedKeyUsage "serverAuth".
Sorry, but wee need to pull everything out of your nose, because we can't see that much information from your post, but wait ... OK it's friday, so nothing unusual 💩
Not all extensions you've listed are used.
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuthAccording to my experience, these extensions are enough for a web server (Apache, Nginx, many routers are happy with tis set). But thanks, I will try to add keyAgreement + digitalSignature, though, I think, both are for something else, not for the plain web server.
Sorry, I don't know a joke about Friday
[v3_req]
keyUsage = keyEncipherment, dataEncipherment, keyAgreement, digitalSignature
extendedKeyUsage = serverAuthOkay, adding of the additional extensions didn't help, unfortunately.
Please post the complete settings of the cert. Is the common name also listet as SubjectAlternativeName ?
subjectAltName = DNS:demo.tld
Here you are:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Narnia
L = Musterhausen
O = Chemtrail SE and Co. Unlimited
OU = Spray and Pray Department
#CN must be FQDN
CN = om.kc.lan
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
#DNS.1 = om
# DNS alt name is disabled. Some devices don't like DNS names without a domain
IP.1=192.168.20.14
You are missing the CN as SAN entry.
1
Will try it out.
Also having a CN as SAN doesn't help.
I suggest using a GUI Tool like this:
XCA
XCA
1
Update from HP support: it is not possible to install own cert for this device type.
Zitat von @sashaak:
Update from HP support: it is not possible to install own cert for this device type.
As I suspected in first place ... Thanks for the update.Update from HP support: it is not possible to install own cert for this device type.