Using Internet Information Server Certificate Store Request (CSR) and Certificates for Tomcat on Markvision Enterprise (MVE)
Affected Products:
Software / Solution: Lexmark MarkVision Enterprise (MVE)
Overview:
The following procedure does not work:
- Generating a Certificate Store Request (CSR) for MVE using Microsoft’s Internet Information Server (IIS) platform, and filing the request with a Certificate Authority to secure MVE using HTTPS.
Explanation:
- The certificates granted by a Certificate Authority are tied to the private keys of the server that generated the request.
- When the CSR is generated for the Tomcat server using the documentation and the Java Keytool, the CSR is valid for MVE and will function normally.
- However, should you inadvertently generate the CSR on an IIS server, then the certificates will not work.
Installing Certificates Using IIS CSR and certificates for Tomcat on MVE:
As a workaround, export the private keys from the IIS server to a file, copy the file to the MVE server, and then generate a new Java Keystore by importing the private keys from IIS.
Follow the steps below to proceed:
- If the private keys don’t exist, create an MMC Snap-in for Managing Certificates on the IIS system. Ensure that the IIS system is using a “Computer Account” and managing the local computer.
- Export the Certificate to a PFX file by following these steps:
- In MMC, double-click on Certificates (Local Computer) in the center window.
- Double-click on the Personal folder, and then on Certificates.
- Right-click on the Certificate that you want to back up, and choose All Tasks > Export.
- The Certificate will be for the CSR generated for MVE. Proceed with these steps:
- Follow the Certificate Export Wizard to export the certificate to a .pfx file.
- Choose “Yes, export the private key”.
- Choose “Include all certificates in certificate path if possible.” (Do not select the delete Private Key option.)
- Enter a password that you will remember. This password will be used when importing into the Java Keystore in later steps.
- Choose to save the file to a set location and click Finish.
- To import into the Tomcat Java Keystore, follow these steps:
- On the MVE server, open a command prompt and change directories to the MVE JRE: %install_dir%\Markvision Enterprise\jre\bin
- Copy the exported file created in Step 2 and the certificates associated with the originating CSR to a known location on the MVE server. Note: Generally, it is best to house the Keystore outside of the MVE directory structure so it will not accidentally be deleted when running Uninstall or Upgrade.
- From the Command line, execute the following:
- keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore newjkskeystore.jks
- where mypfxfile.pfx is the exported file from IIS and newjkskeystore.jks is the name of the Java Keystore file to use in MVE.
- When prompted, enter the password for the new keystore file. Note: Make sure to remember this password as it will be used with the Server.XML configuration.
- When prompted, enter the password for the file exported from the IIS in Step 2.
- Proceed with the configuration as defined in the MarkVision Security Whitepaper.
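One way to confirm the import before editing the Tomcat configuration, as an added example that is not Lexmark's code: it lists the new keystore with keytool and checks that the entry carries the private key and the CA chain. The default paths and the MVE_KS_PASS variable name are assumptions, and the pattern matching assumes English keytool output.

```powershell
# Added example, not part of the Lexmark procedure. All default paths are assumptions.
param(
    [string]$KeytoolDir = 'C:\Program Files\Lexmark\Markvision Enterprise\jre\bin', # assumed %install_dir%
    [string]$Keystore   = 'C:\keystores\newjkskeystore.jks',                         # assumed location
    [string]$Pfx        = 'C:\keystores\mypfxfile.pfx'                               # assumed location
)
$keytool = Join-Path $KeytoolDir 'keytool.exe'

# Hand the password to keytool through an environment variable (its :env modifier)
# so it never appears on the command line. MVE_KS_PASS is a hypothetical name.
$secure = Read-Host 'Keystore password' -AsSecureString
$env:MVE_KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    $listing = (& $keytool -list -v -keystore $Keystore '-storepass:env' MVE_KS_PASS 2>&1 | Out-String)
    $exit = $LASTEXITCODE
} finally {
    Remove-Item Env:\MVE_KS_PASS -ErrorAction SilentlyContinue
}
if ($exit -ne 0) { throw "keytool could not read ${Keystore}:`n$listing" }

# A usable Tomcat keystore needs a PrivateKeyEntry. If the IIS export was made
# without "Yes, export the private key", no such entry exists after the import.
$keyEntries = [regex]::Matches($listing, 'Entry type:\s*PrivateKeyEntry').Count
if ($keyEntries -eq 0) {
    throw 'No PrivateKeyEntry found: the private key from IIS is not in this keystore.'
}
"PrivateKeyEntry count    : $keyEntries"

# Chain length 1 means only the server certificate was imported.
$chain = [regex]::Match($listing, 'Certificate chain length:\s*(\d+)')
if ($chain.Success) {
    $len = [int]$chain.Groups[1].Value
    "Certificate chain length : $len"
    if ($len -lt 2) {
        Write-Warning 'Only the server certificate is present; the CA certificates from the certification path are missing.'
    }
}

# Show alias, subject, issuer and validity to compare against the issued certificate.
$listing -split "`r?`n" | Where-Object { $_ -match '^(Alias name|Owner|Issuer|Valid from):' }

# The PFX holds the same private key as the keystore.
if (Test-Path $Pfx) {
    Write-Warning "$Pfx still contains the private key; delete it or restrict access once the import is verified."
}
```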
Still Need Help?
Have the following available when calling Lexmark Technical Support:
- Printer model(s)
- Printer serial number
- Software / Solution
LEGACY ID:
FA1186