sashaak

Install own SSL certificate on HP ScanJet Pro N4000 snw1 does not work

I have a brand new HP ScanJet Pro N4000 snw1, firmware 0.80.

I would like to install a self created SSL certificate and I can't.

Variant 1: import p12 certificate, containing a private key works. I see a certificate on the certificate management site, but the certificate is not used for the website.

Variant 2: create the CSR on the scanner's website and create a cert from it. I can create a CSR, but if I try to import the certificate made from it, I always get the message "password incorrect". Though, there is no password at all: after the creation of the CSR you just import the cert without a private key.

Does somebody have an idea what is wrong?

Url: https://administrator.de/contentid/53993779015

Member: ITwissen
ITwissen Feb 09, 2024 at 10:32:47 (UTC)
Make sure the hostname and domain configured in the device are the same as in the certificate.

Caching problem of the browser?
Member: sashaak
sashaak Feb 09, 2024 at 10:39:38 (UTC)
Quote from @ITwissen:

Make sure the hostname and domain configured in the device are the same as in the certificate.

Caching problem of the browser?

The host name and domain are the same and I tried with different browsers...
Member: abramakabra
abramakabra Feb 09, 2024 updated at 12:09:04 (UTC)
Cross post
Variant 1: import p12 certificate, containing a private key works. I see a certificate on the certificate management site, but the certificate is not used for the website.
Assign the cert to be used by the interface. Check the options on the management interface.
Which encryption standard was used to create the PFX/P12 container? Try to create the container using the legacy DES format, or convert it using openssl.
Are you really sure that the certificate should be used by the scanner's management page? I think this is only used for authentication to remote servers and server certificate validation.
Member: sashaak
sashaak Feb 09, 2024 at 13:30:08 (UTC)
Quote from @abramakabra:

Assign the cert to be used by the interface. Check the options on the management interface.

I couldn't find this option, unfortunately.

Which encryption standard was used to create the PFX/P12 container? Try to create the container using the legacy DES format, or convert it using openssl.

It is RSA; but I don't think it is an issue here: the cert was read by the website...

Are you really sure that the certificate should be used by the scanner's management page? I think this is only used for authentication to remote servers and server certificate validation.

Yes, I'm sure.
Member: abramakabra
abramakabra Feb 09, 2024 updated at 13:38:42 (UTC)
Quote from @sashaak:

It is RSA

No, that is not what I mean; I mean the encryption scheme of the P12 container, whether it is a legacy one or a modern one with AES-256 encryption!

but I don't think it is an issue here: the cert was read by the website...

That it can read the container does not mean it is correctly decoded.
Member: sashaak
sashaak Feb 09, 2024 at 13:40:58 (UTC)
Quote from @abramakabra:

No, that is not what I mean; I mean the encryption scheme of the P12 container, whether it is a legacy one or a modern one with AES-256 encryption!

I think it was a modern one. I created it using openssl as follows:

openssl pkcs12 -export -out hp-scanner.p12 -inkey key.key -in cert.pem
Member: abramakabra
abramakabra Feb 09, 2024 updated at 13:47:32 (UTC)
I think it was a modern one

Show us the output of ...

openssl pkcs12 -in hp-scanner.p12 -info -noout

Better first create a legacy one and then test again.

P12 certificate from current Linux servers cannot be imported on IIS (allegedly wrong password)
Member: sashaak
sashaak Feb 09, 2024 updated at 13:51:22 (UTC)
Here you are:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

Will try to create a legacy one 🙂
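Telling a legacy container from a modern one by eye is error-prone, so here is an added example (not from the thread) that parses `openssl pkcs12 -info -noout` output and reports whether the container uses the PKCS#12 v1 ciphers (SHA-1 MAC, RC2-40 / 3DES, which `openssl pkcs12 -export -legacy` or `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` produce) or the modern PBES2/AES-256 scheme shown above. The modern dump is the one posted above; the legacy dump is a constructed sample.

```python
# Constructed samples. MODERN_INFO is the "openssl pkcs12 -info -noout" output
# posted above (PBES2 / PBKDF2 / AES-256-CBC, SHA-256 MAC); LEGACY_INFO is what a
# container built with "openssl pkcs12 -export -legacy" is expected to look like.
MODERN_INFO = """\
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
"""
LEGACY_INFO = """\
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
"""

# PKCS#12 v1 password-based encryption schemes (RFC 7292, Appendix C). Older
# embedded TLS stacks frequently support only these, not PBES2 with AES.
LEGACY_PBES = {"pbeWithSHA1And40BitRC2-CBC", "pbeWithSHA1And128BitRC2-CBC",
               "pbeWithSHA1And3-KeyTripleDES-CBC", "pbeWithSHA1And2-KeyTripleDES-CBC"}

def parse_pkcs12_info(text):
    """Pick the MAC digest, certificate-bag cipher and key-bag cipher out of the dump."""
    info = {"mac": None, "cert_bag": None, "key_bag": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("MAC:"):
            info["mac"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("PKCS7 Encrypted data:"):
            info["cert_bag"] = line.split(":", 1)[1].strip()
        elif line.startswith("Shrouded Keybag:"):
            info["key_bag"] = line.split(":", 1)[1].strip()
    return info

def is_legacy_container(text):
    """True if the MAC is SHA-1 and every encrypted part uses a PKCS#12 v1 PBE."""
    info = parse_pkcs12_info(text)
    encrypted = [p for p in (info["cert_bag"], info["key_bag"]) if p]
    if info["mac"] is None or not encrypted:
        raise ValueError("not a recognisable 'openssl pkcs12 -info' dump")
    return info["mac"] == "sha1" and all(
        p.split(",")[0].strip() in LEGACY_PBES for p in encrypted)

if __name__ == "__main__":
    for name, dump in (("modern", MODERN_INFO), ("legacy", LEGACY_INFO)):
        print(name, parse_pkcs12_info(dump), "legacy:", is_legacy_container(dump))
```

Feed it the real dump with `is_legacy_container(open("dump.txt").read())`; a device that only "reads" a PBES2 container but never activates it is a hint to retry with the legacy scheme, as suggested above.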
Member: sashaak
sashaak Feb 09, 2024 at 14:32:52 (UTC)
The p12-container, which was encrypted with the legacy switches, was also successfully added to the scanner, but the website is not using it...
Member: abramakabra
abramakabra Feb 09, 2024 updated at 14:38:09 (UTC)
OK, then show us all your settings you have set (screenshots).

What does the HP support say?
Member: sashaak
sashaak Feb 09, 2024 at 15:48:37 (UTC)
Certificate settings:
[screenshot: 2024-02-09_163336]
Member: sashaak
sashaak Feb 09, 2024 at 15:49:23 (UTC)
HP Support was informed; I'm waiting for response.
Member: abramakabra
abramakabra Feb 09, 2024 updated at 15:58:20 (UTC)
OK, let's wait. Seems to be a bug then, if it does not work when you reset the scanner to default settings.
Have you cleared your browser cache? => use private mode as best practice
Did you really call the page by its common name afterwards?
Member: sashaak
sashaak Feb 09, 2024 at 15:59:41 (UTC)
Quote from @abramakabra:

OK, let's wait. Seems to be a bug then, if it does not work when you reset the scanner to default settings.
Have you cleared your browser cache? => use private mode as best practice
Did you really call the page by its common name afterwards?

Yes, I did both. New browser, other workstation, call the web page by CN or by IP...
Member: abramakabra
abramakabra Feb 09, 2024 updated at 16:31:08 (UTC)
Did your certs contain the necessary extensions for a webserver certificate? "keyAgreement, keyEncipherment, digitalSignature" and extendedKeyUsage "serverAuth".

Sorry, but we need to pull everything out of your nose, because we can't see that much information from your post, but wait ... OK, it's Friday, so nothing unusual 💩
Member: sashaak
sashaak Feb 09, 2024 at 17:21:40 (UTC)
Quote from @abramakabra:

Did your certs contain the necessary extensions for a webserver certificate? "keyAgreement, keyEncipherment, digitalSignature" and extendedKeyUsage "serverAuth".

Sorry, but we need to pull everything out of your nose, because we can't see that much information from your post, but wait ... OK, it's Friday, so nothing unusual 💩

Not all extensions you've listed are used.

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

According to my experience, these extensions are enough for a web server (Apache, Nginx and many routers are happy with this set). But thanks, I will try to add keyAgreement + digitalSignature, though I think both are for something else, not for the plain web server.

Sorry, I don't know a joke about Friday 🙂
Member: sashaak
sashaak Feb 09, 2024 updated at 17:32:42 (UTC)
[v3_req]
keyUsage = keyEncipherment, dataEncipherment, keyAgreement, digitalSignature
extendedKeyUsage = serverAuth

Okay, adding the additional extensions didn't help, unfortunately.
Member: abramakabra
abramakabra Feb 09, 2024 updated at 18:03:55 (UTC)
Please post the complete settings of the cert. Is the common name also listed as SubjectAlternativeName?
subjectAltName = DNS:demo.tld
Member: sashaak
sashaak Feb 09, 2024 at 18:39:50 (UTC)
Here you are:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Narnia
L = Musterhausen
O = Chemtrail SE and Co. Unlimited
OU = Spray and Pray Department

#CN must be FQDN
CN = om.kc.lan

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

subjectAltName = @alt_names

[alt_names]

#DNS.1 = om
# DNS alt name is disabled. Some devices don't like DNS names without a domain 
IP.1=192.168.20.14
Member: abramakabra
abramakabra Feb 09, 2024 at 19:29:48 (UTC)
You are missing the CN as SAN entry.
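The two points raised in this exchange (the CN has to appear as a SAN DNS entry, and a server certificate needs particular keyUsage / extendedKeyUsage bits) can be checked before a cert is issued. Here is an added example, not from the thread, that lints an openssl `req` config like the one posted above; the embedded config is a trimmed copy of that post, and the checks follow what RFC 5280 / RFC 6125 and current browsers expect.

```python
import configparser

# Constructed sample: the openssl req config posted above, trimmed to the parts
# that matter here (CN, keyUsage, extendedKeyUsage, subjectAltName).
REQ_CONF = """\
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
CN = om.kc.lan
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
#DNS.1 = om
IP.1=192.168.20.14
"""

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def _san_entries(cp, raw):
    """Expand 'subjectAltName = @section' or an inline 'DNS:a,IP:b' list to (type, value)."""
    if raw.startswith("@"):
        return [(k.split(".")[0], v) for k, v in cp[raw[1:]].items()]
    return [tuple(e.split(":", 1)) for e in _csv(raw) if ":" in e]

def lint_server_cert_config(conf_text):
    """Return findings for what browsers and TLS stacks expect of a server certificate."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                       # keep key case: keyUsage, DNS.1, IP.1
    cp.read_string(conf_text)
    req = cp["req"]
    dn, ext = cp[req["distinguished_name"]], cp[req["req_extensions"]]
    findings = []
    cn = dn.get("CN", "")
    dns_names = [v for t, v in _san_entries(cp, ext.get("subjectAltName", "")) if t == "DNS"]
    # RFC 6125 and current browsers match the host name against SAN only; CN is ignored
    if cn and cn not in dns_names:
        findings.append(f"CN {cn} is not a DNS entry in subjectAltName")
    ku = _csv(ext.get("keyUsage", ""))
    # TLS signs the handshake (digitalSignature) and, for RSA key transport in TLS 1.2,
    # needs keyEncipherment; dataEncipherment is not used by TLS at all
    for bit, why in (("digitalSignature", "TLS handshake signature"),
                     ("keyEncipherment", "RSA key transport in TLS 1.2")):
        if bit not in ku:
            findings.append(f"keyUsage lacks {bit} ({why})")
    if "serverAuth" not in _csv(ext.get("extendedKeyUsage", "")):
        findings.append("extendedKeyUsage lacks serverAuth")
    return findings
```

Run against the posted config it reports the missing SAN DNS entry and the missing digitalSignature bit; as the rest of the thread shows, a clean report does not guarantee the firmware will actually activate the certificate.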
Member: sashaak
sashaak Feb 09, 2024 updated at 19:39:54 (UTC)
Will try it out.
Member: sashaak
sashaak Feb 09, 2024 at 21:27:00 (UTC)
Also having the CN as SAN doesn't help.
Member: ITwissen
ITwissen Feb 10, 2024 at 05:10:24 (UTC)
I suggest using a GUI tool like this:
XCA
Member: sashaak
Solution sashaak Feb 14, 2024 at 16:54:57 (UTC)
Update from HP support: it is not possible to install own cert for this device type.
Member: abramakabra
abramakabra Feb 14, 2024 updated at 17:18:14 (UTC)
Quote from @sashaak:

Update from HP support: it is not possible to install own cert for this device type.

As I suspected in the first place ... Thanks for the update.