Install certificate for CUPS 8.1

Hi All,

How do I go about installing a certificate for CUPS in RedHat 8.1?

90]: [Client 5] Waiting for request.
Feb 06 15:46:28 wall-prt-04.njresources.com cupsd[3090]: [Client 4] Unable to encrypt connection: A TLS fatal alert has been received.
Feb 06 15:46:28 wall-prt-04.njresources.com cupsd[3090]: [Client 4] Closing connection.
Feb 06 15:46:28 wall-prt-04.njresources.com cupsd[3090]: cupsdSetBusyState: newbusy="Not busy", busy="Active clients"
Feb 06 15:46:28 wall-prt-04.njresources.com cupsd[3090]: [Client 5] Unable to encrypt connection: A TLS fatal alert has been received.
Feb 06 15:46:28 wall-prt-04.njresources.com cupsd[3090]: [Client 5] Closing connection.

Responses

Hi Christopher,

CUPS is able to generate a certificate and key by itself when you set the following in /etc/cups/cupsd.conf (for the cupsd daemon) or in /etc/cups/client.conf (for client programs, e.g. lpstat):

Encryption Required

and restart the cups service (only when you write to cupsd.conf):

$ sudo systemctl restart cups

For clients, the certificate and key are generated after starting a client (e.g. by issuing the 'lpstat -a' command).

For the server, they can be generated by e.g. accessing the CUPS Web UI at https://:631 - Firefox will show a warning about a potential security risk; click on 'Advanced' and then click on 'Accept the Risk and Continue'. CUPS will use the self-generated certificate and key from then on. The warning appears because CUPS uses TOFU (Trust On First Use) behavior, as ssh does - the user needs to confirm it is okay to use them.

Another way is to import a certificate and key yourself - you can do it by copying the .crt and .key files into the /etc/cups/ssl directory, renaming them to .crt and .key, setting ownership to root with permissions 644 and restarting the cups service. This way you even get rid of the warning in the browser.
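
A pre-flight check for the import route described in the reply above, as an added example that is not part of the original post: it confirms that a certificate and key belong together, that the certificate has not expired, and that it covers the name clients use to reach the print server. The function name, return codes and the three arguments (certificate path, key path, host name) are assumptions chosen for this sketch; it needs the `openssl` command-line tool.

```bash
#!/usr/bin/env bash
# Added example: sanity-check a certificate/key pair before copying it into
# /etc/cups/ssl. All three arguments are supplied by the reader (assumptions):
#   $1 = certificate (PEM), $2 = private key (PEM), $3 = name clients connect to
# Return codes: 0 ok, 2 file problem, 3 bad/expired cert, 4 key mismatch,
#               5 host name not covered by the certificate.
check_cups_tls_pair() {
    local crt="$1" key="$2" host="$3" crt_pub key_pub

    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "certificate or key missing/unreadable" >&2
        return 2
    fi

    # -checkend 0 fails if the certificate cannot be parsed or has expired.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate is unparsable or already expired" >&2
        return 3
    fi

    # The public key embedded in the certificate must equal the one derived
    # from the private key. "-passin pass:" makes an encrypted key fail here
    # instead of prompting.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "private key does not belong to this certificate" >&2
        return 4
    fi

    # openssl prints "does match" / "does NOT match" for -checkhost.
    if ! openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null \
            | grep -q "does match"; then
        echo "certificate does not cover host name $host" >&2
        return 5
    fi

    echo "ok: $crt and $key form a usable pair for $host"
    return 0
}
```

A mismatched pair or a certificate issued for a different name is a common cause of clients aborting the handshake, which cupsd logs as "Unable to encrypt connection".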