Installing and Managing Certificates Using Printer Policies


Introduction

Certificates are a critical part of printer security: they secure communication between the printer and other network resources, and an identity certificate lets the printer prove who it is, for example to an 802.1X-protected network. WXP supports two policy settings, CA Certificate (the certificate authorities the printer trusts) and Identity Certificate (the printer's own certificate and key pair), that you can use to distribute your organization's certificates to your fleet of printers and keep them properly secured.

Target Audience

Printer Administrators who define and manage policies for enforcement.

Installing and Configuring a CA Certificate via Policy

To configure your CA Certificate setting in a policy:  

  1. Create or modify a printer-specific or a printer group policy.

  2. On the Select Policy Settings page, locate and select CA Certificate.

  3. Click Next. The Set Options page appears.  

  4. In the Settings list, click CA Certificate to expand it and display its configurable properties.

  5. Modify the Assessment and Remediations options on the left of the panel as necessary.

  6. In the Settings attributes pane on the right of the panel, specify the Certificate Overwrite Options. You can choose to:

      • Overwrite: replace the CA certificates already on the printer with the certificates specified in this policy.

      • Add: append the certificates specified in this policy to the list of CA certificates already present on the printer.

  7. Add the certificate that you want to upload to all printers impacted by this policy:

      1. Click Add.  

      2. Browse to the location where your certificate is stored and select the certificate.

      3. Click Open.

  8. To add additional certificates, repeat Step 7 as necessary.

  9. Click Create/Save.

Installing and Configuring an Identity Certificate via Printer Policy

To configure your ID Certificate setting in a policy:  

  1. Create or modify a printer-specific or a printer group policy.

  2. On the Select Policy Settings page, locate and select Identity Certificate.

  3. Click Next. The Set Options page appears.  

  4. In the Settings list, click Identity Certificate to expand it and display configurable properties.

  5. Modify the Assessment and Remediations options on the left of the panel as necessary.

  6. Specify the Signing Request Settings. These are the subject fields placed in the Certificate Signing Request (CSR) that identify the printer and the organization that owns it, the key type and strength used to generate the printer's key pair, and the hash algorithm used to sign the request:

  Source of Common Name (CN)
      Whether to use the Fully Qualified Domain Name (FQDN) of the printer's Embedded Web Server or the printer's IP address as the Common Name (CN) value.

  Organization Name (O)
      The organization that manages the printer.

  Organization Unit (OU)
      The organizational unit responsible for managing the printer.

  City (L)
      The city in which the organization is located.

  State (ST)
      The state in which the organization is located.

  Country (C)
      The two-letter country code representing the country in which the organization is located.

  Include Subject Alternative Name (SANs) in Certificates
      When checked, lets you add one or more alternative names under which the certificate is valid, in addition to the CN. Choose one of the following options:

      • FQDN: uses the printer's Fully Qualified Domain Name as the alternative name.

      • Hostname: uses the printer's Embedded Web Server hostname as the alternative name.

      • IP Address: uses the printer's IP address.

      • UPN (User Principal Name): links the certificate to a specific account login. UPNs are typically used in Windows environments such as Active Directory. If you select this option, you must also enter the Username and Domain of the User Principal Name, which identify the printer during authentication.

      Including SANs ensures that the certificate is valid for each name or address the printer is reached by, which avoids name-mismatch trust errors. Most modern TLS clients check the host name against the SAN and ignore the CN, so a certificate with no SAN will not validate for a host name at all. If the CN is taken from the IP address, include the IP address as a SAN as well.

      If you intend to use this ID certificate for 802.1X authentication (wired or wireless), you should enable this setting and...

  Check SANs in Policy Assessments
      Check this setting to have WXP assess whether the SANs in the ID certificate installed on the printer match the SANs requested in the Certificate Signing Request (CSR).

  Encryption Key
      The key type used to generate the printer's public/private key pair. You can choose between:

      • RSA: a public-key algorithm used for both encryption and digital signatures; the printer keeps the private key and publishes the public key in its certificate.

        Choose an Encryption Key Length between 2048 and 8192 bits. Longer keys are stronger but slower to generate and use on the printer; 2048 bits is the usual minimum.

      • ECDSA: an elliptic curve digital signature algorithm. Elliptic curve cryptography (ECC) provides security comparable to RSA with much smaller keys, so key generation and TLS handshakes are faster.

        For the Encryption Key Length, choose the curve: P-256, P-384, or P-521.

      Note: If you intend to use the P-521 elliptic curve, you must first enable this curve in the registry of the Web Jetadmin server. For more information, see Before using the P-521 encryption key when configuring your ID Certificate.

  Algorithm Used to Sign Certificate Request
      The hash algorithm used when the printer signs the CSR with its new private key. Choose one of SHA-256, SHA-384, or SHA-512. A longer digest gives a larger security margin; the usual pairing is SHA-256 with P-256, SHA-384 with P-384, and SHA-512 with P-521. This setting applies to the request only; the CA normally chooses the hash used to sign the issued certificate.

  7. Specify the values for the Certificate Authority Settings:

  Certificate Enrollment Method
      The method used to request or obtain certificates from the Certificate Authority. Currently, there is only one method available, EST Connector (Enrollment over Secure Transport, RFC 7030).

      You must provide the EST URL and Port.

  Authenticate with EST User Credentials instead of an EST Certificate
      When enabled, the EST Server Username and Password are used to authenticate to the EST server. When disabled, the EST Certificate Serial Number and Password are used to authenticate.

      You must provide the appropriate authentication credentials based on whether this setting is enabled or disabled.

  Arbitrary Label for EST URL
      An optional path segment, the "arbitrary label" defined in RFC 7030, inserted into the EST URL after /.well-known/est/ so that an EST server fronting several CAs can route the request to the right one. Leave it empty unless your EST server requires a label.

  8. Specify the Certificate Lifecycle settings:

  Certificate Renewal Threshold (Days)
      The number of days before the certificate's expiration date at which you want the system to request a renewed certificate, so that the printer is never left with an expired identity.

  Remove Inactive ID Certificates from Printer
      When enabled, WXP removes any inactive (superseded or expired) ID certificates from the printer.

  9. Click Create/Save.
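The following is an added example for this page, not WXP or Web Jetadmin code. It checks an identity certificate exported from a printer (PEM or DER .cer file) against the values the policy above puts into the CSR and lifecycle settings: the names the printer must be reachable by (SAN), the key type and strength, the signature hash you expect from your CA, and the renewal threshold. The file path, printer names and policy values are assumed placeholders; the certificate is read with the .NET X509 classes available in Windows PowerShell 5.1 and later.

```powershell
# Added example, not WXP or Web Jetadmin code. Verifies an exported printer
# identity certificate against the policy's Signing Request and Lifecycle
# settings. Path, printer names and policy values are assumed placeholders.
function Test-PrinterIdCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Every name or address the printer is reached by must be in the SAN:
        # TLS clients validate the host name against the SAN, not the CN.
        [string[]]$ExpectedSans = @('printer01.example.com', '192.0.2.10'),
        [ValidateSet('RSA', 'ECDSA')][string]$KeyType = 'ECDSA',
        [int]$MinKeyBits = 256,          # RSA: 2048..8192; ECDSA: 256/384/521 for P-256/P-384/P-521
        [ValidateSet('sha256', 'sha384', 'sha512')][string]$Hash = 'sha256',  # hash expected on the CA's signature
        [int]$RenewalThresholdDays = 30  # Certificate Renewal Threshold (Days) from the policy
    )

    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # Subject Alternative Name extension, OID 2.5.29.17. On Windows, Format()
    # renders it as "DNS Name=..., IP Address=...".
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if (-not $sanExt) { $findings.Add('no Subject Alternative Name extension') }
    foreach ($name in $ExpectedSans) {
        if ($sanText -notmatch [regex]::Escape($name)) { $findings.Add("SAN does not include $name") }
    }

    # Public key type (by algorithm OID) and strength.
    $keyBits = 0
    $keyOid  = $cert.PublicKey.Oid.Value
    switch ($KeyType) {
        'RSA' {
            if ($keyOid -ne '1.2.840.113549.1.1.1') { $findings.Add("key is not RSA (OID $keyOid)") }
            else { $keyBits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize }
        }
        'ECDSA' {
            if ($keyOid -ne '1.2.840.10045.2.1') { $findings.Add("key is not an EC key (OID $keyOid)") }
            else { $keyBits = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($cert).KeySize }
        }
    }
    if ($keyBits -gt 0 -and $keyBits -lt $MinKeyBits) {
        $findings.Add("$KeyType key is $keyBits bits, policy minimum is $MinKeyBits")
    }

    # Signature hash: FriendlyName is e.g. "sha256RSA" or "sha384ECDSA".
    $sigAlg = $cert.SignatureAlgorithm.FriendlyName
    if ($sigAlg -notmatch "^$Hash") { $findings.Add("signature algorithm is $sigAlg, expected $Hash") }

    # Lifecycle: flag certificates already inside the renewal window.
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le $RenewalThresholdDays) {
        $findings.Add("expires in $daysLeft days, within the $RenewalThresholdDays-day renewal threshold")
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        SubjectAltNames    = $sanText
        KeyBits            = $keyBits
        SignatureAlgorithm = $sigAlg
        DaysUntilExpiry    = $daysLeft
        Compliant          = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage with assumed values: a P-384 / SHA-384 policy for one printer.
Test-PrinterIdCertificate -Path 'C:\certs\printer01.cer' -KeyType ECDSA -MinKeyBits 384 -Hash sha384 |
    Format-List
```

Run it against a certificate exported from the printer's Embedded Web Server after the policy has been applied; a non-empty Findings list shows exactly which policy value the issued certificate does not satisfy, which is the same kind of mismatch the Check SANs in Policy Assessments option reports inside WXP.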
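The following is an added example for this page, not WXP or Web Jetadmin code. It builds the EST URL that the Certificate Authority Settings describe (server, port, optional arbitrary label) and performs the /cacerts operation defined in RFC 7030 so that you can confirm the EST server, port, label and user credentials work before the policy is pushed to a fleet of printers. The host name, port, label and credentials are assumed placeholders.

```powershell
# Added example, not WXP or Web Jetadmin code. Pre-flight check of the EST
# connector settings: build the RFC 7030 URL and fetch the CA chain.
# Host, port, label and credentials are assumed placeholders.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs on Windows PowerShell 5.1

function Get-EstBaseUrl {
    param([Parameter(Mandatory)][string]$EstHost, [int]$EstPort = 443, [string]$Label = '')
    # RFC 7030 section 3.2.2: https://<host>:<port>/.well-known/est[/<label>]/<operation>
    $base = 'https://{0}:{1}/.well-known/est' -f $EstHost, $EstPort
    if ($Label) { $base = "$base/$Label" }
    return $base
}

function Get-EstCaCerts {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        [pscredential]$Credential,        # "Authenticate with EST User Credentials" mode
        [string]$ClientCertThumbprint     # certificate mode: a client cert in Cert:\CurrentUser\My
    )
    $params = @{ Uri = "$BaseUrl/cacerts"; Method = 'Get'; UseBasicParsing = $true }
    if ($Credential)           { $params.Credential = $Credential }
    if ($ClientCertThumbprint) { $params.CertificateThumbprint = $ClientCertThumbprint }

    $resp = Invoke-WebRequest @params
    # /cacerts returns a base64 "certs-only" CMS (application/pkcs7-mime).
    # Invoke-WebRequest hands non-text bodies back as byte[], so handle both.
    $body = if ($resp.Content -is [byte[]]) { [Text.Encoding]::ASCII.GetString($resp.Content) } else { [string]$resp.Content }
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([Convert]::FromBase64String(($body -replace '\s', '')))
    return $cms.Certificates
}

# Usage with assumed values. The returned chain should match the CA certificate
# you upload through the CA Certificate policy setting: a printer must trust the
# issuer of its own identity certificate.
$base = Get-EstBaseUrl -EstHost 'est.example.com' -EstPort 8443 -Label 'printers'
$cred = Get-Credential -Message 'EST Server Username and Password'
Get-EstCaCerts -BaseUrl $base -Credential $cred |
    Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize
```

A TLS or HTTP 401 error here means the EST URL, port, label or credentials in the policy are wrong and every printer receiving the policy would fail enrollment the same way; fixing it at this stage is cheaper than chasing assessment failures across the fleet.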

IMPORTANT: Before using the P-521 encryption key when configuring your ID Certificate

There is a known issue when configuring an ID certificate to use a P-521 elliptic curve key for printers connected through the Print Fleet Proxy. Windows only enables the P-256 and P-384 curves for TLS (Schannel) by default. If you intend to use P-521 keys with your certificate, you must first enable P-521 in the Schannel registry configuration on the Web Jetadmin server. If P-521 is not enabled, the TLS handshake fails and the service is unavailable. The EccCurves value is global to the server: it changes the curves offered by every Schannel-based TLS client and server on that host, so back up the key before changing it.

To enable P-521 for TLS:

  1. On your Web Jetadmin server, open the Registry Editor (regedit.exe) as an administrator.

  2. Navigate to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

  3. Create or edit the Multi-String Value (REG_MULTI_SZ) named EccCurves.

  4. Set the values in priority order, one per line:
    NistP521
    curve25519
    NistP256
    NistP384

  5. Restart the Web Jetadmin (WJA) service.
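The same change scripted, as an added example that is not HP's own tooling: it backs up the key, writes the EccCurves value in the priority order given above while keeping any other curves already configured on the server, restarts the service and reads the value back. The Web Jetadmin service name is an assumption; confirm it with Get-Service before running. Run from an elevated PowerShell prompt on the Web Jetadmin server.

```powershell
# Added example, not HP tooling. Enables P-521 for Schannel TLS by writing the
# EccCurves REG_MULTI_SZ value described above. Run elevated.
$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$ValueName  = 'EccCurves'
$Preferred  = @('NistP521', 'curve25519', 'NistP256', 'NistP384')   # priority order from the procedure
$WjaService = 'HPWJA'                                               # assumed service name; check Get-Service
$Backup     = "$env:TEMP\EccCurves-backup-$(Get-Date -Format yyyyMMddHHmmss).reg"

function Get-EccCurves {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return [string[]]$item.$ValueName
}

function Merge-EccCurves {
    param([string[]]$Current, [string[]]$Preferred)
    # Preferred curves first, in order, then anything else already configured,
    # so an existing custom list is not silently dropped.
    $merged = New-Object System.Collections.Generic.List[string]
    foreach ($curve in ($Preferred + $Current)) {
        if (-not $merged.Contains($curve)) { $merged.Add($curve) }
    }
    return $merged.ToArray()
}

# 1. Back up the key with reg.exe (ships with Windows) so the change can be reverted.
reg.exe export ($KeyPath -replace '^HKLM:\\', 'HKLM\') $Backup /y | Out-Null

# 2. Write the merged list as REG_MULTI_SZ; -Force overwrites an existing value.
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
$newCurves = Merge-EccCurves -Current (Get-EccCurves) -Preferred $Preferred
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString -Value $newCurves -Force | Out-Null

# 3. Restart the Web Jetadmin service so it picks up the new curve list.
Restart-Service -Name $WjaService

# 4. Read the value back; NistP521 should be first.
Get-EccCurves
```

On Windows Server 2016, Windows 10 and later the built-in TLS module offers the same change through cmdlets, Enable-TlsEccCurve -Name NistP521 -Position 0 to add the curve at the top of the list and Get-TlsEccCurve to show the current order; both edit the same registry value. Whichever route you use, remember that the order is the server's preference order for every Schannel TLS connection on that host, not just Web Jetadmin's.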

Contact Us

For any assistance, create a support case or email support@wxp.hp.com.