HTTPS connection, SANs troubleshooting

  • Ornitorrinco Mordaz
    Technician
    • Nov 2024
    • 16

    #1

    HTTPS connection, SANs troubleshooting

    Hello everybody, I am doing an experiment with a bizhub C550i. My goal is to establish an HTTPS connection when entering through the IP address, using a self-signed certificate on the printer. I am already able to make the connection when entering through the DNS host name, after creating the certificate and adding it to the trusted root certificates on my PC, but no luck when entering through the IP number.

    My understanding is that in the creation of the certificate there should be a section about subject alternative names (or SANs); one of them would be the DNS host name and the other one the printer's IP number.

    So I exported the certificate that the printer creates and opened its contents with OpenSSL, and indeed it has a SAN section, but the only name that appears is the DNS host name. I believe that's the reason it only works when entering it.

    So my question would be: is there a way to add more SANs to the certificate when creating the self-signed certificate from the printer? I know the printer takes the common name of the certificate from the DNS host name in the network settings; should I add the printer's IP to another field?

    Thanks for the help
  • Duplicator
    IT Manager

    100+ Posts
    • May 2022
    • 245

    #2
    Originally posted by Ornitorrinco Mordaz
    So my question would be: is there a way to add more SANs to the certificate when creating the self-signed certificate from the printer? I know the printer takes the common name of the certificate from the DNS host name in the network settings; should I add the printer's IP to another field?

    Thanks for the help
    I would do this fully in openssl and just import the result into the copier. The wizard is designed to be basic and not give out all the options. openssl's command line options will give you much more control over the results.
    Worked in IT for 12 years from Helpdesk up to System Administrator. Now working as the IT Manager at a copier company for the last 4 years.

    If I helped you out, please give me a thumbs up! It helps my reputation.

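The "do it fully in openssl and import the result" route from the reply above, as an added example that is not the poster's own commands: a POSIX shell script that writes an OpenSSL config listing the copier's DNS host name, an alias and its IP address in the SAN, generates the self-signed key and certificate from it, and prints the SAN back so the IP entry can be confirmed before anything is imported into the copier. Assumes OpenSSL 1.1.1 or newer; the host name kmbhc550i, the alias and the IP 192.0.2.10 are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed cert whose SAN
# lists the copier's DNS host name, an alias and its IP, then print the SAN
# back to confirm the IP entry before importing. Needs OpenSSL 1.1.1+.
set -eu

# Constructed sample values; replace with the real host name and IP.
# The CN must still equal the copier's DNS host name from Network settings.
HOST_DNS="kmbhc550i"
HOST_ALIAS="kmbhc550i.example.lan"
PRINTER_IP="192.0.2.10"
WORK="${TMPDIR:-/tmp}/printer-san-cert"

# make_san_cert: write san.cnf, then key.pem and cert.pem under $WORK.
make_san_cert() {
    mkdir -p "$WORK"
    cat > "$WORK/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $HOST_DNS
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST_DNS
DNS.2 = $HOST_ALIAS
IP.1 = $PRINTER_IP
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" 2>/dev/null
}

# cert_san PEM: print the SAN entries of a certificate on one line.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

make_san_cert
echo "SAN: $(cert_san "$WORK/cert.pem")"
# Bundle key + cert as PKCS#12 if the copier's import wants that format.
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/cert.p12" -passout pass:changeit
```

The printed SAN line must show an `IP Address:` entry; if the copier later serves a certificate without one, the import replaced nothing and the wizard certificate is still in use.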

    • Ornitorrinco Mordaz
      Technician
      • Nov 2024
      • 16

      #3
      I already tried that way, and it gives the same result of only working with the DNS host name. I believe it is because there's nothing in the printer that tells it it should use HTTPS when entering through the IP, in the same way that the common name of the certificate is the DNS host name.

      I'm going to try again, but I wanted to be sure that it wasn't possible through this method.


      • Duplicator
        IT Manager

        100+ Posts
        • May 2022
        • 245

        #4
        That might be your browser too. Traditionally directly using IPs would work around the certificate check. It would still do TLS/SSL but the cert would just be whatever it was.
        If you use the "s_client" option with openssl pointed to the copier's IP at 443 does it give back the correctly modified cert?

        Remember, at the end of the day the copier is a Linux PC running a web server. It's not special or magical in any really meaningful way.

        Check the settings under (assuming this is a 4, 4e, 8, or 8e machine) Security -> PKI Settings -> Protocol setting. Memory says there is a way to force HTTPS but I don't have a copier with a cert installed nearby to test it with.

        • Ornitorrinco Mordaz
          Technician
          • Nov 2024
          • 16

          #5
          It does; it also shows the information of the certificate, which is correct. There is one error in one section, and that's "Verification error: self-signed certificate". I think it would give this error anyway because this is a self-signed certificate.

          I thought about the protocol settings as well and I configured it this way:
          [image.png: screenshot of the protocol settings, not reproduced]


          • Ornitorrinco Mordaz
            Technician
            • Nov 2024
            • 16

            #6
            OK, I made a certificate with OpenSSL with SANs included; this time I also added another DNS name (KMBHC550I). However, it only makes a secure connection when entering through the DNS hostname that appears in the network settings of the printer, which is also the name that the printer automatically uses as the Common Name in the certificate. Now I believe that it ignores the SANs section altogether.


            • Ornitorrinco Mordaz
              Technician
              • Nov 2024
              • 16

              #7
              ANOTHER UPDATE: with the same certificate I upgraded to the firmware G00-RB, which does a bunch of funny business with TLS protocols. After updating, the printer managed to make the secure connection while using the DNS hostname and the printer's IP, but not while using another DNS name that I put in the SANs section of the certificate. According to ChatGPT (I was using it to troubleshoot) it is possible the printer is hard coded to relate the DNS hostname and the printer's IP, and since the printer uses the DNS hostname as the common name in the certificate, it relates it to the IP as well. This would mean that the printer is still ignoring the SANs section, but at least I can take that into consideration.

              I also wonder, for printers not as new as this one, would it be impossible to do the same? Since the fix was in the firmware, that would mean that older printers that no longer get support would not get the fix.

              Also, the reason why I was using an i-Series is because I never managed to import external certificates to printers from the 4 Series and 8 Series. This was necessary because I believe these machines don't support SANs, but I don't know if there is a way to do the secure connection.

              If you guys are interested I will continue to update the thread with more testing when I get my hands on more printers or when I stumble on relevant bulletins.


              • tsbservice
                Field tech

                Site Contributor
                5,000+ Posts
                • May 2007
                • 7909

                #8
                Originally posted by Ornitorrinco Mordaz
                ANOTHER UPDATE: with the same certificate I upgraded to the firmware G00-RB, which does a bunch of funny business with TLS protocols. After updating, the printer managed to make the secure connection while using the DNS hostname and the printer's IP, but not while using another DNS name that I put in the SANs section of the certificate. According to ChatGPT (I was using it to troubleshoot) it is possible the printer is hard coded to relate the DNS hostname and the printer's IP, and since the printer uses the DNS hostname as the common name in the certificate, it relates it to the IP as well. This would mean that the printer is still ignoring the SANs section, but at least I can take that into consideration.

                I also wonder, for printers not as new as this one, would it be impossible to do the same? Since the fix was in the firmware, that would mean that older printers that no longer get support would not get the fix.

                Also, the reason why I was using an i-Series is because I never managed to import external certificates to printers from the 4 Series and 8 Series. This was necessary because I believe these machines don't support SANs, but I don't know if there is a way to do the secure connection.

                If you guys are interested I will continue to update the thread with more testing when I get my hands on more printers or when I stumble on relevant bulletins.
                Keep posting, no problems. One question: what is the purpose, I mean, what do you want to achieve in reality?
                A tree is known by its fruit, a man by his deeds. A good deed is never lost, he who sows courtesy, reaps friendship, and he who plants kindness gathers love.
                Blessed are they who can laugh at themselves, for they shall never cease to be amused.


                • Duplicator
                  IT Manager

                  100+ Posts
                  • May 2022
                  • 245

                  #9
                  Originally posted by Ornitorrinco Mordaz
                  ANOTHER UPDATE: with the same certificate I upgraded to the firmware G00-RB, which does a bunch of funny business with TLS protocols. After updating, the printer managed to make the secure connection while using the DNS hostname and the printer's IP, but not while using another DNS name that I put in the SANs section of the certificate. According to ChatGPT (I was using it to troubleshoot) it is possible the printer is hard coded to relate the DNS hostname and the printer's IP, and since the printer uses the DNS hostname as the common name in the certificate, it relates it to the IP as well. This would mean that the printer is still ignoring the SANs section, but at least I can take that into consideration.

                  I also wonder, for printers not as new as this one, would it be impossible to do the same? Since the fix was in the firmware, that would mean that older printers that no longer get support would not get the fix.

                  Also, the reason why I was using an i-Series is because I never managed to import external certificates to printers from the 4 Series and 8 Series. This was necessary because I believe these machines don't support SANs, but I don't know if there is a way to do the secure connection.

                  If you guys are interested I will continue to update the thread with more testing when I get my hands on more printers or when I stumble on relevant bulletins.
                  Keep posting. This is fascinating. I've dived into certificates on servers, sure, but never on MFPs.

                  Some fixes are back ported to older machines, some are not. You really need access to the release notes to know. What is probably easier is to just update to the latest and try it. Things may also change in special firmwares. Each family (4, 4e and 7, 8, 8e, 9 and 0i, 1i) has its own firmware.

                  Do you have access to the Konica dealer portal?

                  • Ornitorrinco Mordaz
                    Technician
                    • Nov 2024
                    • 16

                    #10
                    Originally posted by tsbservice

                    Keep posting, no problems. One question: what is the purpose, I mean, what do you want to achieve in reality?
                    Some clients' environments require this level of security. A few weeks back one of our clients in manufacturing required us to get rid of the warning in the browser that occurs when HTTPS is not achieved, because they were audited; in the end they decided to turn off the web page of every single printer.

                    I like to have the solutions to these problems at least in a home environment, so that I can at least offer that to the client, even if it would not be the best fix for them.


                    • tsbservice
                      Field tech

                      Site Contributor
                      5,000+ Posts
                      • May 2007
                      • 7909

                      #11
                      Originally posted by Ornitorrinco Mordaz

                      Some clients' environments require this level of security. A few weeks back one of our clients in manufacturing required us to get rid of the warning in the browser that occurs when HTTPS is not achieved, because they were audited; in the end they decided to turn off the web page of every single printer.

                      I like to have the solutions to these problems at least in a home environment, so that I can at least offer that to the client, even if it would not be the best fix for them.
                      Good luck and keep us updated.

                      • Duplicator
                        IT Manager

                        100+ Posts
                        • May 2022
                        • 245

                        #12
                        Originally posted by Ornitorrinco Mordaz

                        Some clients' environments require this level of security. A few weeks back one of our clients in manufacturing required us to get rid of the warning in the browser that occurs when HTTPS is not achieved, because they were audited; in the end they decided to turn off the web page of every single printer.
                        Ugh... the dreaded audit... "Qualys has red light. Must disable."

                        Joking aside, I'm going to send you a PM for an openssl command. Posting its output publicly is probably not a good idea. If anyone stumbles across this thread in the future and is looking for info, it is:
                        openssl s_client -showcerts -servername <fqdn.of.copier.domain.tld> -connect <copier ip or fqdn here>:443 -tls1_2

                        Originally posted by Ornitorrinco Mordaz
                        OK, I made a certificate with OpenSSL with SANs included; this time I also added another DNS name (KMBHC550I). However, it only makes a secure connection when entering through the DNS hostname that appears in the network settings of the printer, which is also the name that the printer automatically uses as the Common Name in the certificate. Now I believe that it ignores the SANs section altogether.

                        To be clear, I don't know, but I suspect this happens because the copier's web host is only using the cert for its name listed in the cert. That way it would never hand out the wrong cert if many were installed. We will find out, however, with the above command.
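A way to check a certificate the same way a browser does, as an added example that is not from the thread: `openssl x509 -checkhost` and `-checkip` answer whether a PEM certificate covers a given name or IP, and a small helper wraps the s_client command from the reply above to save the leaf certificate a copier actually serves, so the cert you exported can be compared with the one on the wire. Assumes OpenSSL 1.1.1 or newer; kmbhc550i and 192.0.2.10 are constructed sample values, and the served_cert helper is defined but not run because it needs a live copier.

```shell
#!/bin/sh
# Added example, not from the thread: test whether a PEM certificate covers a
# host name / IP the way a browser would, and capture the leaf cert a copier
# really serves. Needs OpenSSL 1.1.1 or newer.
set -eu
WORK="${TMPDIR:-/tmp}/printer-cert-check"
mkdir -p "$WORK"

# served_cert HOST_OR_IP SNI_NAME: save the first (leaf) certificate the
# copier hands out to $WORK/served.pem. Not called below: needs a live copier.
served_cert() {
    openssl s_client -showcerts -servername "$2" -connect "$1:443" -tls1_2 \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        awk '/BEGIN CERTIFICATE/ { n++ } n == 1' > "$WORK/served.pem"
}

# cert_matches_host PEM NAME: exit 0 when NAME is covered (SAN dNSName
# entries; the CN is only consulted when the cert has no dNSName at all).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_matches_ip PEM IP: exit 0 only when IP is an iPAddress SAN entry.
# The CN is never used for IPs, which is why a CN-only cert fails by IP.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# Constructed sample certs (hostname kmbhc550i, IP 192.0.2.10): a CN-only
# one like the copier wizard makes, and one with hostname and IP in the SAN.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kmbhc550i" \
    -keyout "$WORK/k1.pem" -out "$WORK/cn_only.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kmbhc550i" \
    -addext "subjectAltName=DNS:kmbhc550i,IP:192.0.2.10" \
    -keyout "$WORK/k2.pem" -out "$WORK/with_san.pem" 2>/dev/null

for f in cn_only with_san; do
    if cert_matches_host "$WORK/$f.pem" kmbhc550i; then h=yes; else h=no; fi
    if cert_matches_ip "$WORK/$f.pem" 192.0.2.10; then i=yes; else i=no; fi
    echo "$f.pem: covers kmbhc550i=$h covers 192.0.2.10=$i"
done
```

Running the same two checks against `$WORK/served.pem` after `served_cert` tells you whether the copier is serving the imported certificate at all, separating "browser still warns on the IP" into "cert lacks the IP" versus "copier never switched certificates".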