Machine certificates

  • mikadonovan
    Senior Tech

    Site Contributor
    2,500+ Posts
    • May 2008
    • 2931

    #1

    Machine certificates

    Can someone explain to me what machine certificates are?
    NEVER ASSUME ANYTHING
  • blackcat4866
    Master Of The Obvious

    Site Contributor
    10,000+ Posts
    • Jul 2007
    • 23009

    #2
    Re: Machine certificates

    I'm sure somebody else can give a better explanation, but:

    From what I know, a certificate is electronic credentials of a sort that certifies that your device is safe to communicate across the internet/network. Not a virus. Who can add to that? =^..^=
    If you'd like a serious answer to your request:
    1) demonstrate that you've read the manual
    2) demonstrate that you made some attempt to fix it.
    3) if you're going to ask about jams include the jam code.
    4) if you're going to ask about an error code include the error code.
    5) You are the person onsite. Only you can make observations.

    blackcat: Master Of The Obvious =^..^=


    • mikadonovan
      Senior Tech

      Site Contributor
      2,500+ Posts
      • May 2008
      • 2931

      #3
      Re: Machine certificates

      Originally posted by blackcat4866
      I'm sure somebody else can give a better explanation, but:

      From what I know, a certificate is electronic credentials of a sort that certifies that your device is safe to communicate across the internet/network. Not a virus. Who can add to that? =^..^=
      Thanks David. I ran into an off lease 6004 that I could only access the WIM using Firefox, and even then it stated a security risk because the certificate was "self signed". My brain said WTF. However, it did let me get past that and use the WIM like normal. Just something new to me.

      • blackcat4866
        Master Of The Obvious

        Site Contributor
        10,000+ Posts
        • Jul 2007
        • 23009

        #4
        Re: Machine certificates

        I seem to remember from Kyoceras, that specific certificates (files) can be downloaded for specific machines/applications. Naturally older machines predated that requirement. =^..^=

        • slimslob
          Retired

          Site Contributor
          25,000+ Posts
          • May 2013
          • 37532

          #5
          Re: Machine certificates

          Originally posted by mikadonovan
          Thanks David. I ran into an off lease 6004 that I could only access the WIM using Firefox, and even then it stated a security risk because the certificate was "self signed". My brain said WTF. However, it did let me get past that and use the WIM like normal. Just something new to me.
          The WIM access sounds like someone set up a Device Certificate especially if you have to access WIM as HTTPS. Device Certificates are often used in conjunction with an app that communicates to a local accounting or tracking software. Once into WIM as admin, delete any Device Certificate. It could also be a self signed Site Certificate but that would also affect ability to send email as most SMTP require a Site Certificate signed by a recognized internet Certificate Authority.


          • sandmanmac
            Field Supervisor

            Site Contributor
            2,500+ Posts
            • Feb 2009
            • 3981

            #6
            Re: Machine certificates

            Originally posted by mikadonovan
            Can someone explain to me what machine certificates are?
            Hey Mika,
            You're not alone, not fully understanding the Device certificate thing.
            What I do know, is if the security settings shown in my attached pic are not set as shown - but rather to something like "ciphertext only" or "Encryption Only" you will receive Security / Certificate error messages when trying to use the WIM.
            It may not be the case for you, but something to look for

            Device Certificates.jpg


            • johnyb
              Trusted Tech

              100+ Posts
              • Feb 2011
              • 167

              #7
              Re: Machine certificates

              This is my understanding...

              Certificates are used to establish a trust between the device and the Network or application, and are generally used in conjunction with the TLS/SSL protocols.
              There are Certificate Authority signed certificates, (CA Cert) public and Private.

              Public CA certs are for connections to and from web servers and are generally signed by a trusted cert authority such as DigiCert.
              Private CA certs are for internal network coms to and from the device and can be signed by a trusted cert authority or by the internal network using Microsoft CA.

              Self signed are similar but the key and certificate are generated by the device as a trusted source (this is the weaker option).
              Most devices will have a self signed cert as default.

              Private CA certs are generally given by the customer IT to load onto the device, this then will encrypt any connections using the TLS/SSL protocols - If a device has no certificate installed it may not be trusted on the network and connections may not be made.

              So imagine the scenario...
              The device goes to scan to email via the SMTP server
              The server says have you got a certificate?
              The MFD says yes here you are.
              The server checks and says yes I like you, you have got the correct certificate.
              MFD communicates scan information (encrypted to and from the server)


              • slimslob
                Retired

                Site Contributor
                25,000+ Posts
                • May 2013
                • 37532

                #8
                Re: Machine certificates

                Originally posted by johnyb
                This is my understanding...

                Certificates are used to establish a trust between the device and the Network or application, and are generally used in conjunction with the TLS/SSL protocols.
                There are Certificate Authority signed certificates, (CA Cert) public and Private.

                Public CA certs are for connections to and from web servers and are generally signed by a trusted cert authority such as DigiCert.
                Private CA certs are for internal network coms to and from the device and can be signed by a trusted cert authority or by the internal network using Microsoft CA.

                Self signed are similar but the key and certificate are generated by the device as a trusted source (this is the weaker option).
                Most devices will have a self signed cert as default.

                Private CA certs are generally given by the customer IT to load onto the device, this then will encrypt any connections using the TLS/SSL protocols - If a device has no certificate installed it may not be trusted on the network and connections may not be made.

                So imagine the scenario...
                The device goes to scan to email via the SMTP server
                The server says have you got a certificate?
                The MFD says yes here you are.
                The server checks and says yes I like you, you have got the correct certificate.
                MFD communicates scan information (encrypted to and from the server)
                Good description of the Site certificate which before I retired an MFP had only one. Most internal network coms use Device certificates of which a device can have more than one as each application that needs to communicate to either another MFP or a software has its own certificate to identify itself. Many are created by the application as with @REMOTE.


                • KenB
                  Geek Extraordinaire

                  2,500+ Posts
                  • Dec 2007
                  • 3944

                  #9
                  “I think you should treat good friends like a fine wine. That’s why I keep mine locked up in the basement.” - Tim Hawkins


                  • tonerhead
                    Senior Tech

                    500+ Posts
                    • Sep 2009
                    • 582

                    #10
                    Re: Machine certificates

                    Certificates are needed for a couple of things. Certificates hold the public encryption keys, they can also provide proof of senders/receivers identity (that's the big one). They are hashed (if someone tries to change them, the hash count will have changed). It is basically a way to say that if an email or scan comes from the copier, there is no doubt it came from the copier.

                    So say you get an email from Amazon, your email service checks the certificate authority to verify that the certificate is from Amazon. Same with online webpages. A self signed certificate is basically the same functionality as a signed certificate except it is not held with a governing entity. In high security areas, there is a local certificate authority that will create a certificate for the copier which you enter into the copier. Otherwise a self signed certificate is fine. Chrome, Firefox, etc will throw up a warning basically to cover their backs.

                    Self signed is less secure because anyone can make them, but functionally they are the same.
                    I've proved mathematics wrong. 1 + 1 doesn't always equal 2.........


                    Especially when it comes to sex


                    • slimslob
                      Retired

                      Site Contributor
                      25,000+ Posts
                      • May 2013
                      • 37532

                      #11
                      Re: Machine certificates

                      Originally posted by tonerhead
                      Certificates are needed for a couple of things. Certificates hold the public encryption keys, they can also provide proof of senders/receivers identity (that's the big one). They are hashed (if someone tries to change them, the hash count will have changed). It is basically a way to say that if an email or scan comes from the copier, there is no doubt it came from the copier.

                      So say you get an email from Amazon, your email service checks the certificate authority to verify that the certificate is from Amazon. Same with online webpages. A self signed certificate is basically the same functionality as a signed certificate except it is not held with a governing entity. In high security areas, there is a local certificate authority that will create a certificate for the copier which you enter into the copier. Otherwise a self signed certificate is fine. Chrome, Firefox, etc will throw up a warning basically to cover their backs.

                      Self signed is less secure because anyone can make them, but functionally they are the same.
                      Is that like saying "I think I am therefore I am, I think"?


                      • BillyCarpenter
                        Field Supervisor

                        Site Contributor
                        10,000+ Posts
                        • Aug 2020
                        • 16416

                        #12
                        Re: Machine certificates

                        I went thru the rhonpm school of security certificates. It's a long winding road and I've forgotten some of it.


                        What I do remember is CA - Certificate Authority. I'm gonna leave it there before my head starts to hurt.

                        PS - If I remember correctly, there are trusted certs for your local network and then there are trusted certs for things outside of your network - websites, servers, etc. And I believe there are over 100 trusted certificate authorities around the world.
                        Adversity temporarily visits a strong man but stays with the weak for a lifetime.


                        • copiertec
                          Service Manager

                          Site Contributor
                          1,000+ Posts
                          • Jan 2016
                          • 2211

                          #13
                          Re: Machine certificates

                          I just ran into this issue today when trying to access a webpage, it was blocked from Edge and Firefox but would work through IE.


                          • slimslob
                            Retired

                            Site Contributor
                            25,000+ Posts
                            • May 2013
                            • 37532

                            #14
                            Re: Machine certificates

                            Originally posted by copiertec
                            I just ran into this issue today when trying to access a webpage, it was blocked from Edge and Firefox but would work through IE.
                            It may have been an expired certificate that Edge and Firefox no longer recognized. IE being no longer supported by Microsoft didn't care. Firefox should have given you the option to examine the certificate and override if you so desired.


                            • slimslob
                              Retired

                              Site Contributor
                              25,000+ Posts
                              • May 2013
                              • 37532

                              #15
                              Re: Machine certificates

                              Originally posted by BillyCarpenter
                              I went thru the rhonpm school of security certificates. It's a long winding road and I've forgotten some of it.


                              What I do remember is CA - Certificate Authority. I'm gonna leave it there before my head starts to hurt.

                              PS - If I remember correctly, there are trusted certs for your local network and then there are trusted certs for things outside of your network - websites, servers, etc. And I believe there are over 100 trusted certificate authorities around the world.
                              The fun part comes in when the site certificate on an MFP expires and you have to manually update it. As an example, when the MP C2051/2551 launched on February 1, 2011 it had support for Scan to E-mail but did not have a site certificate preinstalled. On the 9th they published a Knowledge Base document on how to install one using either IE or Firefox as the source for obtaining the certificate. At that time the certificate from Firefox they recommended was the [Google Internet Authority] listed under [Equifax]. A number of years later when that certificate expired, the Equifax authority no longer existed on the latest version of Firefox; the older version still only had the expired certificate. I was able to find the Google Internet Authority is under GlobalSign and it worked. Now Google Internet Authority no longer exists but there are now 4 GTS Root Builtin Object Token certificates and 2 Software Security Device certificates under Google Trust Services LLC.

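Added example, not written by any poster in this thread: the self-signed versus CA-issued difference from posts #7 and #10, plus the expiry problem from posts #14 and #15, reproduced with the OpenSSL command line. The CA name, the host name `mfp01.example.internal`, the file names and the `classify` helper are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: throwaway lab certificates; every name below is constructed.
lab=$(mktemp -d)
mk() { openssl "$@" >/dev/null 2>&1; }   # run openssl quietly

# 1) A private CA, like one customer IT would run for internal devices.
mk req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Internal CA" \
   -keyout "$lab/ca.key" -out "$lab/ca.pem"
# 2) Factory-default style: the device signs its own certificate.
mk req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mfp01.example.internal" \
   -keyout "$lab/dev.key" -out "$lab/selfsigned.pem"
# 3) Same device key, but the certificate is issued by the private CA.
mk req -new -key "$lab/dev.key" -subj "/CN=mfp01.example.internal" -out "$lab/dev.csr"
mk x509 -req -in "$lab/dev.csr" -CA "$lab/ca.pem" -CAkey "$lab/ca.key" \
   -CAcreateserial -days 30 -out "$lab/issued.pem"

# classify CERT TRUST_ANCHOR [WARN_SECONDS]
# Prints one verdict, roughly what a browser or mail server decides.
classify() {
  cert=$1; anchor=$2; warn=${3:-0}
  # Expired already (warn=0) or expiring inside the warning window.
  if ! openssl x509 -in "$cert" -noout -checkend "$warn" >/dev/null 2>&1; then
    echo "expiring"; return
  fi
  # Does the chain end at the trust anchor the client was given?
  if openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1; then
    echo "trusted"; return
  fi
  # Subject equals issuer: the certificate vouches only for itself.
  if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
       "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
    echo "self-signed"
  else
    echo "unknown-issuer"
  fi
}

classify "$lab/selfsigned.pem" "$lab/ca.pem"           # self-signed
classify "$lab/issued.pem"     "$lab/ca.pem"           # trusted
classify "$lab/issued.pem"     "$lab/ca.pem" 7776000   # expiring (90-day window)
classify "$lab/selfsigned.pem" "$lab/selfsigned.pem"   # trusted
```

The last call shows that a self-signed certificate only becomes trusted when the client has that exact certificate installed as a trust anchor, which is what accepting a browser exception for one device does.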