Zebra ZD420t Desktop / ZD420t-HC Healthcare Printer WLAN Certificate Management in PPME (en)

WLAN Certificate Management in Printer Profile Manager Enterprise
Example Setup of the Automatic Printer Certificate Renewal Feature

Applies to Printer Profile Manager Enterprise version 3.1.x and later

P1124537-01EN Rev. A
The fictional company, BC Company, has two stores, and each has their own unique network and time zone. Store 1 is in the Eastern time zone, while Store 2 is in the Pacific time zone. Both stores are remotely managed from a third HQ location.
Each store runs a similar wireless network with WPA2. However, Store 1 uses an RSA-2048 based certificate, and Store 2 uses a SECP512R1 ECDSA based certificate. Both stores’ certificates use a SHA-256 digest.
To avoid store working and inventory hours, certificate provisioning should only occur between 1AM and 4AM local store time.
The certificate signing server used by BC Company is a Microsoft (MS) Active Directory Certificate Services server with NDES enabled. Additionally, the server is configured to auto-sign certificate requests. This is important as the provisioning window is outside normal business hours, so manual approval would prevent certificate provisioning from occurring during the desired time.
Finally, the signing server is configured to sign certificates for 30 days. To allow the stores time to update their mobile printers, the certificate update window is seven days prior to certificate expiration and is checked daily.

CA Server Setup

Objectives

Within this section, you will:
Set up your CA Server
Add specific CA details

Checklist

Type
CA Server Full URL
Polling Timeout (minutes and seconds)
CA Server Description
Challenge Type
Challenge Password
Username
User Password
CA Certificate (if you have a saved local copy)
Certificate Password

CA Server Information

In our scenario, we are using the following information:
Type: Microsoft ADCS NDES 2019
CA Server Full URL: https://ndes.bccompany.com/certsrv/mscep_admin/mscep.dll
Polling Timeout (seconds): 120
CA Server Description: BC Company CA Authority
Challenge Type: Dynamic – BC Company’s CA generates a new password per signing request
Challenge Password: N/A, as our Challenge Type is dynamic; in static configurations this password would be used
Username: store_signing
Password: Bz93CLdk1!ks
Server Certificate, Certificate Password: N/A for BC Company, but could be used in certain CA configurations

Procedure to Set Up a CA Server

1. To create a CA server, in the top menu of PPME, select Certificate Authorities from the Certificates tab.
2. From the Certificate Authority landing page, click Add Certificate Authority Server.
3. In the configuration page, enter the information outlined above:
Enter the CA Server full URL. For this scenario, the CA Server URL is:
https://ndes.bccompany.com/certsrv/mscep_admin/mscep.dll
4. The Polling Timeout is set to 2 minutes or 120 seconds.
PPME needs to check with the signing server to see if the certificate has been signed. Two minutes has been selected in our case to be often enough to update the certificate quickly, but with enough time between requests to prevent overloading the CA server. This value should be selected in conjunction with your security team to ensure proper function with your CA server.
5. Description is set to “BC Company CA Authority”.
Our server requires an authorization certificate in order to process a signing request. If your server requires an authorization certificate, you may upload it using the Server Certificate field. This is not needed in all scenarios, but the IT department of BC Company requires this in order to increase the security of the system.
6. Username and Password are set to match the IT-provided account for automated signing purposes, in this case: store_signing:Bz93CLdk1!ks
7. Click Save.
During the save process, PPME will attempt to connect to the CA server using the configuration you provided. The configuration will not save until the configuration works with the CA server.
You now have a CA server configured. Next, we need to set up a “Certificate Management Item” for each of our two stores.

Set Up Certificate Management Items

Objectives

Within this section, you will:
Set up Certificate Management Items (CMI) for Store 1 and Store 2
Add specific CA details

Checklist

Server Address
Challenge Password for Signing Server
Message Digest
Encryption Algorithm (and Key Size/Curve)
Update Certificates (Grace Period)
Common Name of the printer
Organization
Organizational Unit
Email Address
City
State
Country
Alternative Name
Name of the CMI
Description of the CMI

Procedure to Create a Certificate Management Item (CMI) for Store 1

1. To create a CMI, under the “Certificates” tab, select Certificate Management Items.
2. In the landing page, click Create Item.
3. You will now see a list of all the information you need to create a CMI. Select the “Do not show this next time” checkbox at the bottom if you don’t want to see it again. Click Next.
4. For Store 1, we are using the following configuration:
a. Server: CA server configured in the previous section
b. Message Digest: SHA-256
c. Encryption Algorithm: RSA (2048)
d. Update Certificates: 7 Days Before Expiring
For this scenario, there is only one CA server set up, signing.bccompany.com, but if your configuration has multiple servers, be sure to select the appropriate server for your specific purpose.
5. The message digest and encryption algorithm must match the configuration of the printer’s network.
6. Finally, Update Certificates sets the grace period for the certificate. Select the number of days for the grace period. The grace period is the number of days before the certificate expires during which the new certificate will be requested, signed, and sent to your printer.
For this scenario, we need to be sure to balance the server configuration, certificate configuration, and device usage. The BC Company’s signing server is configured to allow certificate re-issuance at 50% of the certificate’s life span. The certificates for our networks last 30 days.
For BC Company’s scenario, certificates won’t be renewed if they are less than 15 days old. Because we can’t guarantee that all devices will be powered on for any specific day, we have selected a range of 7 days for the reissuance window. This minimizes the possibility of a device not being updated, while still conforming to the configuration allowed by the CA server and device network.
7. Click Next.
8. Now, we need to set up the recipe used to generate the printer’s individual certificate. BC Company’s recipe looks like:
a. Common Name: MAC Address – this is how the certificate is tied to the printer. In our case, we are using the printer’s MAC address as the printer’s uniquely identifiable information.
b. Organization: BC Company
c. Organizational Unit: Store 1
d. Email Address: admin@bccompany.com
e. City: New York
f. State: NY
g. Country: United States
h. Alternative Name: N/A – we are not using this field in our configuration.
For this scenario, both stores use a SHA-256 message digest. The CSR message digest is configured by the network admins and must match their configuration. It is possible for different sites to have different message digest sizes.
9. Click Next.
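To check that the grace period chosen in step 6 actually works with the scenario's constraints (30-day certificates, re-issuance allowed only at 50% of the life span, provisioning only between 1AM and 4AM local store time, a check once a day), the following added example models the renewal decision and simulates a month of daily checks for a printer that is not always powered on. It is illustrative code, not PPME's own logic; the certificate dates, the 02:30 check time, the fixed standard-time offsets for the two stores and the function names are constructed assumptions.

```python
from datetime import date, datetime, time, timedelta, timezone

# Constructed parameters modelled on the BC Company scenario (not PPME's own logic).
VALIDITY_DAYS = 30         # the CA signs certificates for 30 days
MIN_AGE_FRACTION = 0.5     # the CA allows re-issuance only at 50% of the life span
GRACE_DAYS = 7             # CMI setting "Update Certificates: 7 Days Before Expiring"
WINDOW_START, WINDOW_END = 1, 4   # provisioning allowed 1AM-4AM local store time

# Assumed fixed standard-time offsets; DST is ignored to keep the example short.
STORE_TZ = {
    "Store 1": timezone(timedelta(hours=-5), "Eastern"),
    "Store 2": timezone(timedelta(hours=-8), "Pacific"),
}

# Constructed certificate: issued 2024-03-01 00:00 UTC, valid for 30 days.
SAMPLE_NOT_BEFORE = datetime(2024, 3, 1, tzinfo=timezone.utc)


def in_provisioning_window(now_utc: datetime, store: str) -> bool:
    """True if 'now' falls inside the store's local 1AM-4AM window."""
    local = now_utc.astimezone(STORE_TZ[store])
    return WINDOW_START <= local.hour < WINDOW_END


def should_renew(store: str, not_before: datetime, not_after: datetime,
                 now_utc: datetime) -> bool:
    """Combine the CA minimum-age rule, the CMI grace period and the store window."""
    old_enough = now_utc - not_before >= timedelta(days=VALIDITY_DAYS * MIN_AGE_FRACTION)
    in_grace = not_after - timedelta(days=GRACE_DAYS) <= now_utc < not_after
    return old_enough and in_grace and in_provisioning_window(now_utc, store)


def weekdays_only(day: date) -> bool:
    """Power predicate for a printer that is switched off at weekends."""
    return day.weekday() < 5


def renewal_dates(store: str, not_before: datetime, powered_on=lambda d: True) -> list:
    """Simulate the daily 02:30 local check over the certificate's life and return
    the local dates on which a renewal would actually be requested."""
    tz = STORE_TZ[store]
    not_after = not_before + timedelta(days=VALIDITY_DAYS)
    first_day = not_before.astimezone(tz).date()
    hits = []
    for offset in range(VALIDITY_DAYS + 1):
        local_day = first_day + timedelta(days=offset)
        check = datetime.combine(local_day, time(2, 30), tzinfo=tz).astimezone(timezone.utc)
        if powered_on(local_day) and should_renew(store, not_before, not_after, check):
            hits.append(local_day)
    return hits


if __name__ == "__main__":
    print("Store 1, always on:", renewal_dates("Store 1", SAMPLE_NOT_BEFORE))
    print("Store 1, weekdays :", renewal_dates("Store 1", SAMPLE_NOT_BEFORE, weekdays_only))
```

With a 7-day grace period the always-on printer gets seven renewal opportunities (2024-03-24 to 2024-03-30) and the weekdays-only printer still gets five, which is the slack the scenario relies on; the same 07:30 UTC instant is inside Store 1's window but outside Store 2's, illustrating why the window is evaluated in local store time.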