How to Enable SSL in On-Demand

Ports reservation are done automatically at service startup in NPrinting 14.0.0.12 or higher releases. In some installations, you must reserve TCP ports listening for the On-Demand service process.

After opening a Command Prompt as Administrator, check if SSL is enabled:

1. Enter netsh http add urlacl url=https://+:9000/ user=DOMAIN\user , replace DOMAIN\user with the domain and the name of your NPrinting Server account
2. Enter netsh http add urlacl url=https://+:9001/ user=DOMAIN\user

If a port is reserved by another process and you are sure you can use it with On-Demand, remove the reservation before enabling it typing the following:

Enter netsh http delete urlacl url=https://+:9000/ (replace 9000 with target TCP port and http with https if SSL is enabled)

If you already have a SSL certificate, go directly to "Get the Certificate Thumbprint" step further below in this tutorial.

After logging in with your NPrinting Server account, download and install "Microsoft Windows SDK for Windows 7 and .NET Framework 4" if your system does not have "makecert" installed.

Select Tools during the installation and finish the installation

Right click on Windows SDK 7.1 Command Prompt and select Run as administrator

1. Enter cd C:\Program Files\Microsoft SDKs\Windows\v7.1\bin
2. Enter makecert -sv C:\SignRoot.pvk -cy authority -r C:\signroot.cer -a sha1 -n "CN=Dev Certification Authority" -ss my -sr localmachine to create a trusted certificate only for tests. Refer to "Makecert.exe (Certificate Creation Tool)"
3. Enter a password
4. Click OK. If necessary retype the password

This command create a certificate (.cer) and a Private Key (.pvk) in C:\ root folder.

Execute the command mmc.exe then:

1. Click on File
2. Select Add/Remove Snap-in...

1. Select Certificates from the list
2. Click on Add > to import the selected element in the console and a new window will appears

1. Select Computer account
2. Click on Next

After clicking on Finish, click on OK

1. Move into Certificates -> Personal -> Certificates
2. Select Dev Certification Authority and drag and drop it into Trusted Root Certification Authorities

After returning to the Command Prompt:

1. Enter makecert -iv C:\SignRoot.pvk -ic C:\signroot.cer -cy end -pe -n CN="localhost" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
2. Enter the password created for the first certificate
3. Click OK

If you already have a certificate you can import it:

1. Go to Certificates -> Personal -> Certificates
2. Right-click on the empty list and select All Tasks -> Import...

After reopening the Microsoft Management Console and clicking F5:

1. Double click on localhost or on your certificate into Certificates -> Personal -> Certificates
2. Open the Details tab
3. Select from the list Thumbprint
4. Select the thumbprint and copy it into Notepad and remove the spaces, the number will be different from the screenshot

After opening a Command Prompt as Administrator:

1. Enter netsh http delete sslcert ipport=0.0.0.0:9000
2. Enter netsh http delete sslcert ipport=0.0.0.0:9001

If you get the error "SSL Certificate deletion failed, Error: 2 The system cannot find the file specified." means that there weren't certificates bound to these ports.

Netsh command works only starting from Windows Vista and Windows Server 2008, if you use an older version refer to "How to: Configure a Port with an SSL Certificate"

1. Go to "Online GUID Generator"
2. Enter 2
3. Check all three boxes
4. Click on Generate some GUIDs!
5. Select and copy these two GUIDs into your Notepad,  the GUIDs will be different from the screenshot.

After reopening the Command Promt:

1. Enter netsh http add sslcert ipport=0.0.0.0:9000 certhash="thumbprint" appid={GUID} , replace "thumbprint" with your thumbprint and "GUID" with one of your GUIDs previously copied into the notepad without quotes (e.g. netsh http add sslcert ipport=0.0.0.0:9000 certhash=‎c494745efa0aef0467fb4a87e1712922c19b7dbc appid={CD57FF9A-FBF8-4215-873B-116253E65ED1})
2. Enter netsh http add sslcert ipport=0.0.0.0:9001 certhash="thumbprint" appid={GUID} , replace "thumbprint" with your thumbprint and "GUID" with your second GUID (e.g. netsh http add sslcert ipport=0.0.0.0:9001 certhash=‎c494745efa0aef0467fb4a87e1712922c19b7dbc appid={3AB66D52-BB62-4AAE-8E29-29A5D2B07D3B})

Enter netsh http show sslcert

Using this command is possible to see all the SSL certificate added. If all step have been performed correctly, you will see the certificates which you added in previous steps.

1. Go to C:\Users\{UserName}\AppData\Roaming\NPrinting\ODS (e.g. C:\Users\NPrinting\AppData\Roaming\NPrinting\ODS)
2. Open ods.config with a text editor

• WsEnabled and HttpEnabled enable or disable the WS and HTTP endpoints respectively.
• WsHostname and HttpHostname are the DNS hostnames of  the WS and HTTP interfaces respectively as they appear to clients. If you enable SSL, these names must be the same as indicated in the SSL certificate. (e.g. localhost)
• WsPort and HttpPort are the TCP ports used for the WS and HTTP interfaces respectively. If both endpoints are enabled these ports must be different.
• WsEnableSSL and HttpEnableSSL enable or disable the SSL protocol in the respective interface.

1. Enter localhost in the WsHostname and HttpHostname value field
2. Type true in the WsEnableSSL and HttpEnableSSL value field
3. Save and Close

If you want to use SSL you must enable SSL on ON-Demand Components

1. Click on View
2. Select Turn on/off WebView
3. Right-click on each button and click on Properties

1. Select On-Demand service connection
2. Check Use SSL

After opening the Services manager:

1. Select NPrinting Server service from the list
2. Click on Restart

If you go to https://localhost:9000/ods, you can see the a green padlock and that the certificate has been accepted.

NOTE: NPrinting On Demand does NOT support reverse proxy server configurations nor software/hardware web load balancers at this time. It is currently designed to work with http or https in a non load-balanced front environment where ports 9000 and 9001 are left open for use with NPrinting On Demand Exclusively.