Onboard a HP printer through self-onboarding

In this topic, you will learn how to onboard using the self-onboarding portal, a HP printer compatible with 802.1X, a Windows computer, the HP Smart application, and a Wi-Fi network managed by Portnox™ Cloud.

Before you begin, please note the following:

  • In this procedure, you use the Windows computer to configure the printer remotely, to get the certificate for the printer from the self-onboarding portal, and to add a password to the private key. You can also do these steps on a macOS system. However, to add a password to a private key on macOS, you will need to install and use third-party software such as OpenSSL.

  • If you want Portnox Cloud to generate a certificate for your printer through the self-onboarding portal, you must first create a user account that represents the printer in your integrated authentication repository or directly in Cloud. You must then be able to log in to the self-onboarding portal using that user account. After you complete the onboarding procedure, we recommend that you disable user logins for this account in your authentication repository or change the password if you use Cloud as your authentication repository. While we recommend creating individual accounts for each printer, you can also use a common user account for all printers or current user accounts.

  • We know that the following HP printer models are compatible with 802.1X Wi-Fi networks: HP LaserJet Pro 3001-3008, 4001-4004, MFP 3101-3108, 4101-4104. If your printer model is not one of these models, consult your documentation or contact your HP sales representative to find out if your HP printer is compatible with 802.1X. The HP Embedded Web Server currently does not support 802.1X for wired networks.

  • Update the firmware on your printer to the latest version. We have encountered problems with 802.1X connectivity caused by outdated firmware.

  • We assume that you use the HP Smart software to manage and configure your printer. If not, please download and install HP Smart from the Microsoft Store and make sure you can connect to your printer using this software before you add the new certificate. While you can also configure the printer using the HP Embedded Web Server and a browser, this will become difficult after you install the new certificate, because HP printers use the same certificate for 802.1X authentication and for browser authentication, and browsers may be unable to recognize the self-signed certificates generated by Cloud.

  • The HP Embedded Web Server also supports authentication with credentials. However, it only supports LEAP and PEAP EAP methods, which are not secure. Therefore, we do not recommend and we do not provide instructions on setting up HP printers with credential-based 802.1X. If you must use credentials, Portnox Cloud supports PEAP, but only with the latest HP firmware installed.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.

HP Smart asks you to upload a root CA certificate when configuring 802.1X connections. This is necessary so that the printer can verify the validity of Cloud RADIUS servers, which have certificates signed by this root CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLOUD RADIUS SERVICE > Cloud RADIUS instance option.

    The right-hand pane shows the list of active servers.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

Authenticate with the self-onboarding portal and download the certificate

In this section, you will learn how to authenticate with the self-onboarding portal using your corporate identity and then download the certificate for the printer.

In the following steps, do not use your personal Portnox or corporate account. Instead, use an account that you either:

  • Created for the printer in one of your authentication repositories

  • Created for the printer in Portnox Cloud (Portnox account) or

  • Want to create for the printer in Portnox Cloud (Portnox account).

Note: The Portnox account does not need to exist yet. However, you must already have access to the email address you want to use, meaning that this email account must exist in your own directory or email system.
Note: To be able to use and create Portnox accounts, you must turn on the option for end-users to use and create Portnox accounts (see: Set up the self-onboarding portal).
  1. Enter the URL of the self-onboarding portal in your browser.

    To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.

  2. Click on one of the available buttons representing authentication repositories. Then, complete the authorization process as required by your authentication repository.

    Note: The buttons available on this page will depend on the authentication repositories integrated with your Portnox Cloud. It is very likely that your organization will only use one of them. The Corporate email option is available only if you configured the self-onboarding portal to allow end-users to use and create Portnox accounts using the self-onboarding portal.
    1. Optional: If the Corporate email option is available, and you want to use a Portnox account to authenticate with the self-onboarding portal, click on the button, enter your email address in the Email field, and then click on the Sign In button. Then, check your email account. You will receive a code via email. Copy the code, paste it in the Activation code field, and click on the Confirm button.

  3. In the Select your device’s operating system field, select the Windows option.
  4. Click on the Obtain Certificate button to download the certificate.

Add a password to the printer certificate’s private key

In this section, you will temporarily import the downloaded certificate and then export it again, adding a password to the private key.

By default, private keys generated by Portnox Cloud and included with certificates have empty passwords. However, HP Smart does not accept an empty password for the private key, so you need to add a password to the private key to use the certificate with your HP printer.

  1. Import the downloaded certificate.
    1. Double-click on the downloaded certificate file to temporarily install the certificate in your Windows certificate store.

      To export the private key from the certificate, you must first install it, marking the private key as exportable. You cannot export the private key directly from the downloaded certificate without installing it.

    2. In the first step of the Certificate Import Wizard, click on the Next button.

      In this step, you select the user certificate store by default. Note that you will delete the certificate after you add the password to the private key, so the selected certificate store is not important.

    3. In the second step of the Certificate Import Wizard, click on the Next button.

    4. In the third step of the Certificate Import Wizard, leave the Password field empty, activate the Mark this key as exportable checkbox, and then click on the Next button.

      You must leave the password field empty because private keys included with Portnox Cloud certificates by default have empty passwords.

    5. In the fourth step of the Certificate Import Wizard, click on the Next button.

    6. In the fifth and final step of the Certificate Import Wizard, click on the Finish button.

  2. Export the certificate and the private key, adding a password to the private key.
    1. Open the Windows Certificate Manager by typing manage user certificates in the Windows search bar and clicking on the Manage user certificates icon.

    2. In the certmgr window, go to the Personal > Certificates folder and double-click on the certificate that you just imported.

    3. In the Certificate window, go to the Details tab, and click on the Copy to File button.

    4. In the first step of the Certificate Export Wizard, click on the Next button.

    5. In the second step of the Certificate Export Wizard, select the Yes, export the private key option, and then click on the Next button.

    6. In the third step of the Certificate Export Wizard, click on the Next button.

    7. In the fourth step of the Certificate Export Wizard, activate the Password checkbox and enter a password in the Password and Confirm password fields. Then, click on the Next button.

      You will use this password later when configuring the device.

    8. In the fifth step of the Certificate Export Wizard, specify the file name to save the exported certificate and private key. Then, click on the Next button.

      You can replace the previously imported file. The .pfx and .p12 extensions represent the same file format.

    9. In the last step of the Certificate Export Wizard, click on the Finish button.

  3. Delete the temporarily imported certificate from your certificate store.
    1. Select the certificate in your certificate store.

    2. Press the Delete key on your keyboard to delete the certificate and then click on the Yes button in the confirmation window.

Result: You added a password to the private key of the downloaded certificate.

Configure the printer’s Wi-Fi connection

In this section, you will use HP Smart software to configure the printer for your Wi-Fi network managed by Portnox™ Cloud.

To be able to access the printer through HP Smart and configure the connection, you must first connect to the printer directly using Wi-Fi Direct, or connect the printer to a non-secured Wi-Fi or wired network. To connect to Wi-Fi Direct, go to Step one in the HP documentation for 802.1X connections. To connect to a non-secured Wi-Fi or wired network, follow the instructions in the printer manual or go to hpsmart.com/setup.

Note: This example is based on a HP LaserJet Pro 3002dw printer, which we connected to a secured Wi-Fi network with SSID VORLON.
  1. In the HP Smart user interface, click on the Printer Settings button.

  2. In the HP Smart left-hand side menu, click on the Advanced Settings option to open the Embedded Web Server in HP Smart.

  3. In the Embedded Web Server’s top menu, click on the Network option.

  4. Enter the PIN number for the printer and click on the Submit button.

    The PIN number is printed on a label inside the printer, in the cartridge access area.

  5. On the Network page, in the left-hand side menu, select Wireless (802.11) > Advanced.

  6. Configure the wireless network settings:
    1. In the Network Name > SSID field, enter the SSID of your network.

    2. In the Network Settings section, click on the WPA option, in the WPA Version field, select WPA2, and then click on the WPA-Enterprise option.

    3. In the Enable Protocols section, select the EAP-TLS option, and then click on the Configure button next to the Certificate Authority (CA) Certificate label.

    4. In the Install a Certificate Authority (CA) Certificate section, click on the Choose File button, select the root CA certificate file that you downloaded earlier from Portnox Cloud, and then click on the Finish button.

    5. Click on the Configure button next to the Printer Certificate label.

    6. In the Printer Certificate Options pane, select the Import a Certificate and Private Key option and click on the Next button.

    7. In the Import a Certificate and Private Key pane, click on the Choose File button, choose the certificate that you obtained from the self-onboarding portal (the file with the added private key password), in the Password field, enter the password you chose for the private key, and then click on the Finish button.

    8. Click on the Apply button to apply your changes and connect to the secured Wi-Fi network.