Device certificate management

During the installation from DRS, the device certificate is validated against a known CA to provide a secure connection with the device. If the device certificate is not from a known CA, the certificate is pinned. Secured connections with DWS fail if the certificate cannot be validated or if the certificate does not match the certificate that was pinned during install.

If you use your own certificate, it will need to be pinned. You can unregister and register the Unified Client on the device to re-pin the certificate automatically. Alternatively, you can pin the certificate manually with the following steps.

  1. Locate the pinned device certificates by searching for dws.jks in the DWS folder.

    For example: C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\webapps\DwsMain\WEB-INF\felix-cache\bundle20\data

  2. Stop the Device Web Server service.
  3. Delete the current pinned certificate for the device. This enables you to replace the certificate without having to unregister and register the device again. Certificates have an alias, such as "konicaminoltauc devicehostname 0". Do the following:
    1. Get the password needed to use keytool.exe. You can find the password in server.xml in the keystorePass attribute. The server.xml file is typically located in C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\.
    2. List the certificates to locate the alias for the certificate. Use the following command to list the contents of the keystore.

      The keytool.exe program is located in the DWS Installation Folder. (In this example, the path is C:\Program Files\Kofax\Shared Services\DWS.)

      SET DWSFOLDER=C:\Program Files\Nuance\Shared Services\DWS
      
      SET KEYSTOREFILE=C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\webapps\DwsMain\WEB-INF\felix-cache\bundle21\data\dws.jks
      
      "%DWSFOLDER%\JDK\jre\bin\keytool.exe" -list -v -keystore "%KEYSTOREFILE%" | findstr Alias
    3. When the Enter keystore password prompt appears, press Enter.
    4. Delete the existing certificate by using the following commands.
      SET ALIAS=<Alias retrieved from previous step>
      
      "%DWSFOLDER%\JDK\jre\bin\keytool.exe" -delete -alias "%ALIAS%" -keystore "%KEYSTOREFILE%"
  4. Import the certificate by doing the following:
    1. Run the following command, noting the following:
      • Enter the alias of the certificate that you removed earlier.

      • Use the same certificate that is active on the device.

      SET CERTIFICATEFILE=<Path to certificate file>
      
      "%DWSFOLDER%\JDK\jre\bin\keytool.exe" -import -file "%CERTIFICATEFILE%" -alias "%ALIAS%" -keystore "%KEYSTOREFILE%"
    2. Enter the keystore password when prompted.
    3. When you get the Trust this certificate prompt, type yes and press Enter.
  5. Start the Device Web Server service.
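The steps above can be carried out as one script so the keystore is backed up before anything is deleted, the new pin is verified against the certificate file, and the service is restarted even if the import fails. The following PowerShell script is an added example and is not Kofax/Nuance code; it assumes the paths shown in the steps above, that the keystorePass attribute sits on a Connector element in server.xml (the Tomcat convention), and that the DWS service has the display name "Device Web Server". The alias and certificate file are passed as parameters.

```powershell
# Added example (not Kofax/Nuance code): re-pin a device certificate in dws.jks.
# Assumptions: default install paths from the steps above, keystorePass on a
# <Connector> element in server.xml, service display name "Device Web Server".
param(
    [Parameter(Mandatory)] [string] $CertificateFile,   # certificate active on the device (PEM or DER)
    [Parameter(Mandatory)] [string] $Alias,             # e.g. "konicaminoltauc <devicehostname> 0"
    [string] $DwsFolder   = 'C:\Program Files\Nuance\Shared Services\DWS',
    [string] $DwsData     = 'C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver',
    [string] $ServiceName = 'Device Web Server'         # assumed display name of the DWS Windows service
)
$ErrorActionPreference = 'Stop'
$keytool = Join-Path $DwsFolder 'JDK\jre\bin\keytool.exe'

# Step 1: locate the pinned keystore. The felix-cache bundle number varies, so search for it.
$keystore = Get-ChildItem -Path (Join-Path $DwsData 'webapps\DwsMain\WEB-INF\felix-cache') -Recurse -Filter 'dws.jks' |
            Select-Object -First 1
if (-not $keystore) { throw "dws.jks not found under $DwsData" }

# Step 3.1: read the keystore password from the keystorePass attribute in server.xml.
[xml]$serverXml = Get-Content (Join-Path $DwsData 'conf\server.xml')
$connector = $serverXml.SelectNodes('//Connector[@keystorePass]') | Select-Object -First 1
if (-not $connector) { throw 'No Connector element with a keystorePass attribute in server.xml' }
$storePass = $connector.GetAttribute('keystorePass')

# Step 2: stop the service and keep a timestamped backup so a bad import can be rolled back.
$svc = Get-Service -DisplayName $ServiceName
Stop-Service -InputObject $svc
$backup = "$($keystore.FullName).$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $keystore.FullName -Destination $backup

try {
    # Step 3.4: delete the currently pinned entry if the alias exists
    # (keytool -list -alias exits non-zero when the alias is absent).
    & $keytool -list -keystore $keystore.FullName -storepass $storePass -alias $Alias | Out-Null
    if ($LASTEXITCODE -eq 0) {
        & $keytool -delete -alias $Alias -keystore $keystore.FullName -storepass $storePass
        if ($LASTEXITCODE -ne 0) { throw "keytool -delete failed for alias '$Alias'" }
    }

    # Step 4: import the device's active certificate under the same alias.
    # -importcert is the current name of -import; -noprompt answers the "Trust this certificate?" question.
    & $keytool -importcert -noprompt -file $CertificateFile -alias $Alias -keystore $keystore.FullName -storepass $storePass
    if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }

    # Check: the SHA-1 fingerprint keytool reports for the alias must equal the file's thumbprint,
    # otherwise DWS would still fail to validate the device connection.
    $fileThumb = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificateFile).Thumbprint
    $listing   = & $keytool -list -v -keystore $keystore.FullName -storepass $storePass -alias $Alias
    $match     = $listing | Select-String -Pattern 'SHA1:\s*([0-9A-F:]+)' | Select-Object -First 1
    if (-not $match) { throw 'Could not read the SHA1 fingerprint from keytool output' }
    $pinned = $match.Matches[0].Groups[1].Value -replace ':', ''
    if ($pinned -ne $fileThumb) { throw "Pinned fingerprint $pinned does not match certificate file thumbprint $fileThumb" }
    Write-Host "Pinned '$Alias' with SHA-1 fingerprint $fileThumb"
}
catch {
    # Any failure restores the original keystore before the error is reported.
    Copy-Item -Path $backup -Destination $keystore.FullName -Force
    throw
}
finally {
    # Step 5: start the service again whether or not the re-pin succeeded.
    Start-Service -InputObject $svc
}
```

Run it from an elevated PowerShell prompt, for example `.\Repin-DeviceCertificate.ps1 -CertificateFile C:\certs\device.cer -Alias "konicaminoltauc devicehostname 0"`. The password is passed with -storepass so the interactive prompts in steps 3.3 and 4.2 do not appear; the fingerprint comparison at the end is the check that tells you the pinned entry really is the certificate the device presents.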