DWS certificate management

DWS presents web site certificates for the following:

  • 8444: Used by Unified Clients, including the Unified Client for Konica Minolta. This certificate is signed by a self-signed CA that DWS generates.

  • 8443: Used by other ControlSuite clients. This certificate is self-signed.

These certificates have the following attributes:

  • DWS generates the certificates using SHA-256 when DWS starts.

  • DWS certificates expire five years from the date they were generated.

  • DWS checks the presence of valid certificates during startup. If a DWS-generated certificate has expired or is invalid, a new one is generated.

  • The DWS root CA certificate is installed during the device registration process. When it has expired after five years, a new DWS root CA certificate is generated, but it must be manually installed on devices.

To use your own certificate, you need the certificate bundle and the private key; then follow these instructions:

  • If the certificate file you received from the signing authority contains both the certificate bundle and the private key (often in a .p12 or .pfx file), follow the instructions in Use an alternate certificate store.

  • If the file you received from the signing authority does not include the private key, follow the instructions in Import an alternate certificate.

When you have completed the applicable steps, complete the procedure as shown in After changing the DWS certificate.

Use an alternate certificate store

If the certificate file you have contains both the certificate bundle and the private key (such as a .p12 or .pfx file), use the following steps to use it as the DWS certificate.

  1. Locate the DWS configuration folder.

    For example: C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\

  2. Copy the certificate file to the DWS configuration folder.
  3. Edit the server.xml in the DWS configuration folder as follows:
    1. Find the Connector node that includes port="8444".
    2. Change the path for keystoreFile to point to the certificate file.
    3. Change the keystorePass to the password that protects the certificate's private key.

    The following shows the updated file; the fields to change are keystoreFile and keystorePass.

    <!-- Unified client connector to be used when dealing with root ca signed certificates -->
    <Connector SSLEnabled="true" allowUnsafeLegacyRenegotiation="true" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256" clientAuth="false" customerModifiedCiphers="false" enableLookups="false" executor="nuanceThreadPool" keepAliveTimeout="5000" keystoreFile="C:\Windows\system32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\dws-signed-server-key.jks" keystorePass="aHfjAqybdMuagPGMt2sr9w==" maxHttpHeaderSize="32768" maxThreads="150" parseBodyMethods="POST, PUT" port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="DWS" sslEnabledProtocols="+TLSv1+TLSv1.1+TLSv1.2+SSLv2Hello" unifiedClientConnectorName="root-ca-signed-connector"/>
    
  4. Complete the procedure as shown in After changing the DWS certificate.
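The edit in step 3 is easy to get wrong by hand in a single-line Connector element, so here is an added Python script (not Kofax/DWS code) that performs it: it finds the Connector carrying port="8444", rewrites only its keystoreFile and keystorePass attributes, leaves the 8443 connector and every other attribute untouched, and writes a .bak copy first. The sample server.xml is constructed from the connector shown above; it assumes the element is self-closing and already has both attributes, as in the documentation. It also lists any names in sslEnabledProtocols older than TLS 1.2, since the shipped connector enables TLSv1, TLSv1.1 and SSLv2Hello and a reviewer will want to know that.

```python
"""Point the DWS 8444 connector in server.xml at a customer-supplied keystore.

Added example; this is not Kofax/DWS code. It assumes server.xml contains a
self-closing <Connector .../> element with port="8444" that already carries
keystoreFile and keystorePass attributes, as shown in the documentation.
"""
import re
import shutil
import sys
from xml.sax.saxutils import escape, unescape

# Constructed sample, abbreviated from the connector shown in the documentation.
SAMPLE_SERVER_XML = r"""<Service name="Catalina">
  <!-- Unified client connector to be used when dealing with root ca signed certificates -->
  <Connector SSLEnabled="true" keystoreFile="C:\Windows\system32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf\dws-signed-server-key.jks" keystorePass="aHfjAqybdMuagPGMt2sr9w==" port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="+TLSv1+TLSv1.1+TLSv1.2+SSLv2Hello" unifiedClientConnectorName="root-ca-signed-connector"/>
  <Connector SSLEnabled="true" keystoreFile="C:\dws\conf\other-key.jks" keystorePass="unchanged" port="8443" scheme="https" secure="true"/>
</Service>
"""

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*/>")
ATTR_RE = re.compile(r'([\w:.-]+)="([^"]*)"')
MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def find_connector(xml_text, port="8444"):
    """Return the re.Match for the <Connector .../> element that carries the given port."""
    for match in CONNECTOR_RE.finditer(xml_text):
        if re.search(r'(?<![\w])port="%s"' % re.escape(port), match.group(0)):
            return match
    raise ValueError(f'no <Connector> with port="{port}" found')


def connector_attrs(xml_text, port="8444"):
    """Attributes of one connector as a dict, with XML entities decoded."""
    element = find_connector(xml_text, port).group(0)
    return {name: unescape(value, {"&quot;": '"'}) for name, value in ATTR_RE.findall(element)}


def set_attr(element, name, value):
    """Replace one attribute value inside an element string; the attribute must already exist."""
    pattern = re.compile(r'(?<![\w])%s="[^"]*"' % re.escape(name))
    if not pattern.search(element):
        raise ValueError(f"attribute {name} not present on connector")
    encoded = escape(value, {'"': "&quot;"})
    # A callable replacement keeps backslashes in Windows paths literal.
    return pattern.sub(lambda _m: f'{name}="{encoded}"', element, count=1)


def set_keystore(xml_text, keystore_file, keystore_pass, port="8444"):
    """Return server.xml text with keystoreFile/keystorePass replaced on one connector only."""
    match = find_connector(xml_text, port)
    element = set_attr(match.group(0), "keystoreFile", keystore_file)
    element = set_attr(element, "keystorePass", keystore_pass)
    return xml_text[: match.start()] + element + xml_text[match.end():]


def legacy_protocols(attrs):
    """Protocol names listed in sslEnabledProtocols that are older than TLS 1.2."""
    listed = [p for p in attrs.get("sslEnabledProtocols", "").split("+") if p]
    return sorted(p for p in listed if p not in MODERN_PROTOCOLS)


def main(argv):
    """Usage: set_dws_keystore.py <server.xml> <keystore file> <keystore password>"""
    if len(argv) != 4:
        print(main.__doc__)
        return 2
    path, keystore_file, keystore_pass = argv[1:]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = set_keystore(original, keystore_file, keystore_pass)
    shutil.copy2(path, path + ".bak")  # keep the previous configuration for rollback
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    attrs = connector_attrs(updated)
    print("8444 connector now uses", attrs["keystoreFile"])
    legacy = legacy_protocols(attrs)
    if legacy:
        print("note: sslEnabledProtocols still lists", ", ".join(legacy))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as an administrator with the full path to server.xml, the .pfx path and its password; the password is XML-escaped before it is written, so characters such as quotes and ampersands survive the edit. Stop DWS first or restart it afterwards as the "After changing the DWS certificate" procedure requires.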

Import an alternate certificate

If you generated the certificate signing request with keytool, the keystore contains the private key. Use the following steps to update DWS to the certificate you received from the signing authority.

  1. Locate the DWS installation folder.

    For example: C:\Program Files\Kofax\Shared Services\DWS

  2. Locate the DWS keystore path.

    For example: C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\conf

  3. Find the keystore password in the keystorePass attribute in the server.xml file in the same folder.
  4. If you have a certificate bundle file that includes the certificates for the issuing authorities as well as the server certificate, import the bundle in one step; skip to step 5.

    If you have the individual certificates, import each one separately starting with the root CA and then importing each in the chain with a distinct alias as follows.

    "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -import -file "<Certificate file>" -keystore "<keystore path>\dws-signed-server-key.jks" -alias <provide a unique alias for each CA>
  5. If you have a certificate bundle file that includes the certificates for the issuing authorities as well as the server certificate, you can import the bundle in one step.
    "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -import -file "<Certificate file>" -keystore "<keystore path>\dws-signed-server-key.jks" -alias tomcat
  6. Verify that the certificate was imported correctly by running the following command and checking the output.
    "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -keystore "<keystore path>\dws-signed-server-key.jks" -list

    Text similar to the following should appear. If it does not have PrivateKeyEntry, the certificate will not be used by DWS.

    tomcat, Jan 20, 2021, PrivateKeyEntry,
  7. Complete the procedure as shown in After changing the DWS certificate.
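Step 6 asks you to read the keytool -list output by eye for a PrivateKeyEntry line. The following added Python script (not Kofax/DWS code) automates that check: it parses the non-verbose listing format shown above (alias, date, entry type), confirms that the server alias (tomcat by default) is a PrivateKeyEntry, and reports which aliases are trustedCertEntry. The embedded listing is a constructed sample in the shape keytool prints, with placeholder fingerprints; the run_keytool_list helper is an assumption about how you would invoke the bundled keytool.exe and is not needed for the parsing itself.

```python
"""Verify the DWS signed-server keystore from `keytool -list` output.

Added example; not Kofax/DWS code. Parses the non-verbose listing format
shown in the documentation (`alias, date, EntryType,` lines) and confirms
the server alias holds a PrivateKeyEntry, which DWS requires.
"""
import re
import subprocess
import sys

# Constructed sample in the shape keytool -list prints; fingerprints are placeholders.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

rootca, Jan 20, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
intermediate, Jan 20, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
tomcat, Jan 20, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11
"""

# One entry line: "<alias>, <creation date>, <entry type>,"
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), (?P<date>.+?), "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$",
    re.MULTILINE,
)


def parse_listing(text):
    """Map each alias in the listing to its entry type, in listing order."""
    return {m.group("alias"): m.group("type") for m in ENTRY_RE.finditer(text)}


def check_keystore(listing_text, server_alias="tomcat"):
    """Evaluate a listing against what DWS needs: a PrivateKeyEntry under the server alias."""
    entries = parse_listing(listing_text)
    kind = entries.get(server_alias)
    problems = []
    if kind != "PrivateKeyEntry":
        problems.append(
            f"alias {server_alias!r} is {kind or 'missing'}, not PrivateKeyEntry; "
            "DWS will not use this certificate"
        )
    # Separate CA entries appear only when the chain was imported certificate by certificate.
    trusted = [alias for alias, entry_type in entries.items() if entry_type == "trustedCertEntry"]
    return {
        "entries": entries,
        "trusted_cas": trusted,
        "private_key_ok": kind == "PrivateKeyEntry",
        "problems": problems,
    }


def run_keytool_list(keytool_exe, keystore_path, storepass):
    """Run keytool -list (assumed invocation of the bundled JDK keytool) and return its output."""
    completed = subprocess.run(
        [keytool_exe, "-list", "-keystore", keystore_path, "-storepass", storepass],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: check_dws_keystore.py <keytool.exe> <keystore path> <keystore password>")
        sys.exit(2)
    result = check_keystore(run_keytool_list(*sys.argv[1:]))
    for alias, entry_type in result["entries"].items():
        print(f"{alias}: {entry_type}")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    sys.exit(0 if result["private_key_ok"] else 1)
```

The keystore password is the keystorePass value from server.xml (step 3). Passing it with -storepass keeps the helper non-interactive but exposes it to anyone who can list processes on the host; on a shared server, run the keytool command from step 6 by hand and let it prompt instead, then feed the saved output to check_keystore.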

After changing the DWS certificate

  1. Restart DWS.
  2. Run DWS Server Web Admin.
  3. Click the Security tab.

    The certificates identified by DWS are listed.

  4. Scroll to the Server Certificates section at the bottom.
  5. In the row for the DWS server, click the Re-pin link.
  6. Repeat steps 2 to 5 for each DWS in your high-availability configuration.
  7. If the certificate authority is not trusted by your devices, you may see the message Certificate Security credentials could not be verified. To resolve this, add the certificate authority to the trusted root certificates list on the device by going to Security > External Certificate Setting.