Device certificate management

During the installation from DRS, the device certificate is validated against a known certificate authority (CA) to provide a secure connection with the device. If the device certificate is not from a known CA, the certificate is pinned. Secured connections with DWS fail if the certificate cannot be validated or if the certificate does not match the certificate that was pinned during install.

Some Xerox devices have a certificate from a known Xerox Root CA. These are automatically accepted by DWS. See the Xerox device documentation for information about certificates.

If you use your own certificate, it will need to be pinned. You can unregister and register the Unified Client on the device to re-pin the certificate automatically. Alternatively, you can pin the certificate manually with these steps.

  1. Locate the pinned device certificates by searching for dws.jks in the DWS folder.

    For example: C:\Windows\System32\config\systemprofile\AppData\Local\Nuance\Integrated\DWS\webserver\webapps\DwsMain\WEB-INF\felix-cache\bundle20\data

  2. Delete the current pinned certificate for the device. This enables you to replace the certificate without having to unregister and register the device again. Certificates have an alias, such as xeroxuc devicehostename 0. Do the following:
    1. List the certificates to locate the alias for the certificate. Use the following command to list the contents of the keystore.

      The keytool.exe program is located in the DWS Installation Folder. (For example: C:\Program Files\Nuance\Shared Services\DWS)

      "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -list -v -keystore "<Keystore File>"

      If you only want to list the aliases, use this command:

      "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -list -v -keystore "<Keystore File>" | findstr Alias
    2. Delete the existing certificate by using the following command.

      "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -delete -alias "<alias>" -keystore "<Keystore File>"
  3. Import the certificate as follows:
    • To import a CA certificate, use the following command. Enter the alias of the certificate that you removed earlier.

      "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -import -file "<Certificate file>" -alias "<alias>" -keystore "<Keystore File>"
    • To import your device certificate, use the following command. Enter the alias of the certificate that you removed earlier.

      "<DWS Installation Folder>\JDK\jre\bin\keytool.exe" -import -file "<Certificate file>" -alias "xeroxuc devicehostename 0" -keystore "<Keystore File>"