Trying to do automatic certs for printer login pages.
Posted by z0mb13r3dd1t@reddit | sysadmin | 33 comments
Hello!
I’ve been working on securing our printer login pages across about 30 printers in 13 locations.
Recently, I started experimenting with Caddy and NGINX Proxy Manager, but I haven’t been able to get either working as expected. The printers use port 8000 for the main login page, and when accessing security settings, they redirect to port 8443.
At this point, I’m starting to wonder if this setup is even possible, or if I’ve misunderstood something in the configuration.
So far, I’ve been testing primarily with a Canon MFP printer (model: IR-ADV C3926). I’ve seen that it supports SCEP, and we currently use Intune SCEP for issuing certificates to user devices. However, I’m unclear on how to properly configure this for printers.
From what I can tell, it seems like I might need to set up a separate NDES server with a static challenge password—but I’m not sure if that’s the right approach.
Has anyone implemented something similar?
How did you secure printer web interfaces?
How do you handle automatic certificate renewal on devices like printers?
Any guidance would be appreciated. Thanks!
mjewell74@reddit
So what you'd need to do is assign a DNS name to each printer, then generate certs for each one, the reason you need DNS is most providers won't generate certs for IPs instead of DNS names.
If you install OpenSSL on your computer you can generate private keys and CSRs to upload, then load the returned cert and key on the specific printer.
TheFluffiestRedditor@reddit
Ewwwww never recommend creating certs manually with OpenSSL. Unless you really hate someone.
mjewell74@reddit
I've written scripts for it, very easy once you know the command lines.
TheFluffiestRedditor@reddit
I wore my first management scripts for OpenSSL in 2004. I learned a lot, but it was hideous and unnecessary. It’s even less fit for purpose now, as there are so many better options that don’t require a hundred hours of learning to understand and use.
mjewell74@reddit
Dude, it's 3 lines to generate an ECC key and certificate request and verify it, it's not rocket science... you're not building an entire CA...
openssl ecparam -name secp384r1 -genkey -noout -out %2_ECC.pem
openssl req -new -sha256 -config req.conf -reqexts v3_req -key %2_ECC.pem -out %2.csr
openssl req -text -noout -verify -in %2.csr
my script even creates the req.conf including SAN entries for you...
IlPassera@reddit
Why do you even need them? The only people who access our printers via the login page is IT so we just leave them cert-less. Printers should not be exposed to the internet so there's no real reason to put a cert in front of them.
z0mb13r3dd1t@reddit (OP)
Main reason we're trying I think is because our required pen tests keep flagging them as "Unsecured login pages". While I agree it's not a critical issue, we're just trying to do better and learn more about zero-trust infrastructure in general. My boss asked me to look into ways to secure the pages and I was hoping to find a better way than manually generating certs and deploying, if possible.
IlPassera@reddit
Why can your pen testers even reach those pages? They should be on a secured subnet with firewall rules so that only your techs can access them over 443 or 80. Unless you're giving your pen testers privileged accounts they shouldn't even be able to reach them. This is a firewall issue, not a certificate issue.
ajf8729@reddit
This!!!!!! This is what we call “compensating controls” that silly InfoSuck folks that just read Nessus dashboards refuse to comprehend. Printer admin interfaces should only be accessible from like 1 subnet or jump box or whatever, and then who cares. The admin password for all of them is likely identical and dumb anyway.
Casty_McBoozer@reddit
What do you do for vulnerability scanners? Do you firewall those off? Accept the self signed SSL risk?
IlPassera@reddit
A vulnerability scanner wouldn't even know that subnet exists. Nothing would respond because it's not running on a network that would allow communication.
Casty_McBoozer@reddit
So your answer is that you firewall off your vulnerability scanner.
Arudinne@reddit
This is the way. We have our printers segmented off into their own VLAN/subnet and only the print server and IT users can reach them, and even then only on specific ports.
ShelterMan21@reddit
Do you guys allow AirPrint? Maybe it's because I have only been in smaller environments, but when I have put printers on their own subnets AirPrint breaks 9 times out of 10, and using something like mDNS to redirect the traffic doesn't work either, so I am assuming it's a non-issue because AirPrint is outright not allowed.
IlPassera@reddit
Absolutely not. Air printing is a security risk.
Arudinne@reddit
We don't allow it and disable it on any printer that supports it.
In addition, cell phones are not allowed on the corporate network. Guest only. The guest network is firewalled off from everything else and only has internet access.
Macs can either access the printers through good ol' fashioned SMB or via Universal print.
ShelterMan21@reddit
I wish some of my small business clients didn't rely so much on printing from their phones or else I would lock it down more but they also never get pentested.
vppencilsharpening@reddit
Don't forget to secure outbound too. We have like four devices that can connect to a mail relay endpoint for sending scans and everything else is isolated to the printer network zone.
I'm considering killing printer-to-printer traffic with ACLs, but feel a little paranoid doing that.
z0mb13r3dd1t@reddit (OP)
Thank you!
z0mb13r3dd1t@reddit (OP)
Thank you for the insight! I'll bring this up to my team to see if this is a more feasible route for us to go. Most of our sites have very basic networking. I think we have a wired subnet and a wireless subnet, that's it. All sites are tied together via VPN tunnels.
Vodor1@reddit
It may void the pen test at some level. For the most part they won't see the devices but half of the point of it is the vulnerability scan side (I presume you do this too) so you really need to know if the printers are vulnerable as well, even if no one but your techs can see them.
Also, on reports you should be able to mark them as acceptable - Remember, there is no such thing as a perfect network.
ErrorID10T@reddit
It's possible the pen testers may request being given access to scan even the isolated networks, in which case you let them do their scans, highlight every complaint they have about "unsecured devices" on that network, and write it off as an exception based on the network isolation that has been put in place for devices which only support self-signed certificates. I usually find pen testers and auditors are quite happy with any solution to the vulnerability, and isolating or quarantining the device is a perfectly acceptable solution.
Ciconiae@reddit
Setting up a proxy may not solve your problem. The pen testers will want access to the VLAN with the printers with the angle of testing what happens if someone gets into the trusted part of your network. You might be OK if you also configure the printers themselves to only accept traffic from your proxy and print server(s).
Other option is to get the right people to check the box of accepting the risk. Which is the nice way of telling the pen testers to fuck off.
Commercial-Fun2767@reddit
I’m thinking that’s like cleaning the floor with a toothbrush. Really great result, but we don’t have time.
Reverse proxy with ssl looks good enough, but can’t you get screwed because it’s not ssl between the proxy and the device? Better than nothing but still…
Just isolate and monitor. And least privilege. And patch.
Adam_Kearn@reddit
At the end of the day is it really worth it?? If yes then go for it.
But personally I’m not that bothered. I would rather only allow one specific VLAN to access local HTTP services like printers and switches.
Then just assign that VLAN to my computer only.
If you really wanted to do this then one of these two ways would be how to go about this.
——
You will need to create your own certificate authority (choose a life span of 100 years).
If you are running AD then just install the role on one of the servers. (You might already have this set up.)
You then create another certificate using this CA for the IP address of the printer as the hostname instead of domain/dns name.
Go to the printers web ui and enroll both the CA and certificate to the device.
Under the port settings under interfaces you will see an HTTPS port (:443). Enable this and disable the normal HTTP (:80) port.
Then push the CA out to all the devices you want to access this on.
If you have other services within your network you could use the same CA.
——
The other option which is a lot easier and also saves you the hassle of dealing with every device you own.
Create a VM and install Nginx Proxy Manager.
Create a new DNS zone called something like “infra.domain.com”
Create CNAME records for all your devices and services pointing them to the FQDN of the proxy manager “proxy.infra.domain.com”
“main-office-printer.infra.domain.com”….
Create this as an entry in the proxy manager and set the port to be the HTTP one.
On your firewall block all HTTP traffic coming from your internal network or VLAN
Add an exception to this rule if the traffic is coming from the IP address of the server running the proxy manager.
Then you can only access the non-SSL services through the proxy.
When clients use the DNS name it should route the traffic correctly and provide an SSL cert.
The benefit of doing it this way is that you only need to manage and maintain one single service and only need to replace the cert once a year instead of messing around with each printer.
z0mb13r3dd1t@reddit (OP)
I've been trying to do the Nginx proxy manager, but I think I've done something wrong. I have the CNAME record made, and I've set up the printer FQDN and IP as proxy host in NPM, but when I browse to the FQDN, it just redirects me to the printer page with no cert. I've tried specifying https and I've set the force SSL option, but no luck so far.
Adam_Kearn@reddit
Can you take a photo of the proxy manager? And also one of what you have set in the DNS for the record?
The DNS name should be pointed to the proxy manager and the record within the proxy manager should then be going to the printer.
printer.infra.domain.com -> proxy.infra.domain.com -> IP address
z0mb13r3dd1t@reddit (OP)
Yes, but one thing I'd like to mention is that this is for an internal domain. We have the domain registered, but no A record exists because it's only meant to be accessible internally. Based on your logic, would it be best for me to make a record on our internal DNS for the printer FQDN and then specify the IP/FQDN of the proxy manager? I did the CNAME record in our Cloudflare host, but I'm assuming it's resolving internally before trying to go to Cloudflare.
Adam_Kearn@reddit
Yeah. This would need to be done all internally.
Just create a new zone within the DNS manager of one of your DCs
z0mb13r3dd1t@reddit (OP)
Do I need to make a new zone? What's the purpose of that? Just genuinely curious, not trying to throw shade.
z0mb13r3dd1t@reddit (OP)
Holy shit it's working! I just did a cname record on internal dns and it's functioning! Thanks for hashing this out and helping me double check my understanding.
Adam_Kearn@reddit
Nice. I’m glad you got it working in the end.
The best part of using Nginx Proxy Manager is you can now manage all your services and renew the SSL certs centrally.
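For anyone doing the same thing without the Proxy Manager GUI, here is what the "proxy host" entry boils down to in plain nginx terms: TLS terminates at the proxy and the request is forwarded to the printer's HTTP port. The script below is an added example, not the thread's or the NPM project's code; it renders one server block per line of a constructed inventory (hostname, printer IP, HTTP port). Hostnames under infra.example.internal, the IPs, and the cert path are placeholders.

```shell
#!/usr/bin/env bash
# Added example: render nginx server blocks for the "CNAME -> proxy -> printer" pattern.
# Inventory entries and paths below are constructed placeholders.
set -eu

# Usage: gen_proxy_site <public fqdn> <printer ip> <printer http port> <cert dir>
# The cert dir is expected to hold <fqdn>.crt and <fqdn>.key (assumption for this example).
gen_proxy_site() {
  local fqdn="$1" ip="$2" port="$3" certdir="$4"
  cat <<EOF
server {
    listen 80;
    server_name ${fqdn};
    return 301 https://\$host\$request_uri;      # plain HTTP only ever redirects
}

server {
    listen 443 ssl;
    server_name ${fqdn};
    ssl_certificate     ${certdir}/${fqdn}.crt;
    ssl_certificate_key ${certdir}/${fqdn}.key;

    location / {
        proxy_pass http://${ip}:${port};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Rewrite Location headers that point back at the printer's own address,
        # so a login redirect stays on the proxied name instead of the bare IP.
        # A device that redirects to a different port (like the 8443 security
        # pages mentioned in the question) needs its own mapping in addition.
        proxy_redirect http://${ip}:${port}/ /;
    }
}

EOF
}

# Usage: render_inventory <cert dir> ; reads "fqdn ip port" lines from stdin, skips comments.
render_inventory() {
  local certdir="$1" fqdn ip port
  while read -r fqdn ip port; do
    case "$fqdn" in ''|'#'*) continue ;; esac
    gen_proxy_site "$fqdn" "$ip" "$port" "$certdir"
  done
}

# Constructed inventory: one line per device, pointing at the HTTP port, not the HTTPS one.
INVENTORY='# fqdn                                        ip          http_port
main-office-printer.infra.example.internal    10.0.0.50   8000
branch-printer.infra.example.internal         10.0.1.50   8000'

# Stand-alone run: print the rendered config (pipe into a file under conf.d and run nginx -t).
printf '%s\n' "$INVENTORY" | render_inventory /etc/ssl/proxy
```

The DNS side stays as described above: each FQDN is a CNAME to the proxy's name on the internal DNS, and the firewall only lets the proxy's IP reach the printers' HTTP ports. The hop from the proxy to the printer is still plain HTTP, which is the point Commercial-Fun2767 raised; the segmentation rule is what keeps that hop out of reach of other clients.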
Entire_Dependent8214@reddit
Eh..30 printers. Stop overthinking. Takes an hour ~ manually.