Generate a Certificate

You can generate a certificate through SCEP or through an Active Directory Certificate Authority. The arguments, their descriptions and their possible values are listed below.

--address
    Address of the MFP (required).

--deviceuser
    The account used to authenticate to the device (required).

--devicepassword
    The password of the account used to authenticate to the device.

--type
    The mechanism used to generate the certificate (required).
    Possible values: scep, winca, selfsigned

--configstring
    Required only for type "winca". The Certificate Authority configuration string used to connect to the Windows Certificate Authority that will issue the certificate.

--template
    Required only for type "winca". The Certificate Authority enrolment template to use for generating the certificate.

--attributes
    Optional; applies only to type "winca". Additional attributes sent to the Active Directory Certificate Authority when generating the certificate.
    For example, Subject Alternative Names can be added by specifying "san:" followed by the attribute value.
    Possible values: san:dns=dns.name[&dns=dns.name]

    Multiple DNS names are separated by an ampersand (&). For example, if the name of the MFP is mfp1.ricoh.com and its alias is copier1.ricoh.com, both names must be included in the SAN attribute, which gives the attribute string:

        san:dns=mfp1.ricoh.com&dns=copier1.ricoh.com

    For multiple attributes, each attribute must be on a separate line, e.g.

        AttributeName1:AttributeValue1
        AttributeName2:AttributeValue2

    Whether a SAN can be set through additional attributes depends on the EDITF_ATTRIBUTESUBJECTALTNAME2 flag of the Certificate Authority (CA). If the flag is disabled, the CA ignores the SAN attribute when creating the certificate; if it is enabled, the CA recognises the SAN attribute and includes it in the certificate.

    Enabling this option may expose your system to attackers. Consult the Microsoft documentation and weigh the risk before you enable it.

    To enable EDITF_ATTRIBUTESUBJECTALTNAME2 on your Certificate Authority, log in to the Windows Certificate Authority server as an Administrator and run:

        certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

    To check the currently enabled settings, run:

        certutil -getreg policy

--scepurl
    Required only for type "scep". The URL of the SCEP server.

--scepcertvalidation
    Used only for type "scep" when SSL is used to communicate with the SCEP server (the URL starts with "https"). If set to true, the connection to the SCEP server is completed only if its SSL certificate can be validated as a trusted certificate. Trusted root certificates are managed through the built-in Windows certificate management.
    Possible values: true, false (default: false)

--scepprivatekey
    Required only for type "scep". The private key certificate used to communicate with the SCEP server.
    Possible values: must be a PKCS12 certificate

--sceppkpassword
    Required only for type "scep". The password for accessing the PKCS12 private key certificate.

--onlyssl
    Allow only an SSL connection to the device.
      • If false: Certificate Management Tool attempts to connect using SSL and, if a connection cannot be made, falls back to a non-SSL connection. Certificate Management Tool does not validate certificates when communicating via SSL.
      • If true: Certificate Management Tool only attempts to connect using SSL. The device must already have been configured with a certificate for SSL communications.
    Possible values: true, false (default: false)

--certvalidation
    Used only when "onlyssl" is set to true. If "certvalidation" is also set to true, a connection to the device is established only if its SSL certificate can be validated as a trusted certificate. Trusted root certificates are managed through the built-in Windows certificate management.
    Possible values: true, false (default: false)

--cn
    The common name used for the certificate signing request (required).

--org
    The organization used for the certificate signing request (required).

--ou
    The organizational unit used for the certificate signing request (required).

--email
    The email address used for the certificate signing request (required).

--city
    The city/locality used for the certificate signing request (required).

--state
    The state/province used for the certificate signing request (required).

--country
    The country used for the certificate signing request (required).

--alg
    The signature algorithm used for the certificate signing request (required).
    Possible values: sha1WithRSA-1024, sha1WithRSA-2048, sha256WithRSA-2048, sha256WithRSA-4096, sha512WithRSA-2048, sha512WithRSA-4096

--certnumber
    The MFP certificate location (required).
    Possible values: 1-6
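As an added helper that is not part of the Certificate Management Tool or of this page, the Python below builds the --attributes value in the "san:dns=a&dns=b" plus one-attribute-per-line format described above, and reads the EditFlags DWORD from the output of `certutil -getreg policy\EditFlags` to report whether EDITF_ATTRIBUTESUBJECTALTNAME2 (Microsoft's documented bit value 0x40000) is set on the CA; the certutil output is a constructed sample, not captured from a real CA.

```python
import re

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 in the CA's policy\EditFlags DWORD (0x40000 = 262144).
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen; labels joined by dots.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def build_attributes(dns_names, extra=None):
    """Return the --attributes value: 'san:dns=a&dns=b' first, then one 'Name:Value' per line."""
    names = []
    for raw in dns_names:
        name = raw.strip().lower()
        if not _HOSTNAME_RE.match(name):
            raise ValueError(f"invalid DNS name for SAN: {raw!r}")
        if name not in names:            # de-duplicate while keeping order
            names.append(name)
    if not names:
        raise ValueError("at least one DNS name is required for the SAN attribute")
    lines = ["san:" + "&".join(f"dns={n}" for n in names)]
    for key, value in (extra or {}).items():
        # Each attribute is Name:Value on its own line, so no embedded newlines,
        # and the name may not contain the separating colon.
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError(f"attribute {key!r} contains a forbidden character")
        lines.append(f"{key}:{value}")
    return "\n".join(lines)


def san_attribute_enabled(certutil_output):
    """True if EDITF_ATTRIBUTESUBJECTALTNAME2 is set in 'certutil -getreg policy\\EditFlags' output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9A-Fa-f]+)", certutil_output)
    if not m:
        raise ValueError("no 'EditFlags REG_DWORD = <hex>' line found in certutil output")
    return bool(int(m.group(1), 16) & EDITF_ATTRIBUTESUBJECTALTNAME2)


# Constructed sample (not captured from a real CA) of 'certutil -getreg policy\EditFlags' output.
SAMPLE_EDITFLAGS_ENABLED = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\EXAMPLE-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
CertUtil: -getreg command completed successfully.
"""

if __name__ == "__main__":
    print(build_attributes(["mfp1.ricoh.com", "copier1.ricoh.com"]))
    print("SAN via request attributes enabled on CA:", san_attribute_enabled(SAMPLE_EDITFLAGS_ENABLED))
```

The CA service (certsvc) must be restarted after changing EditFlags for a new value to take effect, so re-run the check after the restart rather than immediately after `-setreg`.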

 

Sample Output – Success (SCEP/WINCA)

Downloading server certificate information

Starting device session

Locking device

Creating CSR

Creating certificate

Installing certificate

Unlocking device

Ending device session

 

Sample Output – Success (SelfSigned)

Starting device session

Locking device

Creating SelfSigned Certificate

Unlocking device

Ending device session

 

Sample Output – Error (Bad device password)

Starting device session

Start Session on device failed. Error code: 4, Message: An error occurred communicating with the device