Onboard an HP printer to a Wi-Fi network with certificates

In this topic, you will learn how to use certificates to onboard an HP printer compatible with 802.1X to a Wi-Fi network managed by Portnox™ Cloud, using the self-onboarding portal, a Windows computer, and the HP Smart application.

Before you begin, please note the following:

  • In this procedure, you use the Windows computer to configure the printer remotely, to get the certificate for the printer from the self-onboarding portal, and to add a password to the private key. You can also do these steps on a macOS system. However, to add a password to a private key on macOS, you will need to install and use third-party software such as OpenSSL.

  • If you want Portnox Cloud to generate a certificate for your printer through the self-onboarding portal, you must first create a user account that represents the printer in your integrated authentication repository or directly in Cloud. You must then be able to log in to the self-onboarding portal using that user account. After you complete the onboarding procedure, we recommend that you disable user logins for this account in your authentication repository or change the password if you use Cloud as your authentication repository. While we recommend creating individual accounts for each printer, you can also use a common user account for all printers or current user accounts.

  • We know that the following HP printer models are compatible with 802.1X Wi-Fi networks: HP LaserJet Pro 3001-3008, 4001-4004, MFP 3101-3108, 4101-4104. If your printer model is not one of these models, consult your documentation or contact your HP sales representative to find out if your HP printer is compatible with 802.1X. The HP Embedded Web Server currently does not support 802.1X for wired networks.

  • Update the firmware on your printer to the latest version. We have encountered problems with 802.1X connectivity caused by outdated firmware.

  • We assume that you use the HP Smart software to manage and configure your printer. If not, please download and install HP Smart from the Microsoft Store and make sure you can connect to your printer using this software before you add the new certificate. While you can also configure the printer using the HP Embedded Web Server and a browser, this will become difficult after you install the new certificate, because HP printers use the same certificate for 802.1X authentication and for browser authentication, and browsers may be unable to recognize the self-signed certificates generated by Cloud.

  • The HP Embedded Web Server also supports authentication with credentials. However, it only supports LEAP and PEAP EAP methods, which are not secure. Therefore, we do not recommend and we do not provide instructions on setting up HP printers with credential-based 802.1X. If you must use credentials, Portnox Cloud supports PEAP, but only with the latest HP firmware installed.

Download the root CA certificate from Portnox Cloud

In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.

HP Smart asks you to upload a root CA certificate when configuring 802.1X connections. This is necessary so that the printer can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand side menu, click on the Services > CLEAR RADIUS SERVICE > CLEAR RADIUS instance option.

    The right-hand pane shows the list of active servers.

  3. Click on any of the active RADIUS services to show its configuration.
  4. Click on the Download root certificate link to download the root CA certificate.

    Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.

Generate the user certificate for the printer

In this section, you will generate the certificate for the printer using the self-onboarding portal, and download it to your Windows computer.

Important: In the following steps, log in using the user account that you created for the printer, not your own user account.
  1. Enter the URL of the self-onboarding portal in your browser.

    To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.

  2. In Step 1, select the third option: CLEAR account certificate management and click on the Next button.

  3. In Step 2, you can select the Corporate email address option or the Corporate username and password option. Select the Corporate email address option if Portnox Cloud manages your user repository. Select the Corporate username and password option if you have integrated Cloud with an external repository. Proceed with the following steps depending on your choice.
  4. If you have chosen Corporate email address:
    Important: Only choose the Corporate email address option if Portnox Cloud manages your user repository. Cloud manages the user repository if it’s not integrated with any external repositories such as Microsoft Azure (Entra ID), Google Workspace, or Okta Workforce Identity.
    1. In the Email field, enter your corporate email address and click on the SIGN IN button.

      If you activate the Automatically generate secure password and send me by email checkbox, you will receive a separate email with a Portnox Cloud password. If so, you should use this password in the next steps.

    2. Open your email client and find the email received from Portnox Cloud containing a one-time activation code. Copy this code to the clipboard.

      If you activated the Automatically generate secure password and send me by email checkbox in the previous step, do not confuse the password email with the code email. They are two separate emails.

    3. In the self-onboarding portal, paste the code in the Activation code field and click on the CONFIRM button.

  5. If you have chosen Corporate username and password:
    1. Click on the tile that represents the authentication repository you want to use to sign in. If you want to use Okta Workforce Identity, enter your Okta login and password and click on the SIGN IN button.

      Note: Options depend on the repositories integrated with Portnox Cloud: Microsoft Azure (Entra ID), Google Workspace, and/or Okta Workforce Identity.
    2. Complete the steps needed to sign in. These steps depend on the chosen authentication repository.
  6. Click on the OBTAIN CERTIFICATE button to download the user certificate generated for your device.

    Note: If you want to replace a certificate you created earlier, for example, because the old one expires soon, click on the REISSUE CERTIFICATE button instead.

Result: You downloaded the certificate and the corresponding private key.

Add a password to the printer certificate’s private key

In this section, you will temporarily import the downloaded certificate and then export it again, adding a password to the private key.

By default, private keys generated by Portnox Cloud and included with certificates have empty passwords. However, HP Smart does not accept an empty password for the private key, so you need to add a password to the private key to use the certificate with your HP printer.

  1. Import the downloaded certificate.
    1. Double-click on the downloaded certificate file to temporarily install the certificate in your Windows certificate store.

      To export the private key from the certificate, you must first install it, marking the private key as exportable. You cannot export the private key directly from the downloaded certificate without installing it.

    2. In the first step of the Certificate Import Wizard, click on the Next button.

      In this step, you select the user certificate store by default. Note that you will delete the certificate after you add the password to the private key, so the selected certificate store is not important.

    3. In the second step of the Certificate Import Wizard, click on the Next button.

    4. In the third step of the Certificate Import Wizard, leave the Password field empty, activate the Mark this key as exportable checkbox, and then click on the Next button.

      You must leave the password field empty because private keys included with Portnox Cloud certificates by default have empty passwords.

    5. In the fourth step of the Certificate Import Wizard, click on the Next button.

    6. In the fifth and final step of the Certificate Import Wizard, click on the Finish button.

  2. Export the certificate and the private key, adding a password to the private key.
    1. Open the Windows Certificate Manager by typing manage user certificates in the Windows search bar and clicking on the Manage user certificates icon.

    2. In the certmgr window, go to the Personal > Certificates folder and double-click on the certificate that you just imported.

    3. In the Certificate window, go to the Details tab, and click on the Copy to File button.

    4. In the first step of the Certificate Export Wizard, click on the Next button.

    5. In the second step of the Certificate Export Wizard, select the Yes, export the private key option, and then click on the Next button.

    6. In the third step of the Certificate Export Wizard, click on the Next button.

    7. In the fourth step of the Certificate Export Wizard, activate the Password checkbox and enter a password in the Password and Confirm password fields. Then, click on the Next button.

      You will use this password later when configuring the device.

    8. In the fifth step of the Certificate Export Wizard, specify the file name to save the exported certificate and private key. Then, click on the Next button.

      You can replace the previously imported file. The .pfx and .p12 extensions represent the same file format.

    9. In the last step of the Certificate Export Wizard, click on the Finish button.

  3. Delete the temporarily imported certificate from your certificate store.
    1. Select the certificate in your certificate store.

    2. Press the Delete key on your keyboard to delete the certificate and then click on the Yes button in the confirmation window.

Result: You added a password to the private key of the downloaded certificate.
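
For the macOS route mentioned at the start of this topic, the same result can be produced with OpenSSL on the command line. The following is an added example, not part of the Portnox or HP documentation; the file names and the P12_NEW_PASS environment variable are assumptions chosen for illustration. It reads the new password from the environment so that it does not appear in the process list, keeps the unencrypted key in a private temporary directory that is removed on exit, and checks the result before writing the output file.

```sh
# Added example (not Portnox or HP code). File names and the P12_NEW_PASS
# variable are assumptions chosen for this illustration.

# p12_opens_with <file> <openssl pass spec, e.g. "pass:" or "env:VAR">
# Returns 0 only if the PKCS#12 integrity check passes with that password.
p12_opens_with() {
    openssl pkcs12 -in "$1" -passin "$2" -noout 2>/dev/null
}

# p12_cert_fingerprint <file> <pass spec>: SHA-256 fingerprint of the client cert
p12_cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# add_p12_password <in.p12> <out.p12>
# Runs in a subshell so umask, trap and variables do not leak to the caller.
add_p12_password() (
    in_file=$1; out_file=$2
    [ -n "${P12_NEW_PASS:-}" ] || { echo "export P12_NEW_PASS first" >&2; exit 2; }
    # Refuse input that is not the empty-password bundle the procedure expects.
    p12_opens_with "$in_file" pass: ||
        { echo "input does not open with an empty password" >&2; exit 3; }

    umask 077                                  # temp files readable by owner only
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/p12.XXXXXX") || exit 4
    trap 'rm -rf "$tmp"' EXIT                  # remove the plaintext key on any exit

    # 1. Unpack key and certificates (the key is unencrypted inside $tmp only).
    openssl pkcs12 -in "$in_file" -passin pass: -nodes \
        -out "$tmp/bundle.pem" 2>/dev/null || exit 5
    # 2. Re-pack, encrypting with the new password taken from the environment.
    openssl pkcs12 -export -in "$tmp/bundle.pem" -out "$tmp/new.p12" \
        -passout env:P12_NEW_PASS || exit 6

    # 3. Verify: new password works, empty one no longer does, same certificate.
    p12_opens_with "$tmp/new.p12" env:P12_NEW_PASS || exit 7
    if p12_opens_with "$tmp/new.p12" pass:; then exit 7; fi
    [ "$(p12_cert_fingerprint "$in_file" pass:)" = \
      "$(p12_cert_fingerprint "$tmp/new.p12" env:P12_NEW_PASS)" ] || exit 8
    mv "$tmp/new.p12" "$out_file"
)

# Usage (constructed file names):
#   export P12_NEW_PASS; add_p12_password printer.p12 printer-protected.p12
```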

Configure the printer’s Wi-Fi connection

In this section, you will use HP Smart software to configure the printer for your Wi-Fi network managed by Portnox™ Cloud.

To be able to access the printer through HP Smart and configure the connection, you must first connect to the printer directly using Wi-Fi Direct, or connect the printer to a non-secured Wi-Fi or wired network. To connect to Wi-Fi Direct, go to Step one in the HP documentation for 802.1X connections. To connect to a non-secured Wi-Fi or wired network, follow the instructions in the printer manual or go to hpsmart.com/setup.

Note: This example is based on an HP LaserJet Pro 3002dw printer, which we connected to a secured Wi-Fi network with SSID VORLON.
  1. In the HP Smart user interface, click on the Printer Settings button.

  2. In the HP Smart left-hand side menu, click on the Advanced Settings option to open the Embedded Web Server in HP Smart.

  3. In the Embedded Web Server’s top menu, click on the Network option.

  4. Enter the PIN number for the printer and click on the Submit button.

    The PIN number is printed on a label inside the printer, in the cartridge access area.

  5. On the Network page, in the left-hand side menu, select Wireless (802.11) > Advanced.

  6. Configure the wireless network settings:
    1. In the Network Name > SSID field, enter the SSID of your network.

    2. In the Network Settings section, click on the WPA option, in the WPA Version field, select WPA2, and then click on the WPA-Enterprise option.

    3. In the Enable Protocols section, select the EAP-TLS option, and then click on the Configure button next to the Certificate Authority (CA) Certificate label.

    4. In the Install a Certificate Authority (CA) Certificate section, click on the Choose File button, select the root CA certificate file that you downloaded earlier from Portnox Cloud, and then click on the Finish button.

    5. Click on the Configure button next to the Printer Certificate label.

    6. In the Printer Certificate Options pane, select the Import a Certificate and Private Key option and click on the Next button.

    7. In the Import a Certificate and Private Key pane, click on the Choose File button, choose the certificate that you obtained from the self-onboarding portal (the file with the added private key password), in the Password field, enter the password you chose for the private key, and then click on the Finish button.

    8. Click on the Apply button to apply your changes and connect to the secured Wi-Fi network.

Result: The printer is connected to the Wi-Fi network managed by Portnox Cloud.