Onboard a HP printer to a Wi-Fi network with certificates
In this topic, you will learn how to onboard using certificates, a HP printer compatible with 802.1X, the self-onboarding portal, a Windows computer, the HP Smart application, and a Wi-Fi network managed by Portnox™ Cloud.
Before you begin, please note the following:
-
In this procedure, you use the Windows computer to configure the printer remotely, to get the certificate for the printer from the self-onboarding portal, and to add a password to the private key. You can also do these steps on a macOS system. However, to add a password to a private key on macOS, you will need to install and use third-party software such as OpenSSL.
-
If you want Portnox Cloud to generate a certificate for your printer through the self-onboarding portal, you must first create a user account that represents the printer in your integrated authentication repository or directly in Cloud. You must then be able to log in to the self-onboarding portal using that user account. After you complete the onboarding procedure, we recommend that you disable user logins for this account in your authentication repository or change the password if you use Cloud as your authentication repository. While we recommend creating individual accounts for each printer, you can also use a common user account for all printers or current user accounts.
-
We know that the following HP printer models are compatible with 802.1X Wi-Fi networks: HP LaserJet Pro 3001-3008, 4001-4004, MFP 3101-3108, 4101-4104. If your printer model is not one of these models, consult your documentation or contact your HP sales representative to find out if your HP printer is compatible with 802.1X. The HP Embedded Web Server currently does not support 802.1X for wired networks.
-
Update the firmware on your printer to the latest version. We have encountered problems with 802.1X connectivity caused by outdated firmware.
-
We assume that you use the HP Smart software to manage and configure your printer. If not, please download and install HP Smart from the Microsoft Store and make sure you can connect to your printer using this software before you add the new certificate. While you can also configure the printer using the HP Embedded Web Server and a browser, this will become difficult after you install the new certificate, because HP printers use the same certificate for 802.1X authentication and for browser authentication, and browsers may be unable to recognize the self-signed certificates generated by Cloud.
-
The HP Embedded Web Server also supports authentication with credentials. However, it only supports LEAP and PEAP EAP methods, which are not secure. Therefore, we do not recommend and we do not provide instructions on setting up HP printers with credential-based 802.1X. If you must use credentials, Portnox Cloud supports PEAP, but only with the latest HP firmware installed.
Download the root CA certificate from Portnox Cloud
In this section, you will download the Portnox™ Cloud root CA certificate from the Cloud portal.
HP Smart asks you to upload a root CA certificate when configuring 802.1X connections. This is necessary so that the printer can verify the validity of cloud RADIUS servers, which have certificates signed by this root CA certificate.
-
In the Cloud portal top menu, click on the Settings option.
-
In the Cloud portal left-hand side menu, click on the
option.
The right-hand pane shows the list of active servers.
- Click on any of the active RADIUS services to show its configuration.
-
Click on the Download root certificate link to download the root CA certificate.
Save the file on your disk to use it later. The default name of the file is rootCertificate.cer.
Generate the user certificate for the printer
In this section, you will generate the certificate for the printer using the self-onboarding portal, and download it to your Windows computer.
-
Enter the URL of the self-onboarding portal in your browser.
To learn how to set up the self-onboarding portal and obtain the URL, see the following topic: Set up the self-onboarding portal.
-
In Step 1, select the third option: CLEAR account certificate management
and click on the Next button.
- In Step 2, you can select the Corporate email address option or the Corporate username and password option. Select the Corporate email address option if Portnox Cloud manages your user repository. Select the Corporate username and password option if you have integrated Cloud with an external repository. Proceed with the following steps depending on your choice.
-
If you have chosen Corporate email address:
Important: Only choose the Corporate email address option if Portnox Cloud manages your user repository. Cloud manages the user repository if it’s not integrated with any external repositories such as Microsoft Azure (Entra ID), Google Workspace, or Okta Workforce Identity.
-
If you have chosen Corporate username and password:
-
Click on the OBTAIN CERTIFICATE button to download the user certificate generated for your
device.
Note: If you want to replace a certificate you created earlier, for example, because the old one expires soon, click on the REISSUE CERTIFICATE button instead.
Result: You downloaded the certificate and the corresponding private key.
Add a password to the printer certificate’s private key
In this section, you will temporarily import the downloaded certificate and then export it again, adding a password to the private key.
By default, private keys generated by Portnox Cloud and included with certificates have empty passwords. However, HP Smart does not accept an empty password for the private key, so you need to add a password to the private key to use the certificate with your HP printer.
-
Import the downloaded certificate.
-
Export the certificate and the private key, adding a password to the private key.
-
Delete the temporarily imported certificate from your certificate store.
Result: You added a password to the private key of the downloaded certificate.
Configure the printer’s Wi-Fi connection
In this section, you will use HP Smart software to configure the printer for your Wi-Fi network managed by Portnox™ Cloud.
To be able to access the printer through HP Smart and configure the connection, you must first connect to the printer directly using Wi-Fi Direct, or connect the printer to a non-secured Wi-Fi or wired network. To connect to Wi-Fi Direct, go to Step one in the HP documentation for 802.1X connections. To connect to a non-secured Wi-Fi or wired network, follow the instructions in the printer manual or go to hpsmart.com/setup.
-
In the HP Smart user interface, click on the Printer Settings button.
-
In the HP Smart left-hand side menu, click on the Advanced Settings option to open the
Embedded Web Server in HP Smart.
-
In the Embedded Web Server’s top menu, click on the Network option.
-
Enter the PIN number for the printer and click on the Submit button.
The PIN number is printed on a label inside the printer, in the cartridge access area.
-
On the Network page, in the left-hand side menu, select .
-
Configure the wireless network settings:
Result: The printer is connected to the Wi-Fi network managed by Portnox Cloud.