(for Webservices)
Introduction
This information describes the certificate requirements and configuration for a Tomcat based implementation of a Websocket server as it relates to the Zebra MultiPlatform SDK. The implementation allows Zebra Print DNA printers running Link-OS® to connect securely and communicate using the Link-OS Multiplatform SDK.
You will need an SSL certificate in order to establish communications between your Websocket server and a Print DNA printer. Although you may request and obtain a signed certificate from Zebra, we strongly recommend either creating and using your own self-signed certificates or obtaining them from a Publicly Trusted Certificate Authority. That provides you with greater flexibility and control of the certificates and ongoing management of them. As Zebra is not a trusted certificate authority, there's no advantage to obtaining a Zebra signed certificate.
The following sections describe the requirements and steps needed to create your own certificates or obtain one from Zebra.
API documentation for the SDK Weblink support is included in the Java API documentation.
More information regarding the Weblink/Websocket protocol can be found in the Weblink guide. Printer specific information and troubleshooting can be found in the Link-OS addendum.
Certificate Requirement Overview
This information supersedes what's included in the v2.14.5198 SDK due to changes in our certificate signing process and the ability to use self-signed or publicly trusted CA signed certificates.
Prior to Link-OS version 4, our printers only contained an embedded SHA-1 certificate for weblink connections. Through our firmware release notes, Zebra has given advance notice that SHA-1 support will be removed in a future version of the printer Link-OS operating system. This step is being taken to enhance product security. SHA-1 is still supported in Link-OS v6.x but is intended to be removed in Link-OS v7.0 and beyond.
If you have an existing application using a Zebra signed SHA-1 certificate for weblink connections, you may consider the need to transition to SHA-256 in the future.
Link-OS version 5 and later contain a SHA-256 embedded certificate and Zebra may now only issue SHA-256 signed certificates in accordance with our recommended security best practices.
Alternatively, you have the option not to use a Zebra signed certificate but to supply and use your own certificates which requires a certificate chain to be loaded onto every printer that needs to connect to your server. Security and certificate information related to Zebra printers can be found in our PrintSecure Administration Guide available here. This support article contains the instructions to create your own self-signed certificates.
Please note the following important information if you wish to use Zebra signed SHA-256 certificates:
- The time to sign and return certificate requests may take 7 – 10 days.
- Zebra SHA-256 signed certificates have a 3 year expiration period and will need to be renewed prior to the expiration date.
Note: Zebra does not provide a notification service of certificate expiry.
- Where certificates are required for development and test, the common name may be a computer hostname or static IP address. Since Zebra cannot verify domain ownership in this case, the certificate expiration period shall be shorter.
- All printers will require Link-OS 5 or later (available here) in order to successfully connect using this certificate.
- A new CA chain is required in combination with the SHA-256 signed certificate. If you have previously installed the ZebraCAChain.cer file, you will need to remove it and install the new CA chain provided with the signed certificate.
In addition, certificate requests need to conform to these requirements:
- The domain for the common name field of the certificate to be signed shall be either:
  - a specific non-wildcard subdomain (acceptable example: something.mydomain.com)
  - a wildcard that must contain a 'z' or 'zebra' or 'zserver' subdomain.

Acceptable Examples | Unacceptable Examples |
---|---|
*.z.mydomain.com | *.mydomain.com |
*.z.subdomain.mydomain.com | *.subdomain.mydomain.com |
*.zebra.mydomain.com | |
*.zebra.subdomain.mydomain.com | |
*.zserver.mydomain.com | |
*.zserver.subdomain.mydomain.com | |

  - a computer hostname or static IP address (for development and test only, which will have a shorter expiration period).
- The CSR must contain all the fields listed here with the addition of the email field.
  - It must include the correct 2-character ISO format country code detailed in the link above.
  - Shall not use a SHA1 signature algorithm.
- Proof of domain ownership by either of the following methods:
  - Sending the CSR to Zebra in an email where the email domain matches the domain in the CSR.
  - A Domain Control Validation challenge. Upload an HTML page with content we specify to a folder on the website for the common name you're using.
Note: This is not a requirement for certificates used for development & test as noted above.
This online tool
Note: The passkey should be something easy to remember but should not be distributed to anyone.
Note: The default password for the Java cacert keystore is: changeit
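A pre-submission check for the certificate request requirements listed above, given as an added example that is not Zebra's code or part of the original article. The function names are hypothetical, and two assumptions apply: the z/zebra/zserver label must sit directly after the `*`, as it does in every acceptable example in the table, and the country code is checked for format only, not against the ISO list.

```python
import ipaddress
import re

WILDCARD_LABELS = {"z", "zebra", "zserver"}   # subdomains the page allows under "*"
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def classify_common_name(cn):
    """Return (kind, acceptable) for a CSR common name under the rules above."""
    name = cn.strip().lower()
    try:
        ipaddress.ip_address(name)
        return ("static-ip", True)            # development and test only
    except ValueError:
        pass
    labels = name.split(".")
    wildcard = labels[0] == "*"
    rest = labels[1:] if wildcard else labels
    if not rest or not all(LABEL.match(label) for label in rest):
        return ("malformed", False)           # also catches "*" in a later label
    if wildcard:
        # Assumption: the allowed label directly follows "*" and is itself
        # followed by at least a two-label domain, as in the table's examples.
        ok = len(rest) >= 3 and rest[0] in WILDCARD_LABELS
        return ("wildcard", ok)
    if len(rest) == 1:
        return ("hostname", True)             # development and test only
    return ("specific-name", True)


def review_csr(common_name, country, email, signature_algorithm):
    """Collect the reasons a request would fail the requirements listed above."""
    problems = []
    kind, ok = classify_common_name(common_name)
    if not ok:
        problems.append(f"common name rejected ({kind}): {common_name}")
    if not re.fullmatch(r"[A-Z]{2}", country or ""):
        problems.append("country is not a 2-character code")
    if not email:
        problems.append("email field missing")
    if "sha1" in signature_algorithm.lower().replace("-", ""):
        problems.append("SHA-1 signature algorithm")
    return problems
```

The signature algorithm string is the name a CSR viewer reports, for example `sha256WithRSAEncryption`; the checker does not parse the CSR itself.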