I use ZeroSSL certificates for a domain I own on my internal home network. I’m using acme.sh to get the certificates, with DNS authentication via CloudFlare as my form of authentication as these systems are all on my internal network and aren’t accessible from the Internet.

One of the more challenging systems to automate the certificate replacement with was a OfficeJet Pro 9014e inkjet printer, due to the following gotchas:

PKCS#12 Bundle

The printer expects a PKCS#12 bundle, so this can be generated using OpenSSL using the following command line:

openssl pkcs12 -export -out cert.pfx -inkey [PATH]/cert.key -in [PATH]/cert.cer  

This will prompt for a password, which we will supply when we upload the bundle. The gotcha here is that the printer will not accept the full certificate chain (normally called fullchain.cer) - it will only accept the server certificate.

Uploading

I came across curl command lines for uploading the generated certificates on Peter Hicks' Blog , however these were not working for me. This turned out to be due to me using the hostname in order to access the printer. The following command line worked fine when using the IP address to upload the certificate:

curl -v --insecure -u admin:ADMIN_PASSWORD "https://X.X.X.X/Security/DeviceCertificates/NewCertWithPassword/Upload?fixed_response=true" --form certificate=@"cert.pfx" --form password="PASSWORD"

• PASSWORD being the PKCS#12 password you created above
• ADMIN_PASSWORD being the PIN on the HP sticker on the printer