Renewing Your SSL Certificate on macOS with Let’s Encrypt


Last updated February 22, 2026

Help! You’re a Systems Admin trying to renew or install a shiny new SSL certificate for your PaperCut NG or MF server on macOS, and you want it to just work. We get it.

SSL certificates are vital for secure communications between your PaperCut server and its clients. They keep sensitive info like usernames and print job data safe from prying eyes. And with Let’s Encrypt, you can get a free certificate that’s browser-trusted and ready to roll.

This step-by-step guide walks you through:

  1. Creating a full-chain certificate
  2. Importing it into PaperCut’s keystore
  3. Restarting PaperCut
  4. Checking it all worked

1. Get the required files and build the full-chain bundle

You’ll need:

  • 0001_cert.pem — your leaf certificate
  • 0002_chain.pem — the intermediate CA cert(s)

To build the full-chain bundle:

Open a terminal on your Mac and run:

cat 0001_cert.pem \
0002_chain.pem \
> trisco.uk-fullchain.crt

Order matters: always put the leaf cert first, followed by intermediates (closest to the leaf first). This keeps the TLS handshake happy.

2. Stop PaperCut and back up the Keystore

Before making any changes, let’s play it safe:

sudo launchctl unload /Library/LaunchDaemons/papercut.plist

sudo cp /Applications/PaperCut\ MF/server/server.keystore \
  /Applications/PaperCut\ MF/server/server.keystore.bak

3. Build the full-chain file

If you already have a full-chain cert—skip ahead! Otherwise, concatenate like this:

cat ~/ssl/trisco.uk/trisco.uk.crt \
~/ssl/trisco.uk/trisco.uk.chain.crt \
> ~/ssl/trisco.uk/trisco.uk-fullchain.crt

4. Import the full-chain certificate

Now, let’s drop that certificate into the PaperCut keystore using keytool:

sudo /Applications/PaperCut\ MF/runtime/mac/jre/Contents/Home/jre/bin/keytool \
-importcert \
-alias jetty \
-file ~/ssl/trisco.uk/trisco.uk-fullchain.crt \
-trustcacerts \
-keystore "/Applications/PaperCut MF/server/server.keystore" \
-storepass changeit

5. Restart PaperCut

Bring PaperCut back to life:

# Stop the server (if it's still running)
sudo launchctl unload /Library/LaunchDaemons/papercut.plist
#  Start the server
sudo launchctl load /Library/LaunchDaemons/papercut.plist

6. Verify it worked

  1. Check the certificate’s expiration date:

    openssl x509 -in ~/ssl/trisco.uk/trisco.uk.crt -noout -dates
    
  2. Then in your browser head to:

    https://<your-host>:9192
    
  3. Click the 🔒 lock icon and make sure your new cert is showing up loud and proud!
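
The shell functions below are an added example, not part of the original article or PaperCut's own tooling. `check_chain_order` tests the leaf-first ordering rule from step 1 on a bundle before you import it, and `served_cert` prints the certificate the running server actually presents, which the on-disk date check in step 6 does not show. The function names are hypothetical, and the host passed to `served_cert` is assumed to be your own server's name.

```shell
#!/bin/sh
# Added example (not PaperCut's code): two checks around the certificate swap.

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/cert-N.pem, print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# name_of FILE FIELD: print the subject or issuer name of one certificate file.
name_of() {
  openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# check_chain_order BUNDLE: succeed only if every certificate's issuer equals the
# subject of the certificate after it, which is what leaf-first ordering produces.
check_chain_order() {
  [ -r "$1" ] || return 2
  tmp=$(mktemp -d) || return 2
  count=$(split_bundle "$1" "$tmp")
  rc=0
  if [ "$count" -lt 2 ]; then
    echo "expected a leaf plus at least one intermediate, found $count" >&2
    rc=1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    if [ "$(name_of "$tmp/cert-$i.pem" issuer)" != \
         "$(name_of "$tmp/cert-$((i + 1)).pem" subject)" ]; then
      echo "certificate $i is not issued by certificate $((i + 1))" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# served_cert HOST [PORT]: print subject, issuer and dates of the certificate the
# running server presents (9192 is the HTTPS port used in this article).
served_cert() {
  openssl s_client -connect "$1:${2:-9192}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -dates
}
```

Run `check_chain_order ~/ssl/trisco.uk/trisco.uk-fullchain.crt` before step 4, and `served_cert <your-host>` after step 5 to confirm the new dates are the ones being served.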

That’s it! Your PaperCut MF/NG server is now running with a shiny new Let’s Encrypt certificate on macOS.

A special note to the number of PaperCut admins who have helped improve this article, including Jon R and others.

 


Category: How-to Articles

Subcategory: Security and Privacy

