

The Certificates tab allows you to import or create valid SSL certificates for a Vendor or Customer account, for use in the various interfaces, including SAFEQ Cloud Web UI, APIs, IPP print, and embedded terminal communications.

Trusted valid SSL certificates are required for HTTPS/IPPS printing from SAFEQ Cloud Client.

Trusted CA certificates

If the vendor or customer account is its own Certificate Authority (CA) and issues certificates for domain controllers, mail servers, etc., those CA certificates can be imported to SAFEQ Cloud for LDAPS and similar.

Export the certificates from the remote server to PEM or DER format, and click Import to import the trusted certificate.

Private certificate chains

To enable valid trusted SSL connections from SAFEQ Cloud Client to the SAFEQ Cloud server, whether through the SAFEQ Cloud Web UI in a web browser, API connections, IPP printing, or embedded terminals, import a valid SSL certificate chain in PFX or PKCS12 format.

These formats include both the public and private keys required for a server to create the encrypted connection. Certificates without the private key are ignored during import.

When importing private certificate chains, both the key pair and the keystore file have to be password protected with the same password.
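The following is an added example, not part of the SAFEQ Cloud documentation: one way to build a PKCS12 bundle with OpenSSL and check, before import, that it opens with the password and actually contains a private key. The function names, file names, the `safeq-tls` alias, the `PFX_PASS` variable, and the `print.example.test` host name are assumptions; the key and certificate are constructed throwaway samples.

```shell
#!/bin/sh
# Added example: package and pre-check a PKCS12 chain before import.
# All names below are hypothetical; sample key/cert are constructed.

# make_pfx KEY CERT OUT: bundle private key + certificate into OUT.
# openssl protects the key and the keystore with the single password
# read from $PFX_PASS (kept out of the process list via env:).
# Intermediate CA certificates can be appended with -certfile.
make_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -name "safeq-tls" -passout env:PFX_PASS
}

# check_pfx FILE: 0 = opens and holds a private key,
# 1 = unreadable or wrong password, 2 = no private key inside.
check_pfx() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout \
        2>/dev/null || return 1
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes \
        2>/dev/null | grep -q 'PRIVATE KEY' || return 2
    return 0
}

# pfx_demo: run the checks on constructed material and print the three
# return codes: good bundle, certificate-only bundle, wrong password.
pfx_demo() {
    d=$(mktemp -d) || return 1
    PFX_PASS='constructed-demo-password'; export PFX_PASS
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=print.example.test" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    make_pfx "$d/key.pem" "$d/cert.pem" "$d/good.pfx" || return 1
    # Certificate-only bundle: the kind that carries no private key.
    openssl pkcs12 -export -nokeys -in "$d/cert.pem" \
        -out "$d/certonly.pfx" -passout env:PFX_PASS || return 1
    check_pfx "$d/good.pfx" && a=0 || a=$?
    check_pfx "$d/certonly.pfx" && b=0 || b=$?
    PFX_PASS='wrong-password'
    check_pfx "$d/good.pfx" && c=0 || c=$?
    rm -rf "$d"
    echo "$a $b $c"
}

pfx_demo   # prints: 0 2 1
```
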

Generating certificate chains

Instead of importing a trusted certificate chain, you can generate it using the default SAFEQ Cloud CA certificate as an issuer. Certificates can be generated for two purposes: TLS server security and token signing. When generating a TLS certificate, select the domain name for which the chain will be generated from the drop-down list. Embedded clients will then be able to connect to this domain name without a warning.

For TLS security, creating a self-signed certificate chain is not recommended and should only be used for test purposes. For proper transport layer protection, a trusted certificate chain created by a trusted certificate authority must be imported.

Generating a certificate chain for token signing

Some external clients require an authorization token when calling SAFEQ Cloud public API functions. The token is only issued when there is a signing certificate chosen in the account's PKI settings. By default, each newly created account has a special signing certificate chain created which is also set as a default signing certificate in the PKI settings. It is possible to re-generate it manually or choose another certificate (e.g., import a trusted chain) for signing purposes.
