Set up an SSL certificate on an HP printer with Let's Encrypt

June 9, 2026

I hate legacy systems

This guide was tested on the HP DeskJet 3637. Your mileage may vary depending on how outdated the built-in web server on your specific printer model is. For reference, the latest firmware on the 3637 as of writing this blog post has the version string SWP2FN2223AR and was built on May 30th, 2022.

  1. Set a static IP address for your printer if you haven’t done so already. (This also resolves some headaches where your printer suddenly stops working after the DHCP lease expires and you have to reinstall the driver 6-7 times and make a blood sacrifice)
  2. Set up an A record in your DNS that points to your printer’s static IP address (something like print.example.com -> 192.168.0.150)
  3. Run certbot: 
    certbot certonly -v --manual --preferred-challenges dns -d print.example.com --key-type rsa
    The --key-type rsa flag is important. The newer, recommended key type is EC, but the shitty HP printer doesn’t recognize it because of course it doesn’t (grr HP)
  4. Follow the prompts to go through the DNS challenge
  5. Once you have the individual certificate files, note down the paths where certbot generated them. We need to bundle them into a PKCS#12 bundle. Use openssl: 
    openssl pkcs12 -export -out printer.pfx -inkey privkey.pem -in cert.pem
    You’ll be prompted for an export password. Just type a temporary one. You’ll need it in a bit.
  6. Browse to your printer’s IP (or domain), and go to “Network > Advanced Settings > Certificates”
  7. Click on “Configure”, then “Import a Certificate and Private Key”
  8. Upload the printer.pfx file you generated in step 5, type in the temporary password you chose, and leave “Mark private key as exportable” unchecked.
  9. Click “Finish” to save.

Now to rinse and repeat every 3 months.

Of course, this entire thing could be built into the webUI, but at that point, is the printer made by HP with how user-friendly it is?

Some more notes because I forgot to write them in the first draft:

  • Q: Ew, HP?

    A: It was $10 on Facebook Marketplace. The ink cartridges cost more.

  • Q: Why not use the “Certificate Request” option on the HP webUI?

    A: Because it generates public keys with the exponent set to 3, and no self-respecting CA in this day and age would ever accept it. Please don’t ask me how I suffered through this.