Asymmetric Key Pair Configuration
Last Updated: April 07, 2026
By default with Off-Network Print (ONP), the Client or app generates a symmetric key to encrypt the print job before sending it through the Transport Layer Security (TLS) tunnel to the gateway and the Internal Routing Service (IRS). The request header includes the symmetric key, which the IRS uses to decrypt the print job.
A public-private key pair adds an extra layer of encryption. In this process, the Virtual Appliance generates the symmetric key and encrypts both the job and the key using the public key. At the IRS, the private key decrypts the symmetric key, which is then used to decrypt the print job.
The steps below guide you through the configuration and application of a public-private key pair.
Requirements
Review the following requirements:
- Configure ONP. For more details, refer to Off-Network Print (ONP): Customer-Hosted Gateway.
- Have at least one Service Client running the IRS.
- Have an asymmetric public-private key pair.
- Supported key pairs include 4096-bit Rivest-Shamir-Adleman (RSA) with Public Key Cryptography Standards (PKCS) #8.
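One way to create a key pair that meets this requirement and to check it before placing it on the IRS Service Client, shown as an added example that is not part of the vendor's documentation. It assumes a POSIX shell with the OpenSSL command-line tool, PEM encoding, and an unencrypted private key file; the file names `onp_private.pem` and `onp_public.pem` are hypothetical.

```shell
#!/bin/sh
# Added example. File names (onp_private.pem, onp_public.pem) are assumptions.

# Create a 4096-bit RSA key pair; genpkey writes the private key as PKCS#8 PEM.
# The body runs in a subshell so the umask change does not leak to the caller.
generate_keypair() (
    dir=$1; bits=${2:-4096}
    umask 077                       # new files are accessible by the owner only
    mkdir -p "$dir" || exit 1
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
        -out "$dir/onp_private.pem" 2>/dev/null || exit 1
    openssl pkey -in "$dir/onp_private.pem" -pubout -out "$dir/onp_public.pem"
)

# Return 0 only if the pair meets the stated requirement and the files match.
check_keypair() {
    priv=$1; pub=$2
    # Unencrypted PKCS#8 PEM begins "BEGIN PRIVATE KEY"; the older PKCS#1
    # form begins "BEGIN RSA PRIVATE KEY" and is rejected here.
    [ "$(head -n 1 "$priv")" = '-----BEGIN PRIVATE KEY-----' ] ||
        { echo "private key is not unencrypted PKCS#8 PEM" >&2; return 1; }
    # Key size as reported by OpenSSL, e.g. "Private-Key: (4096 bit...".
    bits=$(openssl pkey -in "$priv" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "$bits" = 4096 ] ||
        { echo "expected a 4096-bit key, found '${bits}'" >&2; return 1; }
    # The public key file must be the one derived from this private key.
    [ "$(openssl pkey -in "$priv" -pubout 2>/dev/null)" = "$(cat "$pub")" ] ||
        { echo "public key does not match private key" >&2; return 1; }
    # Group and other must have no access to the private key file.
    [ "$(ls -ld "$priv" | cut -c5-10)" = "------" ] ||
        { echo "private key is accessible beyond its owner" >&2; return 1; }
}

# Usage: sh onp_keys.sh /path/to/keydir
if [ "$#" -ge 1 ]; then
    generate_keypair "$1" && check_keypair "$1/onp_private.pem" "$1/onp_public.pem"
fi
```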
Process Overview
You perform these high-level procedures:
- Turn On the Key Pair.
- Add the Key Pair to the IRS.
1. Turn On the Key Pair
Follow these steps:
2. Add the Key Pair to the IRS
Follow these steps:
- Place the private key on the IRS Service Client device's local file system.
- Note the file path.
- Go to the IRS Service Client object in the Admin Console tree structure.
- Select the Internal Routing tab.
- Copy the public key body, and paste it in the Public Key Body field.
- Enter the path to the private key in the Path to Private Key field.
- Select Save.
When ONP uses this Service Client, it now applies the new encryption method. Repeat the steps on any other Service Clients on which you want to apply additional encryption.

