CUPS supports TLS encryption in two ways:
CUPS supports self-signed, CA-signed, and enterprise certificates, with configurable certificate validation, cipher suite, and SSL/TLS version policies.
Out of the box, CUPS uses a Trust On First Use ("TOFU") certificate validation policy like the popular Secure Shell (ssh) software, requires TLS/1.0 or higher, only allows secure cipher suites, and automatically creates a "self-signed" certificate and private key for the scheduler so that remote administration operations and printer sharing are encrypted by default.
The client.conf file controls the client TLS policies. The default policy is:
AllowAnyRoot Yes AllowExpiredCerts No Encryption IfRequested SSLOptions None TrustOnFirstUse Yes ValidateCerts No
A client can be configured to only communicate with trusted TLS/1.1+ servers and printers by copying the corresponding certificates to the client (see below) and using the following policy in the client.conf file or macOS® printing preferences:
AllowAnyRoot No AllowExpiredCerts No Encryption Required SSLOptions DenyTLS1.0 TrustOnFirstUse No ValidateCerts Yes
Similarly, if a client needs to support an older server that only supports SSL/3.0 and RC4 cipher suites you can use the following policy option:
SSLOptions AllowRC4 AllowSSL3
Two directives in the cups-files.conf file control the server (scheduler) TLS policies - CreateSelfSignedCerts and ServerKeychain. The default policy creates self-signed certificates as needed.
The DefaultEncryption and Encryption directives in the cupsd.conf file control whether encryption is used. The default configuration requires encryption for remote access whenever authentication is required.
On macOS, client configuration settings for ordinary users are stored in the ~/Library/Preferences/org.cups.PrintingPrefs.plist file. System-wide and user certificates are stored in the system and login keychains, with private CUPS keychains being used for self-signed and CUPS-managed certificates.
On Windows, client configuration settings are controlled by the SSL/TLS Group Policy settings and certificate stores.
Other platforms only use the client.conf file and PEM-encoded certificates (hostname.crt) and private keys (hostname.key) in the /etc/cups/ssl and ~/.cups/ssl directories. If present, the /etc/cups/ssl/site.crt file defines a site-wide CA certificate that is used to validate server and printer certificates. Certificates for known servers and printers are stored by CUPS in the corresponding ssl directory so they can be validated for subsequent connections.
CUPS also supports certificates created and managed by the popular Let's Encrypt certificate service, which are stored in the /etc/letsencrypt/live directory.