Cloud Print certificate testing

3. Test if your cloud-ready printers work with Cloud Print

The certificates that your printer uses to communicate with Cloud Print may expire in August of 2018. In the coming months, Cloud Print servers will migrate to using new certificates. We have given advance notice about this change, and it’s imperative that you update the firmware for your cloud-ready printers before this change, or else your printers may stop working with Cloud Print.

This article explains how to test whether your cloud-ready printer works with these new certificates. These instructions are best effort and may vary depending on your printer.

Testing Schedule

We have created a small number of test servers that serve the new certificate so that you can test whether your printers work with it. Because of the nature of the testing servers, they will only be up for certain specified periods in which you can run tests. The following are the dates and times that you can carry out testing (note that this list will be regularly updated to reflect changes and updates):

  • 20 Nov 2017 to 25 Jan 2018
  • 4 Feb 2018 to 31 Mar 2018

Testing Guidelines

During the time that these test servers are configured with GlobalSign R2-rooted certificates, it’s possible to override DNS resolution in order to test potentially affected equipment.

Note that, by overriding these DNS resolutions, you will be dependent on a single cluster until you undo the override. This choice will reduce availability of services, as single clusters can fail unexpectedly.

‘A’ records for all of the following names should be replaced with 74.125.206.91.

  • google.com
  • www.google.com
  • accounts.google.com

‘A’ records for all of the following names should be replaced with 74.125.206.125.

  • xmpp.google.com
  • talk.google.com
  • xmpp.l.google.com
  • alt1.xmpp.l.google.com
  • alt2.xmpp.l.google.com
  • alt3.xmpp.l.google.com
  • alt4.xmpp.l.google.com

CNAME records for these names potentially have a multi-hour TTL, so devices under test should be power cycled once the DNS overrides are in place to flush caches.

You can test which set of certificates is currently being served in that cluster by running (on macOS or a UNIX-like system such as Linux):

openssl s_client -connect 74.125.206.91:443 </dev/null 2>>/dev/null | grep issuer

This command will show a single result line such as:

issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2

In that line, the string “Google Internet Authority” will be followed by either “G2” or “G3”. G2 (as shown above) indicates an Equifax-rooted chain (the old certificates), while G3 indicates a GlobalSign R2-rooted chain (the new certificates).

After running tests

Important: After you complete your tests, reinstate your prior DNS configuration. This step is important because you do not want traffic from your organization for google.com search and related services to be routed over this test server after the Cloud Print certificate testing is completed.
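
The issuer check and the post-test DNS cleanup described above can be scripted. The following is an added example, not part of the original article; the function names are hypothetical, and the only addresses it knows are the two test-cluster addresses listed above.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# Test-cluster addresses listed in the article.
TEST_IPS="74.125.206.91 74.125.206.125"

# Read `openssl s_client` output on stdin and print G2, G3, unknown or
# no-issuer. Substring matching covers both issuer layouts:
#   issuer=/C=US/O=Google Inc/CN=...          (as shown in the article)
#   issuer=C = US, O = Google Inc, CN = ...   (newer OpenSSL releases)
classify_issuer() {
    line=$(sed -n '/issuer=/{p;q;}')
    case "$line" in
        '') echo "no-issuer" ;;   # handshake failed or nothing was served
        *"Google Internet Authority G3"*) echo "G3" ;;  # GlobalSign R2-rooted (new)
        *"Google Internet Authority G2"*) echo "G2" ;;  # Equifax-rooted (old)
        *) echo "unknown" ;;      # some other issuer: inspect manually
    esac
}

# Query a live cluster (needs network access and the openssl CLI).
check_cluster() {
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null | classify_issuer
}

# Read "name address" pairs on stdin (for example, collected from your
# resolver after testing) and print every name that still resolves to a
# test-cluster address. Returns 1 if any override is still in place.
leftover_overrides() {
    found=0
    while read -r name addr; do
        for ip in $TEST_IPS; do
            if [ "$addr" = "$ip" ]; then
                echo "$name"
                found=1
            fi
        done
    done
    return "$found"
}
```

Run `check_cluster 74.125.206.91` during a test window to see which chain is served, and feed your post-test lookups to `leftover_overrides` to confirm that no name still points at a test cluster.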

 


This article was last updated on December 11, 2017
