Skip to main content

Ricoh PCC5.1 Unified Client : How to renew the Device Control Engine (DCE) certificate without having to re-configure the device

How to resolve the issue of DCE certificates expiring without having to reconfigure Ricoh PCC5 equipped devices
Article # 3030708 - Page views: 1259

How to resolve the issue of DCE certificates expiring without having to reconfigure Ricoh PCC5 equipped devices


How to renew the DCE certificate without having to re-configure the MFD?

When the DCE certificate is renewed PCC5.1 stays in Offline Mode until uninstall/full installl actions

Because of the DCE pinning, PCC5 will download the DCE certificate (public key) the first time it connects. Whenever the certificate on the DCE changes (because, for example, it is expired and renewed), the new key and cached key do not matchup and PCC 5.1 will go in an offline state. Unfortunately, when this happens all devices using PCC 5.1 connected to the DCE go offline.

Affected Models: PCC 5.1 (Kofax Unified Client UC v1.30.213.or higher).Solution:


The pre-requisite for this is that the existing certificate must not have expired as a new one will be created if DCE is restarted in this case. 

To get around this problem follow the steps to replace the expired certificate with a new one containing the same public key, this stops the device from requiring the workarounds to continue to work.

  1. Copy the openssl.cnf file to the Program Files\Equitrac\Office(Express)\Tools folder
  2. In the tools folder Open EQSSLCertificateManager.exe (using service account credentials) and export the existing certificate.


You will be asked for an export password and where to save the pfx certificate.


  1. Run a command prompt as an administrator and execute the following commands (5 lines):
  • pushd “c:\Program Files\Equitrac\<Office/Express>\Tools”
  • set openssl_conf=c:\Program Files\Equitrac\<Office/Express>\tools\openssl.cnf
  • openssl pkcs12 -in "<path and filename of the downloaded pfx file>" -nocerts -nodes -out "%TEMP%\new-certificate.key"
  • openssl req -new -key "%TEMP%\new-certificate.key" -x509 -days 3650 -out "%TEMP%\new-certificate.crt" -subj "/CN=<FQDN of the DCE>"
  • openssl pkcs12 -export -out "<path and filename of the new pfx file>" -inkey "%TEMP%\new-certificate.key" -in "%TEMP%\new-certificate.crt"


Replace <Office/Express> with the actual product installed

Replace <FQDN of the DCE> with the Fully Qualified domain name of the DCE server. The FQDN of the DCE must match the existing certificate, including case. For example, if the server name is and you enter wat-un-001.domain com the import will not work correctly.

For a longer or shorter expiration date change the number of days from 3650 (ten years) to another value.
The / in front of the CN= is no typo and needs to be there!
When the file defined in the openssl_conf variable is not found, creating the new certificate will fail.
In both the extraction of the private key and creation of the new certificate a password is asked. Please insert the password entered during extraction of the certificates.

  1. Import the new certificate using EQSSLCertificateManager.exe


The old certificate is replaced by a new one having an expiration time of 10 years (and the same public key).


  1. Restart DCE and test connectivity

Applies to:  


Product Version
Ricoh PCC 5.1
Unified Client for Ricoh 1.1