Uploading Private SSL Certificates

Solved

cdaniels_apc
This was originally posted on APC forums on 7/6/2020

For years now, many individuals have been asking to upload their private Secure Sockets Layer (SSL) Certificates to their Network Management Cards (NMC):

Some of these forums are older than a decade of individuals asking how to upload their private SSL certificates. After around a month of talking to support staff and researching the topic, there does not seem to be any resolution to this issue. In my last support case, Jeff Bill said that he would pass my case to the (presumably software) engineers for review. I am creating this thread to show that this change will benefit not only myself but also others that use the Schneider Electric array of products. Please reply with why you would be in support of this change.

My Why:
Uploading a private SSL certificate to our NMCs will allow for a more cohesive Information Technology (IT) environment. The change will eliminate the annoying security warning that appears when attempting to log into the NMCs and strengthen the security posture within a given IT environment. Because of the versatility of modern SSL certificates (e.g. a wildcard certificate that covers numerous sub-domains), there is no reason that the NMC should be locked down in this modern era.

My question is, when should we expect to see this change be implemented?


Accepted Solutions

ScottBUK_apc
This was originally posted on APC forums on 8/5/2020

Hi Gavan,

That (older) version of NMCSecurityWizardCLI works. You might want to make that more easily accessible!

A note regarding the configuration of the certificates that someone else will hopefully find useful one day - I set keyUsage to keyEncipherment and digitalSignature. Enabling keyAgreement and/or nonRepudiation caused the PDU to get stuck 'Loading certificate...'

Also make sure you have a subjectKeyIdentifier.

Regards,

Scott

tonyc_apc
This was originally posted on APC forums on 3/1/2021

Hi Gavan,

I am having the same issue. I have used the NMC utility to generate a CSR and p15 key, then signed the cert with our CA, then used the NMC utility to import the cert and p15 key file and create a p15 cert file. When I run this I get the following error:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

Can you tell me what is going wrong here?

Thank you for any help,

Tony

100 Replies

BillP
This reply was originally posted by Gavan on APC forums on 7/8/2020

Hi Cody,

There is a feature request to change the way SSL certificates are handled by the NMC but no clear time frame on its implementation. In the mean time I'd be happy to help you with your issue.

Do you already have a support ticket open, if so can you provide me the case number?

-Gavan

cdaniels_apc
This was originally posted on APC forums on 7/8/2020

My current issue is that I would like to use an already signed wildcard certificate for our NMC's. What is the next step to proceed? I already tried using the Security Wizard CLI to no avail.

BillP
This reply was originally posted by Gavan on APC forums on 7/9/2020

Hi Cody,

Sorry, at present this is not possible: neither pre-signed certificates nor wildcard certificates are supported; you can only use certs that have been created by the security wizard.

The process is you create a CSR and private key with the security wizard, sign the CSR with your internal or corporate CA and finally combine the signed request with the private key using the security wizard.

If you require any help with this process, please let me know.

-Gavan 

cdaniels_apc
This was originally posted on APC forums on 7/9/2020

Is there a way us consumers can see the progress on when that feature will be implemented? Its been a topic of conversation for some time as indicated by some of the posts.

BillP
This reply was originally posted by Gavan on APC forums on 7/10/2020

Unfortunately not; even with the request submitted there is no guarantee that it will be accepted, and no time-frames are provided. Also, this would not be a very high-priority request, and it would require a huge rework of the SSL system.

  

cdaniels_apc
This was originally posted on APC forums on 7/13/2020

How long has the request been submitted for? Are there any Service-Level Agreements (SLA) established for support requests and if so, what are those?

cdaniels_apc
This was originally posted on APC forums on 7/16/2020

Hey Gavan,

Just wondering if you have any update on the SLA requirements on the software development team?

BillP
This reply was originally posted by Gavan on APC forums on 7/17/2020

Hi Cody,

There is no SLA; this is an enhancement request, not a support request, and not a high-priority one as there is currently a way to add certificates to an NMC2.

As I've said previously if you'd like to learn how to use our current tools I'd be happy to help.

-Gavan 

cdaniels_apc
This was originally posted on APC forums on 7/17/2020

Thank you for the offer Gavan, but I have already used the Security Wizard CLI to create a self-signed certificate for our devices. My main goal is to get rid of the annoying security warning when attempting to connect to Network Management Cards (NMC), which could be done with the certificates we purchased.

cdaniels_apc
This was originally posted on APC forums on 7/23/2020

Gavan,

Does the Network Management Card 3 (NMC 3) have the ability to upload private SSL certificates?

BillP
This reply was originally posted by Gavan on APC forums on 7/24/2020

The NMC3 uses the same process as the NMC1 and NMC2.

Have you considered deploying an internal CA, here's a great guide on how to do it with Windows Server: https://www.starwindsoftware.com/blog/using-the-microsoft-certificate-authority-to-get-rid-of-those-...

There are similar guides for doing it with Linux and OpenSSL.

-Gavan

ScottBUK_apc
This was originally posted on APC forums on 7/31/2020

I'm also having a problem uploading SSL certificates to my Rack PDUs. It's an essential requirement for me; we aren't permitted to have self-signed certificates in our infrastructure. We also don't really want to use a wildcard certificate or public CA.

I've tried two different ways:

  • Generate CSR using NMCSecurityWizardCLI.exe, sign using our internal OpenSSL CA and then reimport using NMCSecurityWizardCLI.exe. This gives me a bad argument error and fails.
  • Generate CSR using Security Wizard v1.04, sign using our OpenSSL CA and then reimport using Security Wizard again. This gives me an error -32. I've seen mention of it when people have this when not using the Web Server template from Windows Certificate Services, but not with OpenSSL.

I haven't even managed to get to the point where I can upload the certificate to the PDU. I've got a case open with APC about NMCSecurityWizard, but there doesn't seem to be any way to check the progress.

Looking at how poorly certificates have been handled for a long time now and the lack of progress, perhaps it may be worth considering another vendor's solution instead.

cdaniels_apc
This was originally posted on APC forums on 7/31/2020

Hey Scott ,

It does seem certificate management has been and is being handled poorly. We've been looking into solutions from CyberPower and their Remote Management Card. According to their Security Guide, you can upload your own certificate in the PEM format. I feel that APC should allow us to convert our existing certificates into the format that is accepted by their UPS. Come upgrade time and this capability is not met, we'll most likely end our support contract and buy from CyberPower.

BillP
This reply was originally posted by Gavan on APC forums on 8/4/2020

Hi Scott, 

Can you tell me what your case number is and I can check its progress?

Can you also try using the following version of Security Wizard:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

BillP
This reply was originally posted by Gavan on APC forums on 8/4/2020

Hi Cody,

Please don't post unless you're going to try and be helpful; Scott's issue is not the same as yours and can easily be resolved.

-Gavan

cdaniels_apc
This was originally posted on APC forums on 8/4/2020

Hey Gavan ,

I feel my insights and knowledge are helpful in his or her situation. I provided links and research on products that would work within the environment, as described. A simple key conversion tool or just the ability to supply our keys in the standard format would subside many of the issues I linked and that are within the forum posts.

If my issue is easily solvable, would you be able to tell me how to upload a wildcard certificate to the NMC? When I attempt to upload the certificate, I get an error -32.

BillP
This reply was originally posted by David on APC forums on 8/10/2020

I've spent days trying to figure out how to get an SSL certificate to load in our NMCs.  Scott's post above helped to put me on a path of enlightenment.

I used the NMC's self-signed certificate as a "MODEL" certificate of what it seemed to be accepting. That's when I noticed the differences that I needed to correct, mainly the extended key usage definition and the non-standard "critical" setting on the extended Key Usage and basicConstraints extensions. But the biggest realization is that your CN and alt_names (SAN) have a huge impact on whether the certificate will be accepted or rejected. I'd imagine this is what most people are having problems with. Since there is absolutely NO error feedback, it's virtually impossible to figure anything out without a LOT of trial and error. Your programmers need to learn how to 1) provide an error message, 2) provide a useful error message when one is given.

I surely hope the information below will help others that are having NMC certificate problems.

Applies to:
0M-9631SY (AP9631): APC AOS v6.8.8
AP8959NA3: APC AOS v6.8.2

NMCSecurityWizardCLIUtility_v100.zip: 585,444 bytes
NMCSecurityWizardCLI.exe: 91,136 bytes
cl32.dll: 1,181,184 bytes

Example of a working Process:

0. Renamed NMCSecurityWizardCLI.exe to NMC.exe
1. Create CSR using NMC.exe:

C:\NMCcli>NMC --csr -o symmetra -n symmetra -c US -m Illinois -l Maywood -g "Company Name Inc" -u "Information Technology" -e it@companyname.com -a 192.168.10.2 -i http://www.companyname.com -d symmetra.companyname.com -k 1024

2. Renamed symmetra.p15 to symmetrak.p15
3. Transferred symmetra.csr to internal company CA host
4. We use openssl. Using the NMC's self-sign certificate as a "Model"
certificate for what the NMC seems to accept, we modified openssl.cnf
(in the "[ usr_cert ]" section) so that:

a. All Netscape options/extensions were disabled
b. ONLY X.509 extensions were allowed, in this exact order:

1. Subject Key Identifier - Entry in openssl.cnf: subjectKeyIdentifier=hash
2. Key Usage - Entry in openssl.cnf: keyUsage=critical,digitalSignature,keyEncipherment
3. Basic Constraints - Entry in openssl.cnf: basicConstraints=critical,CA:FALSE
4. Subject Alternative Name - Entry in openssl.cnf: subjectAltName=@alt_names

[ alt_names ]
DNS.1 = symmetra.companyname.com
DNS.2 = 192.168.10.2

5. Copy "symmetra.csr" to "/etc/pki/tls/misc/newreq.pem"
6. Signed the certificate request:

[/etc/pki/tls/misc]# ./CA.pl -sign

7. openssl creates a signed certificate and puts it in newcert.pem
8. Copy newcert.pem to symmetra.crt
9. Copy newcert.pem to ssymmetra.crt (short symmetra.crt)
10. Edit ssymmetra.crt to REMOVE the human-readable certificate information
BEFORE the "-----BEGIN CERTIFICATE-----" line. The NMCSecurityWizardCLI.exe
pukes when trying to create the .p15 file for upload and there is more
than just the base64 certificate information present in the certificate file.
11. Transfer ssymmetra.crt to the Windows machine where NMC.exe exists and where the .p15
private key was created along with the CSR.

12. Create the certificate file for upload to the NMC:

C:\NMCcli>NMC --import -o symCERT -s ssymmetra.crt -p symmetrak

If successful, you'll get something like:

NMC Security Wizard Command Line Utility v1.0.0
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------
Certificate's Issuer Information:
Common Name: Company Name Root CA
Country: US
State/Province: IL
Locality: Maywood
Organization: Company Name, Inc
Organizational Unit: www.companyname.com

Certificate's Subject Information:
Common Name: symmetra
Country: US
State/Province: Illinois
Locality: Maywood
Organization: Company Name Inc
Organizational Unit: Information Technology
Valid From: 08/05/2020 (GMT)
Valid To: 08/03/2030 (GMT)

Certificate's General Information:
Serial Number: 00:CB:45:34:3D:6E:DD:E8:F4
SHA1 Thumbprint: 21:69:81:CE:BB:58:53:C3:A8:EE:1A:8F:14:25:BD:E0:24:A7:5A:93

[*] Importing certificate 'symCERT' has successfully completed.

13. Connect to the NMC Web Interface, and login. Navigate to:

Configuration > Network > Web > SSL Certificate

Click the "Choose File" button. Navigate to the Windows
file where your "symCERT.p15" was created, and "Open" it.

14. The filename will be displayed next to the "Choose File" button.
Click "Apply" to load certificate into the NMC.

15. If all goes well, it will only take about 10 seconds for the
certificate to load. There is absolutely no good feed back in
the browser as to what happens. From extensive testing, I
found that 10 seconds usually meant it worked, and 60 seconds
meant that it failed.

If successful, the NMC will immediately start to use it. You should log out and then log in to the NMC to fully utilize the new certificate.

If unsuccessful, the NMC will take about 60 seconds to regenerate a brand new self-signed cert and install it, and give control back to the
user. You'll see this if you inspect the certificate after trying to connect to the NMC after 60 seconds. The cert will only be 2-3 minutes
old.

If successful, these will work:
https://symmetra.companyname.com
or https://192.168.10.2/

This will not work, you get a browser security warning:
https://symmetra

Plus you cannot add "symmetra" to the alt_names to get it to work.

This table took quite some time to create, but will help to explain what APC support hasn't been able to figure out. When I create certificates, I
like to be able to use something like:

https://pdu.companyname.com
or https://192.168.10.2
or https://pdu/

In order to do that, you specify all three as alt_names. But if you use "pdu" as one of the entries for an alt_name, that causes the NMC
to REJECT the SSL certificate for some unknown reason. 

The APC NMC will also almost always reject the SSL Certificate if you use a FQDN for the CN. There is only one exception to that, and then that is NOT to use ANY alt-names.

This table outlines what works, and more importantly what does NOT work.

Result  Test    CN            AltName[1]    AltName[2]    AltName[3]
====================================================================
fails   PDU1:   pdu           pdu.dom.com   pdu           bluepdu.dom.com (2 more)
fails   PDU2:   pdu           pdu.dom.com   pdu           bluepdu.dom.com (2 more)
fails   PDU3:   pdu           pdu.dom.com   pdu           192.168.10.3
loads   PDU4:   pdu
loads   PDU5:   pdu.dom.com
loads   PDU6:   pdu           pdu.dom.com
loads   PDU6b:  pdu           pdu.dom.com   192.168.10.3
fails   PDU6c:  pdu           pdu.dom.com   192.168.10.3  pdu
fails   PDU7:   pdu.dom.com   pdu.dom.com   pdu           192.168.10.3
fails   PDU7b:  pdu.dom.com   pdu.dom.com   pdu
FAILS   PDU7c:  pdu.dom.com   pdu
fails   PDU8:   5A1833E07049  pdu.dom.com   pdu

fails: NMC card fails to load certificate, and generates a new self-signed cert.
loads: NMC card loads certificate, and immediately starts to use it in
about 10-15 seconds

Hopefully, APC will make this a less painful process. I wonder how many man-hours have been wasted trying to get a working certificate on an APC device.

ScottBUK_apc
This was originally posted on APC forums on 8/10/2020

Interesting; I was able to get my NMC to accept a certificate that had the non-FQDN name as a SAN.

I created a script that automates it for me, happy to share the steps I used later on when I'm back at my PC.

ScottBUK_apc
This was originally posted on APC forums on 8/12/2020

So today I rolled out certificates to all my Rack PDUs (NMC2 AP9538 v6.8.2) and all worked fine with CN as FQDN mypdu.mydomain and SAN with FQDN mypdu.mydomain and hostname mypdu.

I also needed to put a certificate on a SmartUPS (NMC2 AP9631 v6.8.8) as well, and that didn't work. It accepted the certificate as valid (and if you connect via HTTP the SSL cert menu shows the certificate as valid, with its details) but HTTPS is now broken and I'm no longer able to connect.

No difference in the process for generating them at all.

I'll try tomorrow leaving off the SAN completely, but this already means that different processes/certificates work for different devices which is terrible!

ScottBUK_apc
This was originally posted on APC forums on 8/12/2020

If it helps anyone, here's what I did for my Rack PDUs using the version of NMCSecurityWizardCLI above (v1.0.0):

Create config file: mypdu.cfg containing:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:mypdu.mydomain, DNS:mypdu

Then run the following commands:

 

NMCSecurityWizardCLI --csr -o mypdu-csr -n mypdu.mydomain -c GB -m England -l County -g Org -u Dept -e contact@mydomain

openssl x509 -req -in mypdu-csr.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out mypdu-cert.crt -extfile mypdu.cfg -days 3650

NMCSecurityWizardCLI --import -o mypdu-apc -s mypdu-cert.crt -p mypdu-csr

 

This gives you a mypdu-apc.p15 file that works with the Rack PDUs.

cdaniels_apc
This was originally posted on APC forums on 8/13/2020

Hey  Gavan ,

Still wondering if you can resolve my issue. How am I able to upload a pre-signed wildcard certificate to my NMC?

I look forward to your response.

BillP
This reply was originally posted by Gavan on APC forums on 8/14/2020

Hi Cody,

As I've already stated, pre-signed certificates are not supported, nor are wildcard certificates. This is not going to change in the near to medium term.

-Gavan

cdaniels_apc
This was originally posted on APC forums on 8/14/2020

Yes, you did state that before, but now I'm confused. You said my problem could be easily resolved, what are you referring to?

BillP
This reply was originally posted by Gavan on APC forums on 8/14/2020

If you read back on the posts I had asked you to not comment on other people's issues that were different to yours as their issues could be easily resolved. As you can see Scott's issue was easily resolved. 

I also commented that you could resolve your problem by deploying an internal PKI or CA.

ScottBUK_apc
This was originally posted on APC forums on 8/18/2020

I'm still having absolutely no success with certificates for an NMC2 in a SmartUPS 1500.

I've tried differing combinations of SAN, CN with FQDN/shortname etc without joy.

The PDU accepts the certificate and reports it as valid, however HTTPS connections are immediately reset by the PDU. It's the last device to get working, any help would be appreciated.

BillP
This reply was originally posted by Gavan on APC forums on 8/18/2020

Can you post the command that you're using to create the cert for the Smart-UPS and also the version of firmware it's on, and I can try it here and help narrow down the cause of the issue?

-Gavan

ScottBUK_apc
This was originally posted on APC forums on 8/18/2020

Create pdu-0.cfg containing:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net, DNS:pdu-0

Then running the commands:

NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -c GB -m England -l mytown -g myorg -u myorg -e support@mydomain.com

openssl x509 -req -in pdu-0-csr.csr -CA e:\ca.crt -CAkey e:\ca.key -CAcreateserial -out pdu-0-temp.crt -extfile pdu-0.cfg -days 3650

NMCSecurityWizardCLI --import -o pdu-0 -s pdu-0-temp.crt -p pdu-0-csr

As said, I've tried various combinations involving SAN/no-SAN, FQDN, shortname, IP etc. The PDU accepts the certificate and reports "Valid Certificate" in the GUI, but HTTPS issues a reset as soon as the browser sends a TLS Client Hello.

Hardware Factory
Model Number: AP9631
Hardware Revision: 08
Manufacture Date: 07/08/2019
Application Module
Name: sumx
Version: v6.8.8
Date: May 4 2020
Time: 12:17:01
APC OS (AOS)
Name: aos
Version: v6.8.8
Date: Apr 28 2020
Time: 17:21:52
APC Boot Monitor
Name: bootmon
Version: v1.0.9
Date: Mar 27 2019
Time: 16:23:06
Regards,

Scott

BillP
This reply was originally posted by Gavan on APC forums on 8/18/2020

Hi Scott,

You mention PDU a few times but the application data says SUMX, so I take it the PDU is a mistake and that you're actually talking about a Smart-UPS?

Either way I tested this with using the same card and the same firmware details that you have given, try the following:

pdu-0.cfg:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net

Commands:

NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -d pdu-0.mydomain.net -c GB -m England -l mytown -g myorg -u myorg

openssl x509 -req -in pdu-0-csr.csr -CA e:\ca.crt -CAkey e:\ca.key -CAcreateserial -out pdu-0-temp.crt -extfile pdu-0.cfg -days 3650

NMCSecurityWizardCLI --import -o pdu-0 -s pdu-0-temp.crt -p pdu-0-csr

*** Ensure "subjectAltName = DNS:xx.xxxx.xx" matches "-d xx.xxxx.xx"

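Editor's added example (not from any poster in this thread and not APC's tooling): the OpenSSL half of the CSR -> CA -> --import flow that David (8/10), Scott (8/12) and Gavan (8/18) describe above, plus a pre-flight check that applies the constraints they found by trial and error: a subjectKeyIdentifier must be present, keyUsage limited to digitalSignature and keyEncipherment (keyAgreement and nonRepudiation leave the card stuck at "Loading certificate..."), basicConstraints CA:FALSE, the subjectAltName must carry the DNS name that was given to --csr -d, and no bare hostname in the SAN (David's table). It also strips the text dump that CA.pl -sign puts in front of the PEM block, which the wizard's --import will not accept. Assumptions: a throwaway lab CA and a stand-in CSR and key generated with openssl (rsa:2048), because NMCSecurityWizardCLI is Windows-only and is what really produces the CSR and the .p15 private key; the names pdu-0.mydomain.net, pdu-0-csr, nmc_strip_preamble and nmc_check_cert are illustrative. Needs bash and openssl.

```bash
#!/usr/bin/env bash
# Added example, not APC's tooling: the OpenSSL half of the CSR -> CA -> --import
# flow from this thread, plus a pre-flight check of the signed certificate.
# Assumptions (constructed for the example): a throwaway lab CA, and a stand-in
# CSR/key made with openssl because NMCSecurityWizardCLI (Windows-only) is what
# really produces the CSR and the .p15 private key. Needs bash and openssl.
set -eu
work=$(mktemp -d)
cd "$work"

# Throwaway CA standing in for the internal/corporate CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1

# Stand-in for: NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -d pdu-0.mydomain.net ...
openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=GB/ST=England/L=mytown/O=myorg/OU=myorg/CN=pdu-0.mydomain.net" \
        -keyout pdu-0.key -out pdu-0-csr.csr >/dev/null 2>&1

# Extension file exactly as posted in the thread. "x509 -req -extfile" ignores
# whatever extensions the CSR carried, so the certificate gets only these.
cat > pdu-0.cfg <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net
EOF
openssl x509 -req -in pdu-0-csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out pdu-0-signed.crt -extfile pdu-0.cfg -days 3650 2>/dev/null

# nmc_strip_preamble IN OUT: keep only the PEM block. "CA.pl -sign" prepends a
# human-readable dump of the certificate, which the wizard's --import rejects.
nmc_strip_preamble() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
    grep -q '^-----BEGIN CERTIFICATE-----$' "$2"
}

# nmc_check_cert CERT DNSNAME: apply the constraints the thread found by trial
# and error. Returns 0 if the certificate looks loadable, 1 with a reason otherwise.
nmc_check_cert() {
    cert=$1; want=$2
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Key Identifier' \
        || { echo "$cert: missing subjectKeyIdentifier" >&2; return 1; }
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:FALSE' \
        || { echo "$cert: basicConstraints must be CA:FALSE" >&2; return 1; }
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    case "$ku" in
        *"Key Agreement"*|*"Non Repudiation"*)
            echo "$cert: keyAgreement/nonRepudiation hang the card at 'Loading certificate...'" >&2
            return 1 ;;
    esac
    case "$ku" in
        *"Digital Signature"*"Key Encipherment"*) ;;
        *) echo "$cert: keyUsage must be digitalSignature and keyEncipherment" >&2; return 1 ;;
    esac
    san=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"DNS:$want"*) ;;
        *) echo "$cert: subjectAltName lacks DNS:$want (must match the --csr -d value)" >&2; return 1 ;;
    esac
    for entry in $(printf '%s' "$san" | tr ',' ' '); do
        case "$entry" in
            DNS:*.*) ;;
            DNS:*) echo "$cert: bare hostname $entry in SAN (rejected by the AP9631 in the thread)" >&2; return 1 ;;
        esac
    done
    return 0
}

# Simulate CA.pl output (text dump before the PEM) and clean it up for --import.
{ openssl x509 -in pdu-0-signed.crt -noout -text; cat pdu-0-signed.crt; } > pdu-0-capl.crt
nmc_strip_preamble pdu-0-capl.crt pdu-0-clean.crt

# A deliberately wrong certificate: keyAgreement set and a bare hostname in the SAN.
sed -e 's/^keyUsage = .*/keyUsage = keyEncipherment, digitalSignature, keyAgreement/' \
    -e 's/^subjectAltName = .*/subjectAltName = DNS:pdu-0.mydomain.net, DNS:pdu-0/' \
    pdu-0.cfg > bad.cfg
openssl x509 -req -in pdu-0-csr.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out pdu-0-bad.crt -extfile bad.cfg -days 3650 2>/dev/null

for f in pdu-0-clean.crt pdu-0-bad.crt; do
    if nmc_check_cert "$f" pdu-0.mydomain.net; then
        echo "$f: ready for NMCSecurityWizardCLI --import -o pdu-0 -s $f -p pdu-0-csr"
    else
        echo "$f: fix before uploading; the card would reject it silently"
    fi
done
```

Run the check on every signed certificate before creating the .p15, because the card gives no error when it rejects one (it just regenerates a self-signed certificate after about 60 seconds). The --import step itself still has to be done on the Windows box with the wizard and the .p15 key it generated alongside the CSR.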
ScottBUK_apc
This was originally posted on APC forums on 8/18/2020

I've followed those steps exactly; the certificate is created and imported, but still causes HTTPS to die.

ScottBUK_apc
This was originally posted on APC forums on 8/18/2020

Given this only applies to one UPS (all our others are Rack PDUs which I have working) and the amount of time being spent on this (our CA is in a secure room under dual control, so is a manual task) I've decided to just disable HTTPS for now (HTTP is already disabled) and manage it via SSH, enabling HTTPS only for the times it's required.

There's no error messages (in fact even when HTTPS is broken, the UPS GUI reports the certificate is valid) and no logging.

APC really need to consider getting their act together with regards to certificate handling. It's terrible; no other device I've come across is this much of a pain. It's really not what you would consider an enterprise class device in that regard.

BillP
This reply was originally posted by Gavan on APC forums on 8/19/2020

Hi Scott,

I've sent an email to you directly (provided the email given at sign-up is correct); I can help you do some more troubleshooting that you might not want to put on a public forum.

-Gavan

ScottBUK_apc
This was originally posted on APC forums on 8/19/2020

Hi,

Thanks for the offer - I've actually managed to resolve this myself this morning. Seems NTP traffic was being blocked and the UPS date/time had got a couple of days behind.

Fixed NTP and all is well now!

Regards,

Scott

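Editor's added example (not from any poster): the symptom Scott hit on the AP9631, a certificate the GUI reports as valid while HTTPS resets on every Client Hello, went away once NTP was fixed, which is consistent with the card's clock sitting before the new certificate's notBefore, so the certificate was not yet valid from the card's point of view. openssl verify -attime evaluates the certificate at whatever time the card believes it is (read it from the NMC's date/time page) before you upload. The throwaway CA, the key and the name ups-0.mydomain.net are constructed here, and nmc_cert_valid_at is an illustrative name; needs bash and openssl.

```bash
#!/usr/bin/env bash
# Added example, not APC's tooling: evaluate a freshly signed certificate at the
# time the card believes it is, to catch the not-yet-valid condition that a
# clock running behind NTP produces. Throwaway CA, key and the name
# ups-0.mydomain.net are constructed here; in practice the epoch passed to
# nmc_cert_valid_at is the time shown on the NMC's date/time page. Needs openssl.
set -eu
work=$(mktemp -d)
cd "$work"
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab Root CA" \
        -keyout ca.key -out ca.crt >/dev/null 2>&1
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ups-0.mydomain.net" \
        -keyout ups-0.key -out ups-0.csr >/dev/null 2>&1
# x509 -req stamps notBefore with the signing time, i.e. the CA host's clock.
openssl x509 -req -in ups-0.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out ups-0.crt -days 3650 2>/dev/null

# nmc_cert_valid_at CA CERT EPOCH: succeeds if CERT chains to CA and is inside
# its validity period when the clock reads EPOCH (seconds since 1970).
nmc_cert_valid_at() {
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

now=$(date +%s)
behind=$((now - 2 * 24 * 3600))    # a clock a couple of days behind, as in the thread
openssl x509 -in ups-0.crt -noout -startdate
if nmc_cert_valid_at ca.crt ups-0.crt "$now"; then
    echo "clock in sync: certificate usable"
fi
if ! nmc_cert_valid_at ca.crt ups-0.crt "$behind"; then
    echo "clock 2 days behind: certificate not yet valid; expect TLS resets until NTP is fixed"
fi
```

If the second branch fires for the time the card shows, fix NTP (or set the clock) before uploading rather than re-signing; the certificate itself is fine.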
eirePunk_apc
This was originally posted on APC forums on 8/25/2020

I have an AP9631 and have been struggling with the SSL CLI utility. I have read in a few places that the "APC Security Wizard" is required but I cannot find the download for it.

I am able to generate the CSR then I go to my MS AD CA and request the cert no problem. When I go back to the CLI to run the import command, I get the following:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

The log says the cert was created. Then I go to the web interface for the NMC and upload the p15 file,  I always get "no file chosen." I tried downloading the CA file several different ways but to no avail. I feel like I am missing something silly. 

Sorry to chain off the thread. This was the most up to date thread I could find. 

Any advice or guidance would be appreciated.

Cheers!

ScottBUK_apc
This was originally posted on APC forums on 8/25/2020

Try using this version (1.0):

https://schneider-electric.box.com/s/sxlkk4nljylwnyjzno3trr1ilvz46e1r

I believe the newer v1.1 has some issues with the formatting of the files, so using v1.0 makes it easier - especially if you're scripting it.

BillP
This reply was originally posted by Gavan on APC forums on 8/25/2020

Hi Timothy,

Can you try this guide:

https://schneider-electric.box.com/shared/static/np70ytdetyghut1hc1kpu7fw2mwi3yof.pdf

With this version of the software:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

eirePunk_apc
This was originally posted on APC forums on 8/27/2020

WoW! That worked. Many thanks fellas!

I was looking at Chrome and the cert looks valid from that standpoint. When I look at the Dev Tools > Security tab, I see the following:

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-384, and AES_128_CBC with HMAC-SHA1.
  • AES_128_CBC is obsolete. Enable an AES-GCM-based cipher suite.

Sorry for the silly question, is that something that is controlled by the MS AD CA or CSR?

Cheers!

BillP
This reply was originally posted by Gavan on APC forums on 8/27/2020

Good to hear that worked for you!

To answer your question, no, that's not something in your control; the NMC2 hardware is starting to show its age and can no longer keep up with the most modern ciphers. This is in fact the main reason why the NMC3 has been released.

The NMC2 is still supported and will get updates (for the next year or two, I'm not exactly sure) but it's running close to its max; the NMC3 on the other hand comes with a lot more processing power and will be able to keep up with changes in encryption standards for many years.

-Gavan 

eirePunk_apc
This was originally posted on APC forums on 8/28/2020

That makes sense. I understand the equipment is getting older. This is me tinkering in my lab trying to learn more and more. Thank you!

That being said... 🙂 If you can't help, I totally understand...

I have an AP7830 and wanted to put certs on that. I am positive those encryption variants are old, weak, and deprecated. I figure better something than nothing. Do you have any guides or tricks up your sleeve for those? I tried the version of the CLI utility to no avail. Is the Security Wizard app required for the PDUs? I am running the 3.9.2 firmware. I believe that was the newest/latest version?

Thanks a thousand!

noahajac_apc
This was originally posted on APC forums on 8/30/2020

This thread is getting hijacked/derailed. If someone has a completely different issue, then why is it being posted about here?

I agree with Cody. It is frankly unacceptable that in this day and age APC doesn't have a method for paying customers to be able to use standard SSL certificates/keys that are accepted pretty much everywhere else. I have never heard of this p15 format until I got this UPS and, judging by the extreme lack of tools and documentation on the web, I'd be willing to bet most others haven't heard of it either.

It is extremely frustrating that there have been no real solutions given on any of the forum posts made here about this problem. There is no excuse for APC to at least not create some form of conversion tool.

I apologize if I'm coming off strong however I've been dealing with this for hours at this point and the only thread I found with any hope left has been derailed with a completely different issue.

BillP
This reply was originally posted by Gavan on APC forums on 8/31/2020

Hi Noah,

With the exception of Cody everyone else who has posted here has been given a solution to their problem and there are literally four links to a step by step guide with every step "screenshotted".

If you just post what your issue is then I'll be happy to help you.

-Gavan  

noahajac_apc
Crewman
0 Likes
0
1986

Re: Uploading Private SSL Certificates

This was originally posted on APC forums on 8/31/2020


So on my network there is a central server running certbot that issues and pushes Let's Encrypt signed HTTPS certs to local devices. What I need to do is to be able to have certbot issue and automatically apply a cert for my NMC.

What I have tried:

  • Using 3rd party tools such as this one to convert the PEM files from certbot into p15 files for the NMC. This fails with an error while attempting the conversion.
  • Running the APC CLI tool in Wine and passing the csr to certbot using the "certonly" command. Now this process does output a p15 that is uploadable to the NMC. But once applied I can no longer connect to it via HTTPS and keep getting "PR_CONNECT_RESET_ERROR". In addition to not being able to connect, there is no proper way to setup automatic renewals with certbot where the CSR can be passed. However this may be able to be bypassed by having it reuse the private key.

The end goal is to have automatic cert renewals on my certbot server for the NMC. What I really would like is the ability to pass a private key, cert, and CA chain file without needing to deal with CSRs. However if that is not possible I'd at least like to figure out why I'm getting this connection reset error.

Thank you for your time.

ScottBUK_apc
Ensign
0 Likes
0
1986

Re: Uploading Private SSL Certificates

This was originally posted on APC forums on 8/31/2020


Check the time is right on your NMC. That caught me out!

BillP
Picard
0 Likes
0
1986

Re: Uploading Private SSL Certificates

This reply was originally posted by Gavan on APC forums on 9/1/2020


Have you considered just using an internal CA?

It takes about 10-15 minutes to set one up using OpenSSL (since you're using Linux) and will allow you to set your own validity period. I mean what's better than auto renewal? Never needing to renew. Really the only reason you'd use an externally signed certificate is if you plan on having the server be publicly accessible and under no circumstance could I ever recommend an NMC being exposed to the Internet in that way.

-Gavan

noahajac_apc
Crewman
0 Likes
0
1986

Re: Uploading Private SSL Certificates

This was originally posted on APC forums on 9/2/2020


That was it. Thanks!

noahajac_apc
Crewman
0 Likes
0
1986

Re: Uploading Private SSL Certificates

This was originally posted on APC forums on 9/2/2020


I've thought of it however my network is set up where multiple devices can access different services via HTTPS and I can't necessarily change the certificate store on those devices.

BillP
Picard
0 Likes
0
1986

Re: Uploading Private SSL Certificates

This reply was originally posted by Gavan on APC forums on 9/2/2020


Hi Noah,

If you find a way to automate the creation of the certificates then this might be useful to you.

The upload process can be automated by using FTP/SCP to connect to the NMC and placing the signed .p15 file in the SSL directory. You don't need to delete the existing cert; it will be automatically overwritten.

One thing to watch is that the cert's name needs to be in the 8.3 format. I can't remember if the NMC needs to be rebooted afterwards but it's just an SSH command to reboot them.

-Gavan
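An added example (not Gavan's or APC's code) of how the SCP upload he describes can be scripted, with a check that the file name fits 8.3 before anything is pushed, since a name like APC-signed.p15 has a ten-character base and would be refused. The ssl/ destination path, the NMC_HOST/NMC_USER variables and the accepted character set are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: push a signed .p15 to an NMC over SCP,
# refusing file names that do not fit the 8.3 convention the NMC requires.
# Assumptions: the caller exports NMC_HOST and NMC_USER; the remote "ssl/"
# directory is assumed from the thread's wording ("the SSL directory").

# Return 0 if "$1" (path or bare name) is an 8.3 name: 1-8 character base,
# one dot, 1-3 character extension. The allowed character set (letters,
# digits, underscore, hyphen) is an assumption based on DOS 8.3 rules.
is_8dot3() {
  name=$(basename -- "$1")
  case "$name" in
    *.*.*) return 1 ;;                       # more than one dot is never 8.3
    *.*)
      base=${name%.*}
      ext=${name##*.}
      [ ${#base} -ge 1 ] && [ ${#base} -le 8 ] || return 1
      [ ${#ext}  -ge 1 ] && [ ${#ext}  -le 3 ] || return 1
      case "${base}${ext}" in
        *[!A-Za-z0-9_-]*) return 1 ;;        # reject spaces and odd punctuation
      esac
      return 0 ;;
    *) return 1 ;;                           # no extension at all
  esac
}

# Upload "$1" into the NMC's ssl/ directory. Exit codes: 2 = file missing,
# 3 = name would not be accepted by the NMC, otherwise scp's own status.
upload_p15() {
  cert="$1"
  [ -f "$cert" ] || { echo "no such file: $cert" >&2; return 2; }
  if ! is_8dot3 "$cert"; then
    echo "refusing upload: $(basename -- "$cert") is not an 8.3 name (use e.g. nmc.p15)" >&2
    return 3
  fi
  # The existing cert is overwritten in place; no delete step is needed.
  scp -q "$cert" "${NMC_USER:?}@${NMC_HOST:?}:ssl/$(basename -- "$cert")"
}
```

Rename the ACME client's output to an 8.3 name (for example nmc.p15) before calling upload_p15, and reboot the NMC over SSH afterwards if the new certificate is not picked up.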

noahajac_apc
Crewman
0
1986

Re: Uploading Private SSL Certificates

This was originally posted on APC forums on 9/4/2020


Thank you for the advice.

I got a system working I'm happy with. For the sake of others who come here I'll put some more info below.

  • I use Certbot on CentOS 8. If you use another ACME client there's a good chance there's functionality for auto-renewal of CSR based certs already built-in.
  • I already have a domain on auto-renewal so I can just use post hooks to create and sign the cert for the NMC. If you're using Certbot just for the NMC, then I suggest you switch to another ACME client as mentioned above.
  • Wine is needed to run the NMC tool. If you're on CentOS like me Red Hat has made it a giant pain as in their infinite wisdom they decided to not keep 32-bit versions in their repos. I wound up using the Raven Extras repo and manually installed the i686 version of wine, wine-core, etc.
  1. Create the following directories: "/etc/letsencrypt-APC", "/var/log/letsencrypt-APC", and "/var/lib/letsencrypt-APC", the reason being certbot won't run multiple instances at the same directories and this script will be run from a post-hook.
  2. Run "cp -r /etc/letsencrypt/accounts /etc/letsencrypt-APC"
  3. Create the directory "/etc/letsencrypt-APC/live/"
  4. Create the script /etc/letsencrypt/renewal-hooks/post/APC and fill it with:

#!/bin/bash

if [[ $RENEWED_DOMAINS == *"DOMAIN"* ]]; then
  /usr/bin/rm -f /etc/letsencrypt-APC/live/DOMAIN/*
  cd /opt/APC
  /usr/bin/wine /opt/APC/NMCSecurityWizardCLI.exe --csr -o Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-unsigned -c US -g ORG -n DOMAIN 2>/dev/null
  /usr/bin/certbot certonly -n --config-dir /etc/letsencrypt-APC --work-dir /var/lib/letsencrypt-APC --logs-dir /var/log/letsencrypt-APC --cert-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed.pem --fullchain-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed-fullchain.pem --chain-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed-chain.pem -d DOMAIN --csr /etc/letsencrypt-APC/live/DOMAIN/APC-unsigned.csr
  /usr/bin/wine /opt/APC/NMCSecurityWizardCLI.exe --import -o Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\