APC UPS Data Center & Enterprise Solutions Forum
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
Our InfoSec team has highlighted a security vulnerability in our AP8635 running code 6.8.0, with the following details
SSL Certificate Signed Using Weak Hashing Algorithm:
I have tried reissuing the certificate but I could not see any options regarding the cryptography. Is there any way to adjust the above?
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
Hi Stavros,
You'll need to create your own certificate making sure that your enterprise CA issues the appropriate certificate.
SecWizCLI
https://schneider-electric.app.box.com/file/603908305568
How To;
https://schneider-electric.box.com/s/nri2472wb3n6gtngnc2irqp41tx6j6bq
I'd also note that FW6.8.0 has more vulnerabilities that you have not listed; please upgrade your device to FW6.9.6:
https://www.se.com/ww/en/faqs/FA410359/
-Gavan
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
There is a link in my first post.
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
Hi Gavan
I am restricted by company policy to visit box.com as it falls into the category of file sharing.
Is there a link hosted by APC anywhere?
Thanks
Stavros
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
To be honest we use box.com for most things, I'm not sure if it is somewhere else.
Can you try a personal computer or hotspot?
-Gavan
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
Hello Gavan
Many thanks for replying, I have managed to put the software on the work computer.
I have successfully upgraded my AP8653 to version 6.9.6.
I had a lot of trouble with the NMCSecurityWizardCLIUtility.
First of all, version 1.0.1 does not work and throws an unhandled exception like this when trying to import the cert:
NMC Security Wizard Command Line Utility v1.0.1
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------
Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
   at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
   at NMCSecurityWizardCLI.Program.Main(String[] args)
In order to successfully import the certificate I had to use version 1.0.0 found here.
After successfully creating the *.p15 cert using the signed cert and private key I tried to import to the NMC2 and the status was stuck at "Loading certificate...."
In the event logs I saw the following
02/19/2021 | 12:57:55 | System | SSL: Certificate generation complete. |
02/19/2021 | 12:56:30 | System | SSL: Certificate generation started. |
02/19/2021 | 12:56:29 | System | SSL Error: Invalid certificate. |
I saw on this forum post that other people had my problem in earlier versions of AOS, but there was no solution other than downgrading.
We are using Microsoft CA and the web server template to sign the certificate.
Has there ever been a solution? What else can I try in order to successfully import the certificate?
Thanks
Stavros
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
That forum post listed wouldn't have an impact on what you are trying to do.
Did you follow the guide attached?
I see that you have also created a ticket for your issues. I'd advise that you upload the unsigned .p15, CSR, cer/crt returned from your CA and the signed .p15 to the case, as well as the command used to create it.
-Gavan
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 10:27 PM
Hello Gavan
I believe I followed the guide by the letter. It would be good if the error gave a little bit more information.
I have not opened a case myself. I have, though, asked my reseller about this, so he might have opened one.
I will try redoing the procedure on a different device with a different version and come back here with the results. Is there anything else I can do?
Regards,
Stavros
Posted: 2021-07-29 11:29 PM . Last Modified: 2024-01-29 11:37 PM
Hello Gavan!
I have managed to successfully import the SSL certificate to the device!!
After some collaboration with the sysadmin team, we found out that the signed certificate needed a special template from the CA that includes enhanced key usage.
Thank you very much for your help here.
Have a lovely weekend
Regards
Stavros
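
A pre-flight check for the two certificate problems in this thread, the weak signature hash flagged by the scan and the missing enhanced key usage, as an added example that is not from the posters or from Schneider Electric. It assumes the openssl CLI (1.1.1 or later) and that the EKU the template must supply is serverAuth, which the thread does not name; the function names and the sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run on the CA-signed certificate (PEM) before it is
# packaged into a .p15 and uploaded to the NMC.

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeed if the algorithm name uses a hash that scanners report as weak.
is_weak_sig() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if the Extended Key Usage extension lists serverAuth.
# Assumption: serverAuth is the EKU the CA template has to include.
has_server_auth() {
    openssl x509 -in "$1" -noout -text |
        grep 'TLS Web Server Authentication' >/dev/null
}

# Print one verdict for a certificate: OK, WEAK_HASH or NO_SERVER_AUTH_EKU.
check_cert() {
    alg=$(cert_sig_alg "$1")
    if is_weak_sig "$alg"; then echo "WEAK_HASH"; return 1; fi
    if ! has_server_auth "$1"; then echo "NO_SERVER_AUTH_EKU"; return 1; fi
    echo "OK"
}

# Constructed sample input: throwaway self-signed certificate, SHA-256 signed,
# carrying the serverAuth EKU only when the second argument is "eku".
make_sample_cert() {
    if [ "$2" = "eku" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=nmc.example.test" -keyout "$1.key" -out "$1" \
            -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=nmc.example.test" -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}
```

Run `check_cert` against the file returned by the CA; anything other than `OK` points at the certificate template rather than at the NMC or the conversion utility.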