APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: ‎2021-07-01 05:05 AM . Last Modified: ‎2024-03-05 01:47 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:05 AM . Last Modified: ‎2024-03-05 01:47 AM
In order to secure web traffic to our UPS units we would like to use HTTPS. As we have a corporate Microsoft PKI, we would like to issue our own certificates instead of using self-signed ones.
Via the NMC Security Wizard application we are able to generate CSRs for the UPS network management cards that we have inserted into our Smart UPS units. By submitting these against the default "WebServer" Microsoft PKI certificate template, we can use our corporately-issued certificates with the UPS NMCs. The problem is that this is a very manual process. If we only had a couple of networked UPS units then it wouldn't be that big a deal, but we have many UPS units deployed to many locations.
How can we automate the CSR creation process? It would not be difficult to create a CSV containing the information for each CSR. Once CSRs and key files were output we could bulk submit to our corporate PKI via command line tools.
How can we also then automate the final import of the PKI-issued certificates into the Security Wizard? Again, it would not be hard to make a CSV with the relevant fields populated, but the application would need to support bulk processing via CSV or another method.
Uploading the final "Security Wizard-processed" certificate to the UPS NMC is always going to be a manual process, but we could at least live with that if we didn't have 3x the tedium by manually creating the CSRs and later manually importing the issued certificates into the Security Wizard.
The Microsoft default "WebServer" template is only good for 2 years and the NMCs don't appear to like custom web server templates from what we've actually witnessed and also from people's accounts on the internet. We're therefore going to be stuck doing this every 2 years, so the more automated a process it could be, the better.
Please advise if it is possible to bulk issue CSRs and process the resulting issued certificates, and if not, when that feature will be available. It would also be very useful for APC to supply Microsoft PKI template guidelines for that end users / companies could use create their own templates supporting expiration dates further than only 2 years out. Any attempt to use a custom web server template seems to result in an error "-32" failure when doing the signed certificate import into the security wizard application. The current error message does not help isolate what issues the security wizard has with the custom template-issued certificate, so it is not possible to fix any problems in order to create a valid custom web server template.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Are these tools still available. We have over 600 devices that we need to push wild card certificates to which would be a time consuming task.
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:05 AM . Last Modified: ‎2024-03-05 01:47 AM
We can provide a tool, that is not public, to generate wildcard certificates. It also provides a utility to push this out via FTP.
I looked up your case and had created a knowledge base for one issue you encountered: http://www.schneider-electric.com/support/index?page=content&country=US〈=en&locale=en_US&id=FA235654
If wild card certificates (the generic certificates) are OK, I will direct message you on here a link to download those tools via Box to see if they will work for you.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:05 AM . Last Modified: ‎2024-03-05 01:47 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:05 AM . Last Modified: ‎2024-03-05 01:47 AM
Read the FA176542 good work, spent many hours on that problem.
Yes could you send me the link. Thanks.
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:05 AM . Last Modified: ‎2024-03-05 01:47 AM
OK, I sent it, let me know if you don't see it in your direct messages on here.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
In order to secure web traffic to our UPS units we would like to use HTTPS. As we have a corporate Microsoft PKI, we would like to issue our own certificates instead of using self-signed ones.
Via the NMC Security Wizard application we are able to generate CSRs for the UPS network management cards that we have inserted into our Smart UPS units. By submitting these against the default "WebServer" Microsoft PKI certificate template, we can use our corporately-issued certificates with the UPS NMCs. The problem is that this is a very manual process. If we only had a couple of networked UPS units then it wouldn't be that big a deal, but we have many UPS units deployed to many locations.
How can we automate the CSR creation process? It would not be difficult to create a CSV containing the information for each CSR. Once CSRs and key files were output we could bulk submit to our corporate PKI via command line tools.
How can we also then automate the final import of the PKI-issued certificates into the Security Wizard? Again, it would not be hard to make a CSV with the relevant fields populated, but the application would need to support bulk processing via CSV or another method.
Uploading the final "Security Wizard-processed" certificate to the UPS NMC is always going to be a manual process, but we could at least live with that if we didn't have 3x the tedium by manually creating the CSRs and later manually importing the issued certificates into the Security Wizard.
The Microsoft default "WebServer" template is only good for 2 years and the NMCs don't appear to like custom web server templates from what we've actually witnessed and also from people's accounts on the internet. We're therefore going to be stuck doing this every 2 years, so the more automated a process it could be, the better.
Please advise if it is possible to bulk issue CSRs and process the resulting issued certificates, and if not, when that feature will be available. It would also be very useful for APC to supply Microsoft PKI template guidelines for that end users / companies could use create their own templates supporting expiration dates further than only 2 years out. Any attempt to use a custom web server template seems to result in an error "-32" failure when doing the signed certificate import into the security wizard application. The current error message does not help isolate what issues the security wizard has with the custom template-issued certificate, so it is not possible to fix any problems in order to create a valid custom web server template.
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
I will contact you via direct message if that's OK. We have some tools available that we made available for another issue outlined in the knowledge base (Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Windows Critical Update ...)(that are not publicly released yet) and I think they may solve your issue. They should be provided publicly at some point but they just have not gone through an official release process.
What we can offer is the ability to use wild card certificates (if accepted within your organization even though not technically a "great" option) and a tool in order to "mass push" certs to devices.
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
Yes, I will send the link to you via Direct Message here.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
Thanks Angela,
When I use the tool to create a wild card certificate I keep receiving this message.
I have checked and both my RA and CSR are using *my.domain as the CN. I'm using EJBCA to generate the signed cert.
Invalid Certificate CN.
Expected: *.my.domain
Actual: 0 Ÿ0 *†H†ý
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:47 AM
So are you essentially trying to issue a self signed certificate almost? Like issued by *.mydomain.com to *.mydomain.com (because I don't think that will be allowed)?
If not, I am not sure I am understanding and was wondering if you could provide a screenshot so I could understand better.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Thanks for the Reply,
So the DNS to my PDU is ef-dc-pdu1.mydomain.com
1. Within the security tool I select create CSR request I then entering *.mydomain.com as the common name.
2. Then in EJBCA I create an RA request using the common name *.mydomain.com
3. Within EJBCA I sign the certificate which generates a PEM file
4.I use openssl to convert the PEM file to cer\crt
5.I open the security tool to import my signed certificate and choose my original key file
6. When the tool tries combine files I get the error
Expected: *.my.domain
Actual: 0 Ÿ0 *†H†ý
Note this same process works fine when I don't use a wildcard and just have ef-dc-pdu1.mydomain.com as the common name.
Perhaps the wildcard should be in a subject alternative name?
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Can you give me the exact screenshot from step #6? I've never seen that before and you're saying it comes from the APC security wizard?
Also, so I can make sure we're on the same page, EJBCA is your certificate authority and what is "RA?"
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Subject of my CER file - CN = *.mgt.wotifgroup.com
EJBCA = Open Source PKI Certificate Authority
RA = Registration Authority
"A registration authority (RA) is an authority in a network that verifies user requests for adigital certificateand tells the certificate authority (CA) to issue it."
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Thank you for the extra detail! I see now.
I don't think you're doing anything wrong. If anything, I think there is a problem perhaps during the conversion or something in the wizard. I assume your CA only offers PEM output and that is why you are using OpenSSL to convert it to .cer/crt which is accepted by the wizard?
Just curious if you can get this to work properly if you use a CA made by the wizard too, just as a test?
Then I go back to the fact that said if you use the CN of your actual PDU (ef-dc-pdu1.mydomain.com), it works fine...
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
HI Angela,
Could you also send this tool to me? I have 25 PDUs to create CSR and certificates for.
Thanks Heaps
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Hey Angela,
I need to deploy certs to like a 100 UPS`s, is this tool still availible?
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Yes, I can message a download link to you if you add me as a friend.
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Hi Angela,
could you send me a copy of these two tools please as well?
Greatly appreciated!
(I can't access your profile because it is private)
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Hi Benjamin,
Yes, I'll send you a download link. My profile is private since I have recently moved to a new role within Schneider and am not spending as much time on this site as part of my daily duties.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Hi, Angela. We need update SSL certificates on 500+ APC NMC (AP961X and AP963X). Could you send me link to your utilities for bulk generate and upload SSL certificates? Thank you!
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
We have a couple dozen NMCs with more on the way. This tool would be very handy.
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:06 AM . Last Modified: ‎2024-03-05 01:46 AM
Hi Cory,
You can obtain these tools from tech support via/phone or email. As mentioned above we can give a special APC Security Wizard tool versopn to make wild card certificates and a tool to mass push SSL certs via FTP.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Hello,
can You please also let me have this tool?
It seems, that it works properly with our old firmware NMC-s (AP9630/9631 with sumx version 6.2.0).
However it seems, that the exact same certificate (created by the instructions on mikeshellenberg.wordpress.org) that was working properly with this 6.2.1 is invalid with version v6.4.6. So in the future I think either the configuratino wizzard has to be modified, or the best would be to issue the request (csr) from the firmware, and have the .cer file imported?
Thanks and best regards
Zoltan
Link copied. Please paste this link to share this article on your social media post.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Hi,
Based on what you're describing, I do not think the tools we have will help unfortunately. We have a tool that allows a user to create a wild card certificate so if you do want to do that to work around the issue you're explaining with your existing certificate and use a wild card SSL certificate instead, then yes, we can provide it.
The issue of the certificate working on 6.2.1 and not working with 6.4.6 though is likely something due to the crypt library upgrade we did on the firmware. Are you using a Microsoft CA to issue these? We have identified a few issues relating to Microsoft issued certificates that either provides a -32 error on security wizard or causes the certificate to get rejected by theNMC itself after the .cer is imported. The special tools we can provide will not fix this problem and we are in the middle of making other updates and fixes that will address it. Part of what I explained is here -> http://www.apc.com/us/en/faqs/FA285378
There are limitations to the methods we can provide customers to create and import SSL certificates based on the inner workings of the crypt library unfortunately. These limitations won't allow for what you said about creating a .csr from the firmware and importing into .cer format. Believe me, I wish it was that easy
So, if you can clarify what you are going to need the tools mentioned here for, then we can decide if they are likely to help you or not and decide how to move forward.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Any chance you could send the tool over my way, need to push out a number of certs to a new office build.
Thanks!
Josh
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
For those of you trying to generate APC certificates with Active Directory Certificate Services, you must use the Web Server template. The principal drawback to this template is that it is limited to 2 years and the template cannot be edited through the management tool. Duplicating the template and regenerating the APC certificate will invoke the dreaded -32 error. After spending two days trying to find a work around, I found a simple way to edit the lifespan. Assuming that you are using AD integrated Enterprise CA, do the following:
1. Using ADSI Edit, Navigate to CN=Services,CN=Public Key Services,CN=Certificate Templates,CN=Configuration,DC={your domain|,DC=com
2. In CN=Web Server, edit pKIExpirationPeriod property. It is in 64 bit FILETIME format. The easiest way to calculate your expiration period is to set it on a modifiable template and then just copy that one over to the Web Server property. In my case, I wanted 10 years which is 00 80 3C 48 D1 CB F4 FF
3. Regenerate your APC certificate and it will have the new expiration date.
I hope this helps. I did not want to have to regenerate a ton of certificates in 2 years.
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Link copied. Please paste this link to share this article on your social media post.
Posted: ‎2021-07-01 05:07 AM . Last Modified: ‎2024-03-05 01:46 AM
Are these tools still available. We have over 600 devices that we need to push wild card certificates to which would be a time consuming task.
Link copied. Please paste this link to share this article on your social media post.
Create your free account or log in to subscribe to the board - and gain access to more than 10,000+ support articles along with insights from experts and peers.