Bulk / Command Line Options for Generating CSRs and Certificates for UPS Network Management Cards?

This was originally posted on APC forums on 10/24/2014

Read the FA176542 good work, spent many hours on that problem.

Yes could you send me the link. Thanks.

This reply was originally posted by Angela on APC forums on 10/27/2014

OK, I sent it, let me know if you don't see it in your direct messages on here.

This was originally posted on APC forums on 1/13/2014

In order to secure web traffic to our UPS units we would like to use HTTPS. As we have a corporate Microsoft PKI, we would like to issue our own certificates instead of using self-signed ones.

Via the NMC Security Wizard application we are able to generate CSRs for the UPS network management cards that we have inserted into our Smart UPS units. By submitting these against the default "WebServer" Microsoft PKI certificate template, we can use our corporately-issued certificates with the UPS NMCs. The problem is that this is a very manual process. If we only had a couple of networked UPS units then it wouldn't be that big a deal, but we have many UPS units deployed to many locations.

How can we automate the CSR creation process? It would not be difficult to create a CSV containing the information for each CSR. Once CSRs and key files were output we could bulk submit to our corporate PKI via command line tools.

How can we also then automate the final import of the PKI-issued certificates into the Security Wizard? Again, it would not be hard to make a CSV with the relevant fields populated, but the application would need to support bulk processing via CSV or another method.

Uploading the final "Security Wizard-processed" certificate to the UPS NMC is always going to be a manual process, but we could at least live with that if we didn't have 3x the tedium by manually creating the CSRs and later manually importing the issued certificates into the Security Wizard.

The Microsoft default "WebServer" template is only good for 2 years and the NMCs don't appear to like custom web server templates from what we've actually witnessed and also from people's accounts on the internet. We're therefore going to be stuck doing this every 2 years, so the more automated a process it could be, the better.

Please advise if it is possible to bulk issue CSRs and process the resulting issued certificates, and if not, when that feature will be available. It would also be very useful for APC to supply Microsoft PKI template guidelines for that end users / companies could use create their own templates supporting expiration dates further than only 2 years out. Any attempt to use a custom web server template seems to result in an error "-32" failure when doing the signed certificate import into the security wizard application. The current error message does not help isolate what issues the security wizard has with the custom template-issued certificate, so it is not possible to fix any problems in order to create a valid custom web server template.

This reply was originally posted by Angela on APC forums on 1/13/2014

I will contact you via direct message if that's OK. We have some tools available that we made available for another issue outlined in the knowledge base (Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Windows Critical Update ...)(that are not publicly released yet) and I think they may solve your issue. They should be provided publicly at some point but they just have not gone through an official release process.

What we can offer is the ability to use wild card certificates (if accepted within your organization even though not technically a "great" option) and a tool in order to "mass push" certs to devices.

This reply was originally posted by Angela on APC forums on 4/24/2014

Yes, I will send the link to you via Direct Message here.

This was originally posted on APC forums on 4/29/2014

Thanks Angela,

When I use the tool to create a wild card certificate I keep receiving this message.

I have checked and both my RA and CSR are using *my.domain as the CN. I'm using EJBCA to generate the signed cert.

Invalid Certificate CN.

  Expected: *.my.domain

  Actual: 0 Ÿ0   *†H†ý

This reply was originally posted by Angela on APC forums on 4/29/2014

So are you essentially trying to issue a self signed certificate almost? Like issued by *.mydomain.com to *.mydomain.com (because I don't think that will be allowed)?

If not, I am not sure I am understanding and was wondering if you could provide a screenshot so I could understand better.

This was originally posted on APC forums on 4/29/2014

Thanks for the Reply,

So the DNS to my PDU is ef-dc-pdu1.mydomain.com

1. Within the security tool I select create CSR request I then entering *.mydomain.com as the common name.

2. Then in EJBCA I create an RA request using the common name *.mydomain.com

3. Within EJBCA I sign the certificate which generates a PEM file

4.I use openssl to convert the PEM file to cer\crt

5.I open the security tool to import my signed certificate and choose my original key file

6. When the tool tries combine files I get the error

  Expected: *.my.domain

  Actual: 0 Ÿ0   *†H†ý

Note this same process works fine when I don't use a wildcard and just have ef-dc-pdu1.mydomain.com as the common name.

Perhaps the wildcard should be in a subject alternative name?

This reply was originally posted by Angela on APC forums on 4/29/2014

Can you give me the exact screenshot from step #6? I've never seen that before and you're saying it comes from the APC security wizard?

Also, so I can make sure we're on the same page, EJBCA is your certificate authority and what is "RA?"

This was originally posted on APC forums on 4/30/2014

Subject of my CER file - CN = *.mgt.wotifgroup.com

EJBCA = Open Source PKI Certificate Authority

RA = Registration Authority

"A registration authority (RA) is an authority in a network that verifies user requests for adigital certificateand tells the certificate authority (CA) to issue it."

This reply was originally posted by Angela on APC forums on 4/30/2014

Thank you for the extra detail! I see now.

I don't think you're doing anything wrong. If anything, I think there is a problem perhaps during the conversion or something in the wizard. I assume your CA only offers PEM output and that is why you are using OpenSSL to convert it to .cer/crt which is accepted by the wizard?

Just curious if you can get this to work properly if you use a CA made by the wizard too, just as a test?

Then I go back to the fact that said if you use the CN of your actual PDU (ef-dc-pdu1.mydomain.com), it works fine...

This was originally posted on APC forums on 4/24/2014

HI Angela,

Could you also send this tool to me? I have 25 PDUs to create CSR and certificates for.

Thanks Heaps

This was originally posted on APC forums on 6/29/2015

Hey Angela,

I need to deploy certs to like a 100 UPS`s, is this tool still availible?

This reply was originally posted by Angela on APC forums on 6/29/2015

Yes, I can message a download link to you if you add me as a friend.

This was originally posted on APC forums on 9/10/2015

Hi Angela,

could you send me a copy of these two tools please as well?
Greatly appreciated!
(I can't access your profile because it is private)

This reply was originally posted by Angela on APC forums on 9/11/2015

Hi Benjamin,

Yes, I'll send you a download link. My profile is private since I have recently moved to a new role within Schneider and am not spending as much time on this site as part of my daily duties.

This was originally posted on APC forums on 10/16/2015

Hi, Angela. We need update SSL certificates on 500+ APC NMC (AP961X and AP963X). Could you send me link to your utilities for bulk generate and upload SSL certificates? Thank you!

This was originally posted on APC forums on 1/27/2016

We have a couple dozen NMCs with more on the way.  This tool would be very handy.

This reply was originally posted by Angela on APC forums on 1/28/2016

Hi Cory,

You can obtain these tools from tech support via/phone or email. As mentioned above we can give a special APC Security Wizard tool versopn to make wild card certificates and a tool to mass push SSL certs via FTP.

This was originally posted on APC forums on 3/14/2017

Hello,

can You please also let me have this tool?

It seems, that it works properly with our old firmware NMC-s (AP9630/9631 with sumx version 6.2.0).

However it seems, that the exact same certificate (created by the instructions on mikeshellenberg.wordpress.org) that was working properly with this 6.2.1 is invalid with version v6.4.6. So in the future I think either the configuratino wizzard has to be modified, or the best would be to issue the request (csr) from the firmware, and have the .cer file imported?

Thanks and best regards

Zoltan

This reply was originally posted by Angela on APC forums on 3/15/2017

Hi,

Based on what you're describing, I do not think the tools we have will help unfortunately. We have a tool that allows a user to create a wild card certificate so if you do want to do that to work around the issue you're explaining with your existing certificate and use a wild card SSL certificate instead, then yes, we can provide it.

The issue of the certificate working on 6.2.1 and not working with 6.4.6 though is likely something due to the crypt library upgrade we did on the firmware. Are you using a Microsoft CA to issue these? We have identified a few issues relating to Microsoft issued certificates that either provides a -32 error on security wizard or causes the certificate to get rejected by theNMC itself after the .cer is imported. The special tools we can provide will not fix this problem and we are in the middle of making other updates and fixes that will address it. Part of what I explained is here -> http://www.apc.com/us/en/faqs/FA285378

There are limitations to the methods we can provide customers to create and import SSL certificates based on the inner workings of the crypt library unfortunately. These limitations won't allow for what you said about creating a .csr from the firmware and importing into .cer format. Believe me, I wish it was that easy 

So, if you can clarify what you are going to need the tools mentioned here for, then we can decide if they are likely to help you or not and decide how to move forward.

This was originally posted on APC forums on 4/17/2018

Any chance you could send the tool over my way, need to push out a number of certs to a new office build.

Thanks!

Josh

This was originally posted on APC forums on 3/30/2020

For those of you trying to generate APC certificates with Active Directory Certificate Services, you must use the Web Server template. The principal drawback to this template is that it is limited to 2 years and the template cannot be edited through the management tool. Duplicating the template and regenerating the APC certificate will invoke the dreaded -32 error. After spending two days trying to find a work around, I found a simple way to edit the lifespan. Assuming that you are using AD integrated Enterprise CA, do the following:

1. Using ADSI Edit, Navigate to CN=Services,CN=Public Key Services,CN=Certificate Templates,CN=Configuration,DC={your domain|,DC=com

2. In CN=Web Server, edit pKIExpirationPeriod property. It is in 64 bit FILETIME format. The easiest way to calculate your expiration period is to set it on a modifiable template and then just copy that one over to the Web Server property. In my case, I wanted 10 years which is 00 80 3C 48 D1 CB F4 FF

3. Regenerate your APC certificate and it will have the new expiration date.

I hope this helps. I did not want to have to regenerate a ton of certificates in 2 years.