APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-07-01 05:05 AM . Last Modified: 2024-03-05 01:47 AM
In order to secure web traffic to our UPS units we would like to use HTTPS. As we have a corporate Microsoft PKI, we would like to issue our own certificates instead of using self-signed ones.
Via the NMC Security Wizard application we are able to generate CSRs for the UPS network management cards that we have inserted into our Smart UPS units. By submitting these against the default "WebServer" Microsoft PKI certificate template, we can use our corporately-issued certificates with the UPS NMCs. The problem is that this is a very manual process. If we only had a couple of networked UPS units then it wouldn't be that big a deal, but we have many UPS units deployed to many locations.
How can we automate the CSR creation process? It would not be difficult to create a CSV containing the information for each CSR. Once CSRs and key files were output we could bulk submit to our corporate PKI via command line tools.
How can we also then automate the final import of the PKI-issued certificates into the Security Wizard? Again, it would not be hard to make a CSV with the relevant fields populated, but the application would need to support bulk processing via CSV or another method.
Uploading the final "Security Wizard-processed" certificate to the UPS NMC is always going to be a manual process, but we could at least live with that if we didn't have 3x the tedium by manually creating the CSRs and later manually importing the issued certificates into the Security Wizard.
The Microsoft default "WebServer" template is only good for 2 years and the NMCs don't appear to like custom web server templates from what we've actually witnessed and also from people's accounts on the internet. We're therefore going to be stuck doing this every 2 years, so the more automated a process it could be, the better.
Please advise if it is possible to bulk issue CSRs and process the resulting issued certificates, and if not, when that feature will be available. It would also be very useful for APC to supply Microsoft PKI template guidelines that end users / companies could use to create their own templates supporting expiration dates further than only 2 years out. Any attempt to use a custom web server template seems to result in an error "-32" failure when doing the signed certificate import into the Security Wizard application. The current error message does not help isolate what issues the Security Wizard has with the custom template-issued certificate, so it is not possible to fix any problems in order to create a valid custom web server template.
Posted: 2021-07-01 05:07 AM . Last Modified: 2024-03-05 01:46 AM
Are these tools still available? We have over 600 devices that we need to push wildcard certificates to, which would be a time-consuming task.
Posted: 2021-07-01 05:05 AM . Last Modified: 2024-03-05 01:47 AM
We can provide a tool, that is not public, to generate wildcard certificates. It also provides a utility to push this out via FTP.
I looked up your case and had created a knowledge base for one issue you encountered: http://www.schneider-electric.com/support/index?page=content&country=US&lang=en&locale=en_US&id=FA235654
If wild card certificates (the generic certificates) are OK, I will direct message you on here a link to download those tools via Box to see if they will work for you.
Posted: 2021-07-01 05:05 AM . Last Modified: 2024-03-05 01:47 AM
Read the FA176542. Good work; I spent many hours on that problem.
Yes could you send me the link. Thanks.
Posted: 2021-07-01 05:05 AM . Last Modified: 2024-03-05 01:47 AM
OK, I sent it, let me know if you don't see it in your direct messages on here.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:47 AM
I will contact you via direct message if that's OK. We have some tools available that we made available for another issue outlined in the knowledge base (Network Management Card 1 (NMC1) Information Bulletin: Effects of Microsoft Windows Critical Update ...)(that are not publicly released yet) and I think they may solve your issue. They should be provided publicly at some point but they just have not gone through an official release process.
What we can offer is the ability to use wild card certificates (if accepted within your organization even though not technically a "great" option) and a tool in order to "mass push" certs to devices.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:47 AM
Yes, I will send the link to you via Direct Message here.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:47 AM
Thanks Angela,
When I use the tool to create a wild card certificate I keep receiving this message.
I have checked and both my RA and CSR are using *my.domain as the CN. I'm using EJBCA to generate the signed cert.
Invalid Certificate CN.
Expected: *.my.domain
Actual: 0 Ÿ0 *†H†ý
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:47 AM
So are you essentially trying to issue a self-signed certificate almost? Like issued by *.mydomain.com to *.mydomain.com (because I don't think that will be allowed)?
If not, I am not sure I am understanding and was wondering if you could provide a screenshot so I could understand better.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Thanks for the Reply,
So the DNS to my PDU is ef-dc-pdu1.mydomain.com
1. Within the security tool I select Create CSR request, then enter *.mydomain.com as the common name.
2. Then in EJBCA I create an RA request using the common name *.mydomain.com
3. Within EJBCA I sign the certificate which generates a PEM file
4. I use openssl to convert the PEM file to cer\crt
5. I open the security tool to import my signed certificate and choose my original key file
6. When the tool tries to combine the files I get the error
Expected: *.my.domain
Actual: 0 Ÿ0 *†H†ý
Note this same process works fine when I don't use a wildcard and just have ef-dc-pdu1.mydomain.com as the common name.
Perhaps the wildcard should be in a subject alternative name?
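Whether a wildcard certificate actually covers a given NMC or PDU hostname is decided by the client's name-matching rules, not by where the name sits (CN or SAN). The following is an added example, not code from the thread or from APC's tools: it applies the RFC 6125 wildcard rules that mainstream TLS clients implement, so an inventory can be checked against a planned wildcard name before any certificates are issued. The hostnames are constructed from the examples in the thread.

```python
# Added example (not from the thread): check whether a hostname is covered
# by a certificate name, following the RFC 6125 wildcard rules most TLS
# clients apply. Hostnames below are constructed from the thread's examples.


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Return True if cert_name (a CN or dNSName SAN entry) covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as most browsers implement it):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard must be the entire leftmost label ("*.example.com");
        partial labels such as "f*.example.com" are not accepted
      * the wildcard matches exactly one label, so "*.example.com" does not
        cover "a.b.example.com"
      * a wildcard needs at least two labels to its right, so "*.com" is
        rejected
    """
    host = hostname.lower().rstrip(".")
    name = cert_name.lower().rstrip(".")
    if "*" not in name:
        return host == name

    labels = name.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False  # wildcard only allowed as the whole leftmost label
    if len(labels) < 3:
        return False  # "*.com" style names are not accepted

    host_labels = host.split(".")
    if len(host_labels) != len(labels):
        return False  # the wildcard covers exactly one label
    return host_labels[1:] == labels[1:] and host_labels[0] != ""


def covered_hosts(cert_name: str, hostnames):
    """Split a fleet inventory into hosts the certificate covers and hosts it misses."""
    ok = [h for h in hostnames if hostname_matches(h, cert_name)]
    missed = [h for h in hostnames if not hostname_matches(h, cert_name)]
    return ok, missed


if __name__ == "__main__":
    # Constructed inventory modelled on the names used in the thread.
    fleet = [
        "ef-dc-pdu1.mydomain.com",
        "ef-dc-pdu2.mydomain.com",
        "rack3.mgt.mydomain.com",   # one label deeper: not covered
        "mydomain.com",             # apex: not covered
    ]
    ok, missed = covered_hosts("*.mydomain.com", fleet)
    print("covered:", ok)
    print("not covered:", missed)
```

Running this over the real device list before submitting a wildcard CSR shows which management interfaces sit one label deeper (for example under a `mgt.` sub-zone) and would therefore need their own name or a second wildcard.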
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Can you give me the exact screenshot from step #6? I've never seen that before and you're saying it comes from the APC security wizard?
Also, so I can make sure we're on the same page, EJBCA is your certificate authority and what is "RA?"
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Subject of my CER file - CN = *.mgt.wotifgroup.com
EJBCA = Open Source PKI Certificate Authority
RA = Registration Authority
"A registration authority (RA) is an authority in a network that verifies user requests for a digital certificate and tells the certificate authority (CA) to issue it."
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Thank you for the extra detail! I see now.
I don't think you're doing anything wrong. If anything, I think there is a problem perhaps during the conversion or something in the wizard. I assume your CA only offers PEM output and that is why you are using OpenSSL to convert it to .cer/crt which is accepted by the wizard?
Just curious if you can get this to work properly if you use a CA made by the wizard too, just as a test?
Then I go back to the fact that you said if you use the CN of your actual PDU (ef-dc-pdu1.mydomain.com), it works fine...
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Hi Angela,
Could you also send this tool to me? I have 25 PDUs to create CSR and certificates for.
Thanks Heaps
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Hey Angela,
I need to deploy certs to like a 100 UPSs, is this tool still available?
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Yes, I can message a download link to you if you add me as a friend.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Hi Angela,
could you send me a copy of these two tools please as well?
Greatly appreciated!
(I can't access your profile because it is private)
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Hi Benjamin,
Yes, I'll send you a download link. My profile is private since I have recently moved to a new role within Schneider and am not spending as much time on this site as part of my daily duties.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Hi, Angela. We need to update SSL certificates on 500+ APC NMCs (AP961X and AP963X). Could you send me a link to your utilities to bulk generate and upload SSL certificates? Thank you!
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
We have a couple dozen NMCs with more on the way. This tool would be very handy.
Posted: 2021-07-01 05:06 AM . Last Modified: 2024-03-05 01:46 AM
Hi Cory,
You can obtain these tools from tech support via phone or email. As mentioned above we can give a special APC Security Wizard tool version to make wildcard certificates and a tool to mass push SSL certs via FTP.
Posted: 2021-07-01 05:07 AM . Last Modified: 2024-03-05 01:46 AM
Hello,
can you please also let me have this tool?
It seems that it works properly with our old firmware NMCs (AP9630/9631 with sumx version 6.2.0).
However it seems that the exact same certificate (created by the instructions on mikeshellenberg.wordpress.org) that was working properly with this 6.2.1 is invalid with version v6.4.6. So in the future I think either the configuration wizard has to be modified, or the best would be to issue the request (csr) from the firmware, and have the .cer file imported?
Thanks and best regards
Zoltan
Posted: 2021-07-01 05:07 AM . Last Modified: 2024-03-05 01:46 AM
Hi,
Based on what you're describing, I do not think the tools we have will help unfortunately. We have a tool that allows a user to create a wild card certificate so if you do want to do that to work around the issue you're explaining with your existing certificate and use a wild card SSL certificate instead, then yes, we can provide it.
The issue of the certificate working on 6.2.1 and not working with 6.4.6 though is likely something due to the crypt library upgrade we did on the firmware. Are you using a Microsoft CA to issue these? We have identified a few issues relating to Microsoft issued certificates that either provide a -32 error on Security Wizard or cause the certificate to get rejected by the NMC itself after the .cer is imported. The special tools we can provide will not fix this problem and we are in the middle of making other updates and fixes that will address it. Part of what I explained is here -> http://www.apc.com/us/en/faqs/FA285378
There are limitations to the methods we can provide customers to create and import SSL certificates based on the inner workings of the crypt library unfortunately. These limitations won't allow for what you said about creating a .csr from the firmware and importing into .cer format. Believe me, I wish it was that easy.
So, if you can clarify what you are going to need the tools mentioned here for, then we can decide if they are likely to help you or not and decide how to move forward.
Posted: 2021-07-01 05:07 AM . Last Modified: 2024-03-05 01:46 AM
Any chance you could send the tool over my way, need to push out a number of certs to a new office build.
Thanks!
Josh
Posted: 2021-07-01 05:07 AM . Last Modified: 2024-03-05 01:46 AM
For those of you trying to generate APC certificates with Active Directory Certificate Services, you must use the Web Server template. The principal drawback to this template is that it is limited to 2 years and the template cannot be edited through the management tool. Duplicating the template and regenerating the APC certificate will invoke the dreaded -32 error. After spending two days trying to find a workaround, I found a simple way to edit the lifespan. Assuming that you are using an AD-integrated Enterprise CA, do the following:
1. Using ADSI Edit, navigate to CN=Services,CN=Public Key Services,CN=Certificate Templates,CN=Configuration,DC={your domain},DC=com
2. In CN=Web Server, edit the pKIExpirationPeriod property. It is in 64-bit FILETIME format. The easiest way to calculate your expiration period is to set it on a modifiable template and then just copy that one over to the Web Server property. In my case, I wanted 10 years which is 00 80 3C 48 D1 CB F4 FF
3. Regenerate your APC certificate and it will have the new expiration date.
I hope this helps. I did not want to have to regenerate a ton of certificates in 2 years.
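The byte string in step 2 can be computed and checked rather than copied from another template. The following is an added example, not code from the thread or from Microsoft: it encodes a validity period into the negative 100-nanosecond-tick, little-endian form that pKIExpirationPeriod uses and decodes it back. Decoding the thread's 10-year value yields exactly 3650 days, so the encoder assumes the 365-day year that value implies; the helper names and the space-separated hex format are this example's own.

```python
# Added example (not from the thread): encode and decode the AD certificate
# template attribute pKIExpirationPeriod, which stores the validity period as
# a negative 64-bit FILETIME-style duration (100-nanosecond ticks,
# little-endian), so the bytes entered in ADSI Edit can be verified first.
import struct

TICKS_PER_SECOND = 10_000_000          # FILETIME resolution: 100 ns
SECONDS_PER_DAY = 86_400


def encode_pki_period(days: int) -> bytes:
    """Return the 8-byte little-endian value for a validity period of `days`.

    AD stores template periods as negative durations:
    -(days * 86400 s * 1e7 ticks/s), packed as a signed 64-bit integer.
    """
    if days <= 0:
        raise ValueError("period must be a positive number of days")
    ticks = -days * SECONDS_PER_DAY * TICKS_PER_SECOND
    return struct.pack("<q", ticks)     # signed 64-bit, little-endian


def decode_pki_period(raw: bytes) -> float:
    """Return the number of days encoded in an 8-byte pKIExpirationPeriod value."""
    if len(raw) != 8:
        raise ValueError("pKIExpirationPeriod must be exactly 8 bytes")
    (ticks,) = struct.unpack("<q", raw)
    if ticks >= 0:
        raise ValueError("template periods are stored as negative durations")
    return -ticks / (SECONDS_PER_DAY * TICKS_PER_SECOND)


def adsi_hex(raw: bytes) -> str:
    """Format bytes as the space-separated hex used in the post above (assumed layout)."""
    return " ".join(f"{b:02X}" for b in raw)


def parse_adsi_hex(text: str) -> bytes:
    """Parse space-separated hex such as '00 80 3C 48 D1 CB F4 FF' back into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


if __name__ == "__main__":
    # The thread's 10-year value: 10 * 365 days.
    ten_years = encode_pki_period(365 * 10)
    print("10 years ->", adsi_hex(ten_years))          # 00 80 3C 48 D1 CB F4 FF
    print("round trip:", decode_pki_period(ten_years), "days")
    # Default Web Server template validity mentioned in the thread: 2 years.
    print("2 years  ->", adsi_hex(encode_pki_period(365 * 2)))
```

Decoding the current attribute value before overwriting it is a cheap sanity check: a result that is not a whole number of days, or a positive tick count, means the bytes were entered in the wrong order or the wrong attribute was edited. The same encoding applies to pKIOverlapPeriod (the renewal window), which is worth reviewing after a template's lifetime is extended.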