Can CA signed certs be added to an ATS (AP7723) device?

Anonymous user · ‎2021-06-30

We're generating CSR's and private key's using NMC Security.
The CSR's are being sent to our in-house Microsoft CA.
The CA signed cert and the original private key from the CSR generation are imported using NMC Security.
Attempting to upload and apply the certificate returns "no certificate installed".

Model Number: AP7723

Version: v3.9.2

BillP · ‎2021-06-30

Hi Robert,

You should be using the "Webserver" template if using a Windows CA, so server authentication. This is probably not the issues, the NMC1 is very outdated and probably won't support the signing algorithm used by your CA.

Also of note is the NMC1 only supports up to SSLv3, no modern browser will support this as standard.

-Gavan

See Answer In Context

BillP · ‎2021-06-30

Are you using the security wizard GUI or CLI?

Also note that the AP7723 is based on the much older NMC1 platform, it's possible that the cert provided by your CA is not compatible with the device.

-Gavan

Anonymous user · ‎2021-06-30

I've tried using both--NMC Security Wizard Command Line Utility v1.0.0 and version 1.04 of the APC Security Wizard.

I submit my CSR generated from the CLI to our Microsoft based CA for signature.

The selections available for the Web profile template CSR submission include Server authentication, extended-key usage; or both server and client authentication extended-key usage.

The signed certificate type returned through the CA portal is p10.

The signed certificate can be saved in PEM(base64) or DER(binary) format.

Also available, the signed certificate can be exported in PKCS#12, PKCS#7, JKS, PEM, or DER formats. With this option, certificates in the certification path can be exported. The private key can also be exported here, optionally.

I've downloaded the signed certificate in all formats and then using NMC Security Wizard CLI v1.0.0, successfully imported the certificate, using the .csr and .p15 (key) files generated from the CSR submission steps.

Attempting to add the new .p15 file created with the import command to the ATS device, results in one of the following:

1. No certificate is displayed in the gui, after browsing and selecting the certificate file to be imported.

2. The new CA cert isn't loaded and the factory certificate remains persistent.

3. Browser returns "Unexpected multipart form data. Return to" page.

BillP · ‎2021-06-30

Hi Robert,

Certificates created by the SecWizCLI aren't supported on devices of that age. Try using the older GUI version below:

https://schneider-electric.box.com/s/18wzhi34r2c3ehrhhgw0o9jvd3pjvghj

If you upload the response from your CA to here I can have a look and see if its compatible with the NMC1:

https://schneider-electric.box.com/s/1uwm4i4k3f7p1ft3suyzq1vtg4rf5i17

-Gavan

Anonymous user · ‎2021-06-30

Gavan,

I'm able to access the site, but I'm getting an error, "This shared file or folder link has been removed or is unavailable to you."

BillP · ‎2021-06-30

https://schneider-electric.box.com/s/18wzhi34r2c3ehrhhgw0o9jvd3pjvghj

https://schneider-electric.app.box.com/f/9eb2a0a65ead4f40991eada42446358d

Anonymous user · ‎2021-06-30

Hi Gavan,

What are the CSR profile template requirements for these devices? I'm getting errors submitting a CSR for the Web profile with Client authentication and for a profile with Server and Client authentication.

Thank you

BillP · ‎2021-06-30

Hi Robert,

You should be using the "Webserver" template if using a Windows CA, so server authentication. This is probably not the issues, the NMC1 is very outdated and probably won't support the signing algorithm used by your CA.

Also of note is the NMC1 only supports up to SSLv3, no modern browser will support this as standard.

-Gavan

Can CA signed certs be added to an ATS (AP7723) device?

Can CA signed certs be added to an ATS (AP7723) device?

This is a heading