Creating CA signed certificate for NMC2

Anonymous user · ‎2021-06-28

I am attempting to create new certificates for our NMC2 modules that are signed by our CA, instead of the self signed certs.

While attempting to use the NMCSecurityWizard CLI v1.0.1 to create new p15 certificates I encounter the following error.

{

NMCSecurityWizardCLI --import -o apc1out -s apc1.cer -p apc1

NMC Security Wizard Command Line Utility v1.0.1
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

}

I have confirmed that all the file names that are flagged in the above command are correct. It seems to happen no matter what order I put the flags in. I get the same "Bad argument, parameter 3" .

Has anyone seen this error before? If so, any idea how to correct it?

Thanks,

BillP · ‎2021-06-28

Hi Ian,

I've been able to create a certificate with no issue using those exact commands and my lab CA.

Can you try using this slightly older version of security wizard and also disable any real-time or on-access AV or IPS that might be interfering with the wizard. Also confirm that you are using the base64 export from the CA.

https://schneider-electric.box.com/s/b0nbkuzqcc1b8ka0r2sa4xzqljua44vl

-Gavan

See Answer In Context

BillP · ‎2021-06-28

Hi Chris,

This is generally when the SecWiz program doesn't like on of the files that your trying to pass to it, can you follow the steps in the guide below:

https://schneider-electric.box.com/s/wkhf0nwpl40rhmia33hbfuk2j0r7da09

-Gavan

BillP · ‎2021-06-28

I too am seeing the same error and have followed the PDF guide exactly. I am on a Windows Domain also. My SSL certificate is up for renewal on the 30th. Is there anything else I can try? Or can I get access to the old Wizard (pre CLI)?

R:\Certificates (SSL)\UPS\NMCSecurityWizardCLI>NMCSecurityWizardCLI.exe --import -o upsas -s certnew.cer -p upsa

NMC Security Wizard Command Line Utility v1.0.1
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

BillP · ‎2021-06-28

Hi Ian,

You can use the old Security Wizard GUI, however Chrome and Chromium based browsers will still show error messages as the old GUI software doesn't fill in a field that they require.

Could you confirm that you are using an unaltered "Web Server" template with a two year expiry?

Also could you post the exact command used to create the CSR?

-Gavan

BillP · ‎2021-06-28

Hi Gavan.

Somehow I was able to get this to work 2 years ago (even with the legacy software). Anyway, I am using a Web Server certificate with a two year validity period.

Request Handling CSPs:

Microsoft DH Schannel Cryptographic Provider
Microsoft RSA SChannel Cyrptographic Provider

Subject Name:

Supplied in the request
Type of subject Computer or other device

Extensions:

Basic Constraints
Certificate Template Name
Enhanced Key Usage
Key Usage

IzYa0CEUr0D%2FGNgNjtrqZw%3D%3D.png

NMCSecurityWizardCLI.exe --csr -o upsa -c CA -g MFPN -n upsalpha.corp.mfpn.ca -d upsalpha.corp.mfpn.ca -a 10.10.0.50 -e ian@myemail.com

NMCSecurityWizardCLI.exe --import -o upsas -s certnew.cer -p upsa

Thanks,

Ian

BillP · ‎2021-06-28

Hi Ian,

I've been able to create a certificate with no issue using those exact commands and my lab CA.

Can you try using this slightly older version of security wizard and also disable any real-time or on-access AV or IPS that might be interfering with the wizard. Also confirm that you are using the base64 export from the CA.

https://schneider-electric.box.com/s/b0nbkuzqcc1b8ka0r2sa4xzqljua44vl

-Gavan

BillP · ‎2021-06-28

Gavan,

Using the version 1.0.0 it worked first try! It would seem there is something in the newer version which is causing the issue. Thanks for sorting this out for me, and hopefully this helps others having the issue until a fix comes out for the new version.

Cheers,

Ian

Anonymous user · ‎2021-06-28

Gavan,
it's a great day when you wake up and have a solution to a several month long issue.

The older client works like a charm. Suggest you get apc to host it on their download page again because that new one is terrible.

Thanks for the help!

-Chris

Anonymous user · ‎2021-06-28

Hi Guys,

I have exactly the same problem on a number of different UPS's here. I can only find version 1.0.1 of the software and this does not work at when i submit to a Microsoft PKI infrastructure. Is the 1.0.0 version of the software available anywhere to download ?

BillP · ‎2021-06-28

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

Anonymous user · ‎2021-06-28

I'm having trouble uploading the CA cert to the NMC. i have no issues creating the SSL though the wizard and getting though our CA server and uploading it is no problem, but the CA cert that goes under Security > 802.1x > configuration. I'm trying to get the UPS 802.1x compliant. after Upload the CA certificate status remains Unknown.

PetroR · ‎2021-11-10

I have been struggling to get a certificate on several UPSs since the old GUI wizard stopped working. I am looking at this again as I have just set up a new UPS and want to add an SSL certificate.

I am using NMCSecurityWizardCLI.exe v1.0.1 and following the directions from the readme that came with it.

I do get a new .p15 file (once I realised that it would try and overwrite the original key in the .p15 unless I gave it a different name), however it also errors and the resulting p15 file is not importable to the UPS

NMC Security Wizard Command Line Utility v1.0.1
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

I am using the base 64 download to obtain the .cer file from our local CA

I have read in several places that version 1.0.0 works but am unable to find a place to download it and am mystified as to why the version that does not work is all that is available on the downloads pages. This issue seems to have been around long enough

Can anyone tell me where to get either a working version of the utility or a working set of instructions? The links in this post did not work for me

Thanks

Rookie36 · ‎2023-06-02

Can this link be reshared I am having the exact same issue trying to import certs by our CA. I am looking for older version of this utility and link is not working anymore

@BillP just tagging so if you can help me with new link for the older version of NMC

lloydsmart · ‎2023-10-06

Please can this version 1.0.0 be re-shared? I'm having the exact same problem trying to run:

.\NMCSecurityWizardCLI.exe --import -o PROPERCERT -s certnew.cer -p MYCSR

NMC Security Wizard Command Line Utility v1.0.1
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
   at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
   at NMCSecurityWizardCLI.Program.Main(String[] args)

KingDwight · ‎2023-10-11

I am seeing "This shared file or folder link has been removed or is unavailable to you." when clicking on the link you provided. Can you provide a new link to the 1.0.0?

CourtKPrin · ‎2023-10-16

I started a ticket with support to get 1.0.0. It does not do the -3 bad argument exception error like on 1.0.1, but then the UPS gets stuck on "loading certificate..." after uploading the cert. I'm using Windows CA on Windows 2019 and I read it has to do with the RSA.

gustavohellwig · ‎2023-11-14

Hi. How do I have access to version 1.0.0 or 1.0.4, which in this case works? I can't find that.

gustavohellwig · ‎2023-11-14

Can someone share the link for version 1.0.0 or 1.0.4 or another one that works? Than you.

josbot5070 · ‎2023-11-14

I am having this issue and with no way to install the 1.0.0 are we just supposed to use the http? That is not really an acceptable answer

CourtKPrin · ‎2023-11-15

Create a ticket to get 1.0.0.

I am using Windows 2019 as the CA and its hash algorithm is configured with SHA384 and it doesn't work with 1.0.0.

gustavohellwig · ‎2023-11-17

I did, but no feedback yet. Can you send me a link?

I'll use a LetsEncrypt wildcard cert for all my UPSs.

josbot5070 · ‎2023-11-17

CourtKPrin are right I had to create a ticket in order to receive NMCSecurityWizard 1.0.0 and that resolved my issue. I now see the results as:

NMC Security Wizard Command Line Utility v1.0.0
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------
Certificate's Issuer Information:
Common Name: <Whatever info you put for this>

Certificate's Subject Information:
Common Name: <Common Name you selected>
Country: US
Valid From: 11/17/2023 (GMT)
Valid To: 11/16/2024 (GMT)

Certificate's General Information:
Serial Number: <long ##:##:.....>
SHA1 Thumbprint: <long ##:##:.....>

[*] Importing certificate 'cert.p15' has successfully completed.

I have been working with a very nice person named Cholo great person I would highly recommend. He also got me setup on a self signed cert until we worked out the error I was having with NMCSecurityWizard.

MrInOut · ‎2023-12-13

Hi everyone,

could someone provide me the version 1.0.0?

I asked support but did not got anything.

Regards,

Mr. InOut

Rookie36 · ‎2023-12-14

Here it is, I got this almost an year back from support

Rookie36 · ‎2023-12-14

Attaching the version 1 here

MrInOut · ‎2023-12-15

Thanks

morethanthesky · ‎2024-01-30

I had zero luck with the wizards from APC, so finally used Digicert Utility and OpenSSL.

I used digicerts utility to create the CSR from my laptop, which means the private key was from the laptop.

Made the cert template on the CA by duplicating the template for "Web Server" and changed the expiration date to 10 years out (because who wants to do this twice). I downloaded the cert from the /certsrv/ page on the MSFT CA as a Base 64 .cer.

I then opened OpenSSL and exported the key as a PKCS8 with this command line:

openssl genpkey -out C:\rsakey.pem -algorithm RSA -pkeyopt rsa_keygen_bits:2048

Finally after a day of struggling with it, it accepted the cert. But now I have to figure out how to get it to use the cert for the web interface. I imagine it has to do with EAPoL/802.1X Access? What do you put as the "Supplicant Identifier"?

CourtKPrin · ‎2024-06-19

I had posted back in November that, "I am using Windows 2019 as the CA and its hash algorithm is configured with SHA384 and it doesn't work with 1.0.0." I recently recreated our PKI and went to a two tier Windows CA with SHA256. I'm now able to create certs which are accepted by the NMC. This works with AP9631 running 7.1.2 and AP9641 running 2.5.0.6.

I want to add that I was able to create a cert with additional DNS names using an INF file. I was able to append the root and sub chain to the cert before doing the import process. I read that the Web Server default template had to be used, but I confirmed that I was able to make a duplicate and still use it. To get it to show available in certsrv, I created the duplicate, made no changes, saved it, renamed it, changed the compatibility to 2016, and modified the permissions a bit.

Steps:

Create CSR using 1.0.0 utility

NMCSecurityWizardCLI --csr -o <csrfilename> -n <commonname> -c <two-character country> -m <state> -l <city> -g <company> -u <department> -e <supportemail> -i http://<upsfqdn> -d <upshostname>

Create san.inf

[Extensions]
2.5.29.17 = "{text}DNS=<upshostname>&DNS=<upsfqdn>"

Create new CSR

certreq -policy -config "<ca server fqdn>\<ca name>" "<csrfilename>.csr" san.inf "<newfilename>.csr"

Request Certificate

Browse to certsrv, copy and paste contents from <newfilename>.csr, select web server template, submit

Select Base 64 encoded and download cert

Append chain to certificate and save as certnewbundle.cer

Import key into certificate

NMCSecurityWizardCLI --import -o <newcertname> -s certnewbundle.cer -p <keyfile>.p15

Finally, upload <newcertname> to NMC web console

I plan to look at what others have done using alternative tools, because I want the renewal automated since the certs expire yearly.