Enterprise Certificates And Format

IESSysAdmin · ‎2025-01-15

I am trying to create a valid certificate for my NMC3 (AP9641). Using the Configuration > Security > SSL Certificates page, I updated my CA certificate as a .cer. The site says it is a valid certificate. I made a web certificate with the HOSTNAME as the CN and the FQDN name for the CN. I updated it to the NMC and it says the certificate is invalid. I removed the Self Signed Certificate for APC and reloaded so it used the issued Web Certificate from the CA. I have the CA installed on my machine. When I go to access the NMC it gives me one of 2 errors. ERR:COMMON_NAME_INVALID or ERR:CA_AUTHORITY_INVALID. The certificate that I can see from the NMC shows the cert from the CA but does not show the CA in the Hierarchy.

Am I missing something when creating the certificate and issuing it or accessing it? I am trying to make it a trusted certificate when accessing the NMC.

KarimEissa · ‎2025-02-17

Hello,

Use the NMC Security Wizard CLI utility to create a CA certificate and a server certificate (Method 2)
Use the NMC Security Wizard CLI utility to create two digital certificates:
• CA root certificate (Certificate Authority root certificate) that the NMC Security Wizard CLI utility uses to
sign all server certificates and which you then install into the certificate store (cache) of the browser of
each user who needs access to the Management Card or device.
• A server certificate that you upload to the Management Card or device. When the NMC Security Wizard
CLI utility creates a server certificate, it uses the CA root certificate to sign the server certificate.
The Web browser authenticates the Management Card or device sending or requesting data:
• To identify the Management Card or device, the browser uses the Common Name or Subject Alt Name
(IP address or DNS name of the Management Card or device) that was specified in the server
certificate’s distinguished name when the certificate was created.
• To confirm that the server certificate is signed by a “trusted” signing authority, the browser compares the
signature of the server certificate with the signature in the root certificate cached in the browser. An
expiration date confirms whether the server certificate is current.

Because the certificates do not have the digital signature of a commercial Certificate Authority, you must load a root certificate individually into the certificate store (cache) of each user’s browser. (Browser manufacturers
already provide root certificates for commercial Certificate Authorities in the certificate store within the browser

There are various method to create CA certificates, you can use method 3 as listed in Page 13 in the below link

https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-BDYD7K_EN&p_enDocType=Quick+start+g...

I had attached some guides that explain the SSL certificates creation

Regards,

Karim

See Answer In Context

KarimEissa · ‎2025-02-17

Hello,

Use the NMC Security Wizard CLI utility to create a CA certificate and a server certificate (Method 2)
Use the NMC Security Wizard CLI utility to create two digital certificates:
• CA root certificate (Certificate Authority root certificate) that the NMC Security Wizard CLI utility uses to
sign all server certificates and which you then install into the certificate store (cache) of the browser of
each user who needs access to the Management Card or device.
• A server certificate that you upload to the Management Card or device. When the NMC Security Wizard
CLI utility creates a server certificate, it uses the CA root certificate to sign the server certificate.
The Web browser authenticates the Management Card or device sending or requesting data:
• To identify the Management Card or device, the browser uses the Common Name or Subject Alt Name
(IP address or DNS name of the Management Card or device) that was specified in the server
certificate’s distinguished name when the certificate was created.
• To confirm that the server certificate is signed by a “trusted” signing authority, the browser compares the
signature of the server certificate with the signature in the root certificate cached in the browser. An
expiration date confirms whether the server certificate is current.

Because the certificates do not have the digital signature of a commercial Certificate Authority, you must load a root certificate individually into the certificate store (cache) of each user’s browser. (Browser manufacturers
already provide root certificates for commercial Certificate Authorities in the certificate store within the browser

There are various method to create CA certificates, you can use method 3 as listed in Page 13 in the below link

https://download.schneider-electric.com/files?p_Doc_Ref=SPD_CCON-BDYD7K_EN&p_enDocType=Quick+start+g...

I had attached some guides that explain the SSL certificates creation

Regards,

Karim