APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-07-01 01:47 AM . Last Modified: 2024-03-06 12:13 AM
I am trying to import an SSL certificate signed by my enterprise PKI and keep getting the following error when I try to import the signed cert:
Error importing cert, code: -32
I am using the APC Security Wizard Version 1.04 and following the instructions listed here: http://mikeshellenberger.wordpress.com/2010/05/19/issuing-ssl-certificates-to-apc-devices-from-micro...
Has anyone had success getting past this error?
Posted: 2021-07-01 01:47 AM . Last Modified: 2024-03-06 12:13 AM
Hi,
I would like to check: does it mean that the APC wizard can only support SSL certs generated from the web server template? I'm trying to create a cert using my only CA template, which is 2048 bit, and the cert is required to be at least 4 years, and I keep getting the error 32. Is there any other way of creating a cert using my own CA template, or is there a minimum requirement for the CA template that is accepted by the wizard?
I did try to create a cert which is 2048 bit with the web server template, which worked but failed again when trying to upload it to the device.
I'm using the AP7723 rack ATS.
Security Wizard tool version 1.04
Thanks in advance.
soong 🙂
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:13 AM
AP7723 has an older NMC1 inside of it. NMC1 devices only support up to 1024 bits. So, you are trying to upload an unsupported bit size to this device to begin with.
Only NMC2 devices support 1024 or 2048 bit.
Our tool supports creating certificate signing requests; you could then provide the certificate signing request to your CA and then import it back via the Security Wizard.
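A pre-import check for the key-size limits given in the reply above, as an added example that is not part of the thread or of APC's tooling. It reads the RSA modulus size from a PEM or DER certificate with a minimal standard-library DER walk; the names `MAX_BITS`, `rsa_bits`, `fits_card`, `enc` and `sample_cert` are hypothetical, and the sample is a constructed, unsigned certificate skeleton with a dummy modulus.

```python
import base64, re
MAX_BITS = {"NMC1": 1024, "NMC2": 2048}  # largest RSA key per card, per the reply above
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def tlv(buf, pos):
    """Parse one DER element at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield the elements packed back to back in buf[start:end]."""
    while start < end:
        element = tlv(buf, start)
        yield element
        start = element[2]

def rsa_bits(cert):
    """RSA modulus size in bits of a PEM or DER X.509 certificate (bytes)."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    _, s, e = tlv(der, tlv(der, 0)[1])           # Certificate -> tbsCertificate
    fields = [f for f in children(der, s, e) if f[0] != 0xA0]  # drop [0] version
    alg, key = children(der, fields[5][1], fields[5][2])       # subjectPublicKeyInfo
    if RSA_OID not in der[alg[1]:alg[2]]:        # AlgorithmIdentifier must be RSA
        raise ValueError("public key is not RSA")
    pub = der[key[1] + 1:key[2]]                 # skip the BIT STRING pad octet
    _, m_s, m_e = tlv(pub, tlv(pub, 0)[1])       # RSAPublicKey -> modulus INTEGER
    return int.from_bytes(pub[m_s:m_e], "big").bit_length()

def fits_card(cert, card):
    """True when the certificate's key is no larger than the card accepts."""
    return rsa_bits(cert) <= MAX_BITS[card]

def enc(tag, body):
    """DER-encode one element; used only to build the constructed sample."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(bits):
    """Constructed, unsigned certificate skeleton with a dummy modulus."""
    n = enc(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    spki = enc(0x30, enc(0x30, enc(0x06, RSA_OID) + enc(0x05, b""))
               + enc(0x03, b"\x00" + enc(0x30, n + enc(0x02, b"\x01\x00\x01"))))
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") * 4 + spki)
    return enc(0x30, tbs + enc(0x30, b"") + enc(0x03, b"\x00"))
```

For a real certificate, pass the file's bytes, for example `fits_card(open("card.cer", "rb").read(), "NMC1")`, where `card.cer` is a placeholder file name.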
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:13 AM
Hi,
Thanks for the reply.
I would like to check: is there any way I can get the official information that "the 7723 had an old NMC1 card that support only 1024 bit", as I browse through the device spec.
Regarding the CA template, does it mean that the tools only generate based on the CA web template?
Regards
Soong
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:13 AM
Here is the document that talks about key sizes: http://www.apcmedia.com/salestools/VAVR-5ZJSVU_R2_EN.pdf
I am also not sure what you mean by "regarding the CA template does it mean that the tools only generate base on the CA web template?" - I can tell you what our APC Security Wizard does, but I am not sure about your own CA root authority.
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
I operate a (bogus) local root authority and use it with the APC cards. In fact, the lack of support for wildcard certificates (*.example.com) was the original impetus for setting up the local root authority, since I didn't want to pay per card for dozens of cards. Here are the relevant snippets of my internal documentation, sanitized by removing identifying info. Note that it is written in a rather snarky tone, as I was feeling snarky when I wrote it...
For some reason the forum mis-displays the text I pasted, so I'll attach it as a file.
Message was edited by: Terry Kennedy
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
On a case-by-case basis, we are able to support wildcard certificates with a special tool.
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
It would be good if this was noted somewhere - I went through this whole mess here 3.5 years ago...
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
We handle it on a case-by-case basis. Initially a new firmware was created for certain users with thousands of devices, but I think the next public revision of the APC Security Wizard will advertise this. The tool is not public just yet, though, but I have a copy.
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
This refers to unrecognized data format - this relates to step 5 on the link you provided.
Did you see the blurb at the bottom of that web page from the author?
I ran into some strange issues when duplicating the “Web Server” template on my CA and attempting to sign certificates with it. The CA would sign them successfully but the APC Security Wizard would error out during the import process with an error -32. I spent a few hours playing with this but was unable to find a solution other than just using the Web Server template.
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
That did it!
I should have read that blurb a little more closely. It should be noted that the default webserver template does not seem to allow me to add a Subject Alternative Name to the certificate. This would be nice to allow me to access the device using NETBIOS name and FQDN without certificate errors.
Posted: 2021-07-01 01:48 AM . Last Modified: 2024-03-06 12:12 AM
As of 1/29/2018, APC has NOT corrected any of the issues detailed above and with wildcard certificates on their Network Management Card 2. I used the latest (as of 1/2018) card firmware v6.5.0 and the latest APC Security Wizard 1.04. I opened a ticket with APC. APC support didn't know anything about the special tool that would allow for wildcard certificates mentioned above. With the APC Security Wizard 1.04 you can create a self-signed certificate using 'CA Root Certificate', then 'SSL Server Certificate' (use a different Common Name). Install the self-signed certificate onto the Management Card 2 by going to Configuration | Network | Web | SSL Certificate. The self-signed certificate isn't a great workaround. Also, the web certificate won't work for SSL/TLS encrypted emails. You need to install an additional email certificate, and it appears self-signed certificates won't work here.
APC really need to put some effort into securing their Network Management 2 cards and providing better documentation. At least with the new firmware SNMPv3 is supported.