Import certificate to NMC without key file in P15 format?

Anonymous user · ‎2021-06-30

I have a number of AP961x management cards (around a dozen) in various pieces of equipment. I also have a valid multi-host wildcard SSL certificate for my domain. The private key and CSR for the wildcard certificate were generated on a Unix system, and I have had no problems installing it on any systems or devices other than the APC management cards.

I have tried to use the APC Security Wizard (version 1.03) to import the certificate, but it insists on the private key being a .p15 file.

I have never encountered the PKCS 15 format elsewhere, and have been unable to locate any utility that would convert a "normal" private key (that begins with "-----BEGIN RSA PRIVATE KEY-----") into the .p15 format.

Even if I was willing to spend the large sum of money for a second multi-host wildcard SSL certificate for the same domain as the one I already have, the APC Security Wizard won't accept *.example.com in the Common Name field when trying to generate a Certificate Signing Request - it pops up an error box saying "Do not use special charactures (sic) such as !, @, #, &, space etc..."

Does anyone have any suggestions as to how to proceed?

Anonymous user · ‎2021-06-30

I found that SSL on the 9619 and below isn't as miserably slow if you disable 3DES, which is the slowest SSL algorithm by far; RC4 is plenty of security. I'm quite surprised that even with the latest firmware AES isn't supported though, that's twice as fast as 3DES and more secure.

And yes, I consider it a major time wasting bug that the APC security wizard never states that 2048 bit keys aren't compatible with 9617/8/9.

Message was edited by: foxyshadis

See Answer In Context

Anonymous user · ‎2021-06-30

I believe I read that manual at some time in the past, but I just reviewed it again. It only talks about a private key in p15 format, and the only program I've ever seen that creates those is the APC Security Wizard. And it won't allow wildcards, as I mentioned in my previous post.

Of course, I may be missing something - if so, feel free to point it out.

Thanks,
Terry

BillP · ‎2021-06-30

i am not an expert on this but have you seen [this guide|http://www.apcmedia.com/salestools/ASTE-6Z5QF2_R2_EN.pdf] at all? I jumped to page 24..

scerazy_apc · ‎2021-06-30

Has anything changed in a year?

And what is the b****y b15 format?

And if wildcard is still impossible to use, how does one issue certificate by own CA (Novell eDirectory)?

Seb

BillP · ‎2021-06-30

no. .p15 is the requirement for the NMC and i don't see it changing. you can download the APC security wizard from apc.com.

there are instructions in the guide I linked to above that explains how to use the wizard with third party CAs and how to create the SSL certificate from that. it is definitely doable, but it just involves using the APC security wizard.

definitely take a look at the guide for step by step instructions but if you have already, let me know what steps are not clear.

thanks.

scerazy_apc · ‎2021-06-30

I can generate CSR using the Wizard & issue certificate based on this CRS by my CA, but at no point I can have private key & certainly NOT in p15 format during such process

This entry:

http://slvrfxms.wordpress.com/2010/05/19/issuing-ssl-certificates-to-apc-devices-from-microsoft-pki/

gives description how to do it with AD CA, I have to check tomorrow, but I think it will be almost identical with Novell eDirectory CA

If there was a way to "convert" wildcard certificate (for which I have .crt & .pem) then it would be even nicer

Seb

Message was edited by: scerazy

BillP · ‎2021-06-30

yes, it will be the same. you create the key when you do the CSR - the output is the CSR file as well as a .p15 key. when you import it later, you browse for that .p15 key you created.

scerazy_apc · ‎2021-06-30

And the end result is... it does not work

The final created certificate signed by my CA is 3,681 bytes & it will NOT get uploaded to the card

I also tested to create certificate ONLY in the Wizard (CA certificate, then SSL server certificate)

The resulting file is the same size & also will NOT upload to the card

Status: Certificate not installed.

So to make it work I had to create CRS with key size 1024 ONLY, then the resulting file was 2,776 bytes & that uploaded fine

And then I can NOT enable https, as it does not render correctly in ANY browser (IE8, Safari 5, FF 3.6.8)
It comes to the Accept Terms, which seems to be over the SSH entry & clicking it actually clicks the SSH entry (total MESSS)

Had to use SSH for enabling SSL, it allowed to do it, but after reboo the web management is SLOOOOWWWWW with SSL enabled, almost unusable!

Had to turn it OFF (waster few hours in a process)

If you ask me it is the most weird way of doing standard SIMPLE things!!!

Seb

BillP · ‎2021-06-30

this must be an NMC1 - AP9617, AP9618, AP9619, based on what you're describing. I am guessing AP9619 based on the distortion you saw on the screen.

the new NMC2 devices - AP9630, AP9631 - have a separate security co-processor to do all of the encryption, etc where you will see absolutely no speed difference, so APC has made the product better. i think the size limitation for the cert is still there though - 3MB or less I think.

scerazy_apc · ‎2021-06-30

Correct, AP9619, totally unusable with SSL

Yes, it seems that the limit is 3 K (not 3 M)

Some info on p15 format (it is PKCS15 format):

http://www.cs.auckland.ac.nz/~pgut001/cryptlib/

http://www.experts-exchange.com/Security/Encryption/Q_24340807.html

ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-15/pkcs15Conformance.pdf

Seb

Message was edited by: scerazy

Anonymous user · ‎2021-06-30

I found that SSL on the 9619 and below isn't as miserably slow if you disable 3DES, which is the slowest SSL algorithm by far; RC4 is plenty of security. I'm quite surprised that even with the latest firmware AES isn't supported though, that's twice as fast as 3DES and more secure.

And yes, I consider it a major time wasting bug that the APC security wizard never states that 2048 bit keys aren't compatible with 9617/8/9.

Message was edited by: foxyshadis