Issuing and uploading Windows PKI Issued SSL Certificate to Smart-UPS

Alexg · ‎2022-11-07

Hello All. I've recently deployed three Smart-UPS 2200 with NMC3 to a site. For the life of me I cannot get the NMC3 to accept the uploaded certificate. Using NMC CLI tool, I am successfully able to combine the CRT file with the private key into its own .p15 file. I upload that file into the browser and hit apply, and about 6 seconds later the page can no longer be resolved. Luckily I had enabled HTTP so I could go in and remove the last SSL certificate uploaded.

I've found a few posts here and there and tried to piece everything together, but not only would it benefit me, it'd benefit others if we have clear instructions for Windows PKI. Here are the steps I am following:

On a non-domain joined computer (VPN connectivity to AD network) I have the NMCSecurityWizard.exe (v100) available in a directory. Using Command Prompt, I change directory to the folder that holds the exe. I issue the following:

The below generates a private key and CSR.

1. NMCSecurityWizard.exe --csr -o ups01 -n ups01 -c US -m NY -l "New York City" -g "Some, Inc." -u "IT Dept" -i https://ups01.domain.com -d ups01.domain.com -k 1024

I rename the private key (.p15) to ups01key.p15

2. Copy/Paste contents of ups01.csr to Windows ADCS Web Enrollment Server. (Base64 certificate request - Web Server (default) template)

3. Download certificate in base64 encoded format which downloads it to .CER file. Rename it to .CRT. Verify no whitespace before ----BEGIN CERTIFICATE----.

4. Copy certificate (ups01.crt) to directory where NMCSecurityWizard.exe is located. Run the following to combine with key:

5. NMCSecurityWizard.exe --import -o ups01completecert -s ups01.crt -p ups01key

This creates ups01completecert.p15

6. Sign into web UI of UPS and navigate to Config > Network > Web > SSL Cert.

7. Upload ups01completecert.p15 and click 'Apply'

Step 7 is where everything goes wrong. I'm using a default Web Server template which is the only dang template that will work (what's that all about) anyways. Anyone have any advice?

Alexg · ‎2022-11-08

Another interesting thing to note is that I tried using the APC Security Wizard to generate the CSR, and then combine the certificate and private key. Same issue.

Alexg · ‎2022-11-08

I just chatted in with Support and word for word they said "even if it is a valid certificate, NMC can only be accessed through HTTPS through the generic APC certificate"....what?

Alexg · ‎2022-11-13

I found a solution, I'll post it here tomorrow. It's so ridiculous that such an archaic template must be used (original Web Server) and even duplicating it just to rename will cause issues.