APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2023-02-28 02:45 PM
I have been Googling like crazy as well as talking to technical support to get information on why when using the NMCSecurityWizardCLI. I was using 1.0.1 as well as 1.0.4. Finally had to contact support to access 1.0.0. Here is what I found.
1.0.0 - Works correctly as it should.
1.0.1 - Breaks when trying to --import a certificate. Something is wrong with the csl32.dll.
1.0.4 - It does work but it doesn't include access to SAN objects, which many need.
So even after using 1.0.0 and creating a correct .p15 certificate, when I try to import it into the NMC2 I have on my 8K UPS (the model is AP9537SUM, which is also equivalent to the AP9630/AP9631), the certificate shows "Loading Certificate" forever, just as many posts on the Internet show.
After doing a lot of troubleshooting with support, we found the issue is the Signature Algorithm on my domain. I am running a Windows Server 2019 domain with a CA, and my CA has a 512RSA algorithm enforced. Because of this the import is not working. The NMC2 and NMC3 only support the 256RSA algorithm according to support. I would have to downgrade the security algorithm of my domain to establish a certificate for this device.
I believe this is the issue everyone has been having for the past many years. If you found a way around this, let me know. We don't use OpenSSL and will not install it. We are also running this on an offline network, so Internet access is not usable either.
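A pre-import check for the mismatch described in this post, as an added example that is not part of the original post or of any APC tooling: it reads the CA-issued `.cer` with built-in .NET classes (no OpenSSL, works offline) and reports the signature algorithm, RSA key size and SAN entries. The function name `Test-NmcCertificate` is hypothetical, and the sha256RSA-only rule is an assumption taken from what support told the poster.

```powershell
# Added example, not APC code. Run on the Windows host where the CA-issued
# certificate was saved, before converting it to .p15 with NMCSecurityWizardCLI.
function Test-NmcCertificate {
    [CmdletBinding()]
    param(
        # Path to the certificate returned by the CA (DER or Base64 .cer/.crt)
        [Parameter(Mandatory)][string]$Path
    )

    # Assumption from this thread: support says the NMC accepts sha256RSA only.
    $acceptedSigOid = '1.2.840.113549.1.1.11'   # sha256WithRSAEncryption

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)
    try {
        # Signature algorithm the CA used to sign this certificate
        $sig = $cert.SignatureAlgorithm

        # RSA public key size; $null if the key is not RSA (e.g. ECDSA)
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { $null }

        # Subject Alternative Name extension (OID 2.5.29.17), if present
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '(none)' }

        [pscustomobject]@{
            Subject            = $cert.Subject
            SignatureAlgorithm = $sig.FriendlyName   # e.g. sha256RSA, sha384RSA, sha512RSA
            SignatureOid       = $sig.Value
            RsaKeyBits         = $keyBits
            SubjectAltNames    = $sanText
            NotAfter           = $cert.NotAfter
            SignatureAccepted  = ($sig.Value -eq $acceptedSigOid)
        }
    }
    finally {
        if ($rsa) { $rsa.Dispose() }
        $cert.Dispose()
    }
}

# Usage with the certificate file name mentioned later in this thread:
#   Test-NmcCertificate -Path .\PowerUPS.cer | Format-List
```

A result with `SignatureAccepted : False` (for example `sha512RSA` or `sha384RSA`) matches the cases in this thread where the card stays at "Loading Certificate" and falls back to the APC certificate after a restart.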
Posted: 2023-06-08 08:18 AM
We are seeing this same issue with our NetBotz 250. Is there any guidance on support for sha512RSA, and if the NetBotz 250 will support it?
Our NetBotz 250 has the following:
NMC AP9538
Module v6.8.0
AOS v6.8.2
APC Bootmon v1.0.9
Posted: 2023-06-08 08:48 AM
After talking with Support they told me they have no plans at this time to raise the encryption level or to become FIPS 140-2 compliant.
Posted: 2023-06-08 10:35 AM
Do you have any of that communication that you could provide here? Emails or anything?
Have you done anything since to resolve your issue? Different Hardware/Vendor that does support it?
Posted: 2023-06-09 04:38 AM
Here is the E-Mail I was sent from APC
Date: 2023-03-06
As per the response from the resolving group, currently, no NMC generation is tested to FIPS
compliance. With the NMC2 being discontinued & only critical bug fixes until the product is sunset, we are not
hearing any plans to add FIPS compliance to this platform. As for the NMC3, there was an open feature request
for this, however, there is no ETA that we can provide at the moment.
Thank you,
Schneider Electric | North America | Technical Support
Phone: +1-800-800-4272
Site: www.schneider-electric.com
Also, here is the conversation about troubleshooting the NMC3 and importing a certificate from the CA.
IESSysAdmin (2/28/2023, 2:58:21 PM): I do have some questions about the security functions of this card as well if you can help with that
APC Support (2/28/2023, 3:00:31 PM): still working on it.
IESSysAdmin (2/28/2023, 3:00:40 PM): ok
IESSysAdmin (2/28/2023, 3:00:43 PM): ojk
APC Support (2/28/2023, 3:00:44 PM): sure no problem.
IESSysAdmin (2/28/2023, 3:03:59 PM): Are passwords on this device stored using cryptographic representations?
IESSysAdmin (2/28/2023, 3:04:04 PM): No in plain tenst?
IESSysAdmin (2/28/2023, 3:04:07 PM): Plain Text*
APC Support (2/28/2023, 3:06:35 PM): do you have dropbox account?
IESSysAdmin (2/28/2023, 3:07:53 PM): I got into CLI security version 100 folder but it is empty
IESSysAdmin (2/28/2023, 3:08:33 PM): I got the 1.0.0 version
APC Support (2/28/2023, 3:08:44 PM): Got you.
IESSysAdmin (2/28/2023, 3:08:58 PM): Going to attempt to run this one
IESSysAdmin (2/28/2023, 3:08:59 PM): So
APC Support (2/28/2023, 3:09:04 PM): you may go ahead and try it.
IESSysAdmin (2/28/2023, 3:09:05 PM): Can you answer my password question?
APC Support (2/28/2023, 3:10:32 PM): using cryptographic representations
IESSysAdmin (2/28/2023, 3:12:04 PM): Does it transmit encrypted representation of passwords to authentication servers like RADIUS or TACACS?
APC Support (2/28/2023, 3:12:44 PM): yes that is correct thru radius.
IESSysAdmin (2/28/2023, 3:15:26 PM): Does the device use FIPS 140-2 approved algorithms for authentication to a cryptographic module?
APC Support (2/28/2023, 3:19:15 PM): let me check my resources
IESSysAdmin (2/28/2023, 3:22:20 PM): Ok Great
IESSysAdmin (2/28/2023, 3:27:05 PM): For the NMCSecurityWizard it keeps telling me I have bad arguments for Parameter 3 and 4
APC Support (2/28/2023, 3:27:30 PM): noted let me go ahead and check it.
IESSysAdmin (2/28/2023, 3:30:43 PM): Ok I think I found the correct parameter
IESSysAdmin (2/28/2023, 3:30:45 PM): still trying it
APC Support (2/28/2023, 3:31:17 PM): What is the current version of your device firmware?
IESSysAdmin (2/28/2023, 3:32:47 PM): 7.0.8
APC Support (2/28/2023, 3:33:11 PM): what is the model no and serial no of the unit?
IESSysAdmin (2/28/2023, 3:33:40 PM): the UPS or the NMC?
APC Support (2/28/2023, 3:33:55 PM): the ups.
APC Support (2/28/2023, 3:34:04 PM): Are you trying to create your own certificate?
IESSysAdmin (2/28/2023, 3:34:10 PM): Model: XXXXXXXXXXXXX
IESSysAdmin (2/28/2023, 3:34:12 PM): Serial
IESSysAdmin (2/28/2023, 3:34:18 PM): XXXXXXXXXXXXXXXXX
IESSysAdmin (2/28/2023, 3:34:22 PM): XXXXXXXXXXXXXXXXX
APC Support (2/28/2023, 3:37:24 PM): Thank you.
APC Support (2/28/2023, 3:37:37 PM): Just to confirm are you trying to create your own certificate?
IESSysAdmin (2/28/2023, 3:37:42 PM): yes
IESSysAdmin (2/28/2023, 3:37:45 PM): I am on the last step of import
IESSysAdmin (2/28/2023, 3:37:47 PM): standby
APC Support (2/28/2023, 3:38:13 PM): Sure no problem.
IESSysAdmin (2/28/2023, 3:38:15 PM): Thanks
IESSysAdmin (2/28/2023, 3:39:04 PM): Ok so I imported it and current status is "Loading Certificate"
APC Support (2/28/2023, 3:39:18 PM): I see, thanks for your update.
IESSysAdmin (2/28/2023, 3:42:48 PM): it is still stuck at Loading Certificate
IESSysAdmin (2/28/2023, 3:43:27 PM): Does it ever change?
IESSysAdmin (2/28/2023, 3:44:15 PM): I did a 2048 key
IESSysAdmin (2/28/2023, 3:44:19 PM): should I have done a 1024 key?
APC Support (2/28/2023, 3:45:31 PM): While you can generate a 1024-bit key, it is highly recommended you generate a 2048-bit key,
which provides complex encryption and a higher level of security.
IESSysAdmin (2/28/2023, 3:45:46 PM): Ok How long will it take to "Load" the certificate?
APC Support (2/28/2023, 3:47:50 PM): it might take 10 to 15 mins.
IESSysAdmin (2/28/2023, 3:47:55 PM): ok I will wait
IESSysAdmin (2/28/2023, 3:48:03 PM): Any update on the FIPS 140-2 question?
APC Support (2/28/2023, 3:53:11 PM): still working, but I don't think you can use FIPS
IESSysAdmin (2/28/2023, 3:53:19 PM): It's not if I can or not
IESSysAdmin (2/28/2023, 3:53:23 PM): It's if the device complies
APC Support (2/28/2023, 3:58:02 PM): our device is not compliant with FIPS 140-2.
IESSysAdmin (2/28/2023, 3:58:37 PM): Is SSH on the device V2?
APC Support (2/28/2023, 3:59:16 PM): Yes that is correct.
IESSysAdmin (2/28/2023, 3:59:57 PM): Awesome
APC Support (2/28/2023, 4:00:06 PM): V2 you mean version 2 is that correct?
IESSysAdmin (2/28/2023, 4:00:27 PM): Correct
APC Support (2/28/2023, 4:02:34 PM): Is there anything else that I can further assist you with today?
IESSysAdmin (2/28/2023, 4:02:34 PM): Still saying Loading Certificate
APC Support (2/28/2023, 4:02:42 PM): can you try to restart it?
IESSysAdmin (2/28/2023, 4:02:50 PM): Sure one sec
IESSysAdmin (2/28/2023, 4:03:02 PM): Rebooting...
APC Support (2/28/2023, 4:04:21 PM): Alright, thanks for the update
IESSysAdmin (2/28/2023, 4:05:03 PM): Checking the certificate. It's loading the APC certificate and not my certificate
APC Support (2/28/2023, 4:07:33 PM): I see, did you already try to restart it?
IESSysAdmin (2/28/2023, 4:07:49 PM): yes
APC Support (2/28/2023, 4:09:45 PM): what is the name of the third party cert that you're using?
IESSysAdmin (2/28/2023, 4:12:23 PM): Name?
IESSysAdmin (2/28/2023, 4:12:27 PM): Like the file?
APC Support (2/28/2023, 4:13:36 PM): Can you send us a screenshot?
IESSysAdmin (2/28/2023, 4:13:45 PM): Of what?
IESSysAdmin (2/28/2023, 4:14:03 PM): my CSR was PowerUPS.csr
IESSysAdmin (2/28/2023, 4:14:12 PM): and it created a PowerUPS.p15
IESSysAdmin (2/28/2023, 4:14:27 PM): Got my certificate from my CA
IESSysAdmin (2/28/2023, 4:14:36 PM): File is PowerUPS.cer
IESSysAdmin (2/28/2023, 4:14:47 PM): When I did the --import it made a PowerUPSCert.p15
IESSysAdmin (2/28/2023, 4:15:02 PM): NMCSecurityWizard says that it was created successfully
APC Support (2/28/2023, 4:18:30 PM): I just want to confirm that you use the method 3 from the handbook security wizard is that correct?
IESSysAdmin (2/28/2023, 4:19:34 PM): yes
IESSysAdmin (2/28/2023, 4:19:38 PM): created a CSR
IESSysAdmin (2/28/2023, 4:19:41 PM): imported into my CSR
IESSysAdmin (2/28/2023, 4:19:51 PM): used NMCSecurityWizard to make the certificate
APC Support (2/28/2023, 4:20:52 PM): Use the NMC Security Wizard CLI utility to create a request (a .csr file) to send to a Certificate Authority.
The Certificate Authority returns a signed certificate (a .crt file or .cer file typically) based on information
you submitted in your request. You then use the NMC Security Wizard CLI utility to create a server
certificate (a .p15 file) that includes the signature from the root certificate returned by the Certificate
Authority. Upload the server certificate to the Management Card or device.
IESSysAdmin (2/28/2023, 4:21:10 PM): yes
IESSysAdmin (2/28/2023, 4:21:13 PM): should I try one more?
APC Support (2/28/2023, 4:21:37 PM): yes please.
IESSysAdmin (2/28/2023, 4:23:44 PM): Trying again standby
APC Support (2/28/2023, 4:25:26 PM): Sure take you, thank you.
IESSysAdmin (2/28/2023, 4:25:33 PM): Almost done
IESSysAdmin (2/28/2023, 4:25:44 PM): Oh says it was created successfully
IESSysAdmin (2/28/2023, 4:25:49 PM): trying the import
APC Support (2/28/2023, 4:26:41 PM): Thanks for the update
IESSysAdmin (2/28/2023, 4:28:12 PM): Loading certificate....
IESSysAdmin (2/28/2023, 4:30:27 PM): So now I have to wait 10-15 minutes?
APC Support (2/28/2023, 4:30:50 PM): yes , is it still loading?
IESSysAdmin (2/28/2023, 4:31:05 PM): yes
APC Support (2/28/2023, 4:33:08 PM): Thanks, let just wait then.
IESSysAdmin (2/28/2023, 4:33:16 PM): ok
IESSysAdmin (2/28/2023, 4:37:41 PM): While we wait
APC Support (2/28/2023, 4:39:10 PM): Still waiting.
IESSysAdmin (2/28/2023, 4:39:30 PM): Still Says "Loading Certificate"
APC Support (2/28/2023, 4:39:47 PM): can you send me a screenshot of it?
IESSysAdmin (2/28/2023, 4:40:00 PM): of it saying "Loading Certificate"?
APC Support (2/28/2023, 4:40:06 PM): yes please
IESSysAdmin (2/28/2023, 4:40:48 PM): one sec
APC Support (2/28/2023, 4:48:03 PM): Thank you, can you restart the network card now?
IESSysAdmin (2/28/2023, 4:48:17 PM): Ok Restarting...
IESSysAdmin (2/28/2023, 4:51:43 PM): it reloaded the APC certificate
IESSysAdmin (2/28/2023, 4:51:49 PM): why will it not accept mine?
APC Support (2/28/2023, 4:52:27 PM): you mean it does not accept the cert that you uploaded is that correct?
IESSysAdmin (2/28/2023, 4:52:39 PM): yes. it keeps loading the APC cert
APC Support (2/28/2023, 4:57:25 PM): what is the third party certificate that you use?
IESSysAdmin (2/28/2023, 4:58:13 PM): Third party certificate? It's a certificate made by my Domain CA
IESSysAdmin (2/28/2023, 4:58:21 PM): it's a webserver certificate
APC Support (2/28/2023, 5:00:53 PM): I see got you.
APC Support (2/28/2023, 5:01:34 PM): I am still checking to see what is going on and why it is showing it still loading even though you successfully uploaded it right.
IESSysAdmin (2/28/2023, 5:01:49 PM): Thanks
APC Support (2/28/2023, 5:14:17 PM): what was the certificate's signature algorithm that you use?
IESSysAdmin (2/28/2023, 5:14:49 PM): SHA512RSA
IESSysAdmin (2/28/2023, 5:15:04 PM): Also should the Device have 6.5.0 or 7.0.8 ?
IESSysAdmin (2/28/2023, 5:15:17 PM): Considering it's a XXXXXXXX
APC Support (2/28/2023, 5:15:34 PM): 7.0.8 is fine because it's the most updated firmware.
IESSysAdmin (2/28/2023, 5:15:46 PM): Ok just checking
APC Support (2/28/2023, 5:16:33 PM): Our NMC officially supports sha256RSA only.
IESSysAdmin (2/28/2023, 5:16:44 PM): hmmmm ok
IESSysAdmin (2/28/2023, 5:16:55 PM): how do I set it to change that support
IESSysAdmin (2/28/2023, 5:16:56 PM): hmm
APC Support (2/28/2023, 5:18:41 PM): You have to check with your certificate authority.
IESSysAdmin (2/28/2023, 5:19:04 PM): Ok let me check a few things
APC Support (2/28/2023, 5:23:55 PM): Thank you.
IESSysAdmin (2/28/2023, 5:24:25 PM): I need to see how to make CA make a 256 RSA then I guess that is the issue
IESSysAdmin (2/28/2023, 5:25:32 PM): ok so our entire domain uses a 512RSA
IESSysAdmin (2/28/2023, 5:25:40 PM): I would have to downgrade to support this device
IESSysAdmin (2/28/2023, 5:25:49 PM): does the NMC3 support 512RSA?
APC Support (2/28/2023, 5:27:12 PM): For now it only supports 256 RSA
IESSysAdmin (2/28/2023, 5:27:27 PM): Jeez ok. that is a problem
IESSysAdmin (2/28/2023, 5:27:36 PM): Most new Windows CAs support 512 or higher
IESSysAdmin (2/28/2023, 5:27:52 PM): Ok that is the problem I think
APC Support (2/28/2023, 5:31:37 PM): I see, you have to check with your CA provider if they can generate sha256RSA.
IESSysAdmin (2/28/2023, 5:33:22 PM): Yeah. Ok Thanks for the help. Answered a lot of questions.
As per resolving the issue, we can't resolve it as it is not supported by the hardware. It will need new hardware for a FIPS compliance Device and a firmware upgrade. I haven't yet looked into Different Hardware/Vendor but looking at some we have like EATON they aren't much different.
Posted: 2023-10-16 03:25 PM
I'm seeing the "loading certificate..." message too. My Windows CA uses SHA384. I bought a brand new SCL500RM1UNC which runs firmware for the NMC2. This is a built-in card. Is it posted somewhere the NMC2 is discontinued?
Posted: 2023-10-17 04:24 AM
It's displayed here for the AP9630.
https://www.apc.com/us/en/product/AP9630/apc-ups-network-management-card-2/
Check the page for your card.
Posted: 2023-10-17 06:27 AM
Ok. I see that the AP9630 is discontinued, but I'm hoping it's just that card model and not all NMC2 cards. I do see an AP9635 NMC2 card for sale on their site.