Private Key import in EAPOL configuration wizard throws "Bad key / Certificate" error (NMC2 and 3)

APC UPS Data Center & Enterprise Solutions Forum

Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.

Solved
radiognomebbq
Cadet

Posted: 2024-09-16 09:35 PM

Hello,

I am configuring 802.1X / EAP-TLS in our network, and both NMC2 and NMC3 cards refuse to cooperate. Every time I try to import a private key in the EAPOL configuration wizard, I get a "Bad key / Certificate" error. I've tried different formats, names, everything I could think of, with the same result.

Cards I've tried to configure: AP9631 (v7.1.2) and AP9641 (v2.5.0.6 / 2.5.0.8)

I've configured a number of different devices before, from printers to NVRs and IP cameras, and I never had a problem like this.

I've seen a topic here about the same problem marked "Solved", but there was no working solution in it. Or, perhaps, I failed to see it.

Is there any known solution to this? Thank you.

Accepted Solutions
KarimEissa
Commander
Posted: 2025-02-11 10:45 PM

Hello,

I have not tried this myself due to the available resources that we have. However, we have shared the document attached to end-users/customers to configure this, and they were able to successfully configure EAPoL/802.1x.

One difference I noticed between these instructions and what the customer has done is how the certificates are loaded to the NMC (web vs FTP), as well as enabling it via CLI.

Ensure the NMC firmware is updated as per the below:

  • The firmware of your card is outdated, and the latest version is available on our website.
  • Visit our website and download the firmware specific to your UPS model/family.
  • Use the image provided on the website to ensure you download the correct firmware.

Removing bag attributes from the public certificate:

  • The public certificate generated contains 'bag attributes' (anything above -----BEGIN CERTIFICATE-----).
  • Manually edit the certificate using a text editor and remove these attributes before uploading it to the NMC3, as it doesn't accept them.

If you are using the NMC Security Wizard CLI to generate the certificate, ensure you download the latest version from our website; you can try version 1.0.0 and see if the issue is the same.

You can always contact your local CCC team and register a case for more investigation if the issue still persists.

Regards,

Karim

Replies 5
fiwi221
Cadet
Posted: 2025-02-10 07:15 AM

Did you ever find a solution here? I had a go at it last year but couldn't get it to take the client cert and key, regardless of formats for the certs. I was seeing the same errors as you, also running v2.5.0.6 on NMC3s.

fiwi221
Cadet
Posted: 2025-02-13 01:54 AM

I tried the steps from the document but still face issues with the certs. NMC3 is up to date (v2.5.3.2).

I can upload certs and key over FTP or SCP, and it seems the CA cert is OK (it says it's OK in the web GUI and CLI), but it will just not accept the private key and client cert. Normally the private key will stay in the directory, but the client cert immediately disappears after copying; then when I reboot the NMC the private key file is gone too.

Is there any more info you have around how the private keys are generated? I'm using OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022).

Or do you have any more information on how the clients that have this working generated the private key and certs?

I don't think the NMC Security Wizard CLI can be used here as the private keys it generates are in .p15 format.

Here is what I use to create the private key and CSR:

openssl req -new -nodes -newkey rsa:4096 -keyout privatekey.key -out cert-csr.csr

It's then signed by a Windows CA.

I've tried converting said private key to both DER and PEM format with a .key extension. Also, when adding the key via the web I get different errors depending on whether it's a PEM or DER formatted key. Both are RSA and not encrypted.

PEM private key error in web:

  Please complete or correct the fields highlighted in bold red below
  • Invalid/No Certificate.
  Certificate Format Error (file name: key-rsa-format2.key)

DER private key error in web:

  Bad Key/Certificate (file name: PrivateKey.key)

And in CLI all I ever see is:

Active EAPoL Settings
--------------------

Status: disabled
Supplicant Name: EU-NLDOE-IDF3-UPS01
Passphrase: <not set>
CA file Status: Valid Certificate
Private Key Status: File not found
Public Key Status: File not found
Result: Failed

apc>eapol -S enable
E108: EAPoL disabled due to invalid/encrypted certificate

I have also reached out to local support to get a case going about this.

Shaun
Commander
Posted: 2025-02-17 08:07 AM

Hi @fiwi221,

I haven't worked with this for some years, but I did keep some notes from testing this with openssl & freeradius:

# Create a private key
# Doing this separately from REQ so we can specify the pkcs format
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -des3 -out testcard.key -pass pass:supersecretpassword

# Create a signing request
openssl req -new -out testcard.csr -key testcard.key -config conf/eap-client.cnf

My memory is hazy on exactly why this was done in two steps instead of using `--keyout` during `req` - but I am lazy enough that I'm positive it wasn't for fun.

My eap-client.conf has:

[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = supersecretpassword
output_password = supersecretpassword
req_extensions = v3_req

[ v3_req ]
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://example.com/crl.pem

[client]
countryName = IE
stateOrProvinceName = Galway
localityName = Galway
organizationName = Lab
emailAddress = user@example.org
commonName = "Test Supplicant"

I don't recall how much of this was so I could automate CSRs without input, and how much was actually necessary - but I suspect `clientAuth` is there for a good reason because my CA scripts go to some effort to propagate v3_req into the signing, which again isn't something I'd do for fun.

I also believe I had problems with 4096-bit client certs (not CA certs) and was using 2048 for a reason. This was approx. 5 years ago, so I don't know if that's changed.

Hopefully these notes are of some use.

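As an added example, not code from this thread or from Schneider Electric/APC: the script below reproduces the recipe that worked in the replies above (the two-step key and CSR generation with a v3_req/clientAuth section, as in Shaun's notes) together with the bag-attribute removal from Karim's accepted answer, and then runs the checks a practitioner would want before uploading anything to the card. It uses a throwaway lab CA in place of the Windows CA so it runs offline; the file names, the CA name, the "Bag Attributes" header it constructs, and the placeholder passphrase are assumptions of this example. The v3_req section is re-applied at signing, as the reply's CA scripts did, so clientAuth ends up in the issued certificate and not only in the request.

```shell
#!/bin/sh
# Added example (not from the thread or from Schneider/APC): reproduces the
# recipe that worked above (passphrase-protected PKCS#8 key via genpkey, CSR
# with a v3_req/clientAuth section, v3_req carried into the signed cert), signs
# with a throwaway lab CA standing in for the Windows CA so it runs offline,
# strips "Bag Attributes" as Karim's post describes, and runs pre-upload checks.
# All file names, the CA name and the passphrase are assumptions of this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-supersecretpassword}"   # placeholder; use -passin file: in real use

# Request config: same [req]/[v3_req] layout as the notes above, plus a v3_ca
# section so the lab CA gets basicConstraints (openssl verify rejects a v3 root
# without it).
write_req_config() {
    cat > "$WORK/eap-client.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
req_extensions = v3_req

[ v3_req ]
extendedKeyUsage = clientAuth

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ client ]
countryName = IE
organizationName = Lab
commonName = Test Supplicant
EOF
}

# Throwaway CA (stand-in for the Windows CA; lab use only).
make_lab_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days 30 -subj "/CN=Lab EAP CA" \
        -config "$WORK/eap-client.cnf" -extensions v3_ca -out "$WORK/ca.pem" 2>/dev/null
}

# Steps 1 and 2 from the notes: encrypted PKCS#8 key first, then the CSR.
make_supplicant_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -des3 \
        -pass "pass:$PASS" -out "$WORK/supplicant.key" 2>/dev/null
    openssl req -new -key "$WORK/supplicant.key" -passin "pass:$PASS" \
        -config "$WORK/eap-client.cnf" -out "$WORK/supplicant.csr" 2>/dev/null
}

# Sign, re-applying the v3_req section so clientAuth ends up in the certificate
# (a CA that ignores the CSR's requested extensions would otherwise drop it).
sign_supplicant_cert() {
    openssl x509 -req -in "$WORK/supplicant.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/eap-client.cnf" -extensions v3_req \
        -out "$WORK/supplicant.pem" 2>/dev/null
}

# Karim's point: nothing may precede -----BEGIN CERTIFICATE-----. Keep only the
# PEM block, dropping "Bag Attributes"/subject=/issuer= lines.
strip_bag_attributes() {   # usage: strip_bag_attributes in.pem out.pem
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" > "$2"
}

# Pre-upload checks; each returns 0 on pass so the upload can be gated on them.
check_key_is_encrypted_pkcs8() {
    [ "$(head -n 1 "$WORK/supplicant.key")" = "-----BEGIN ENCRYPTED PRIVATE KEY-----" ]
}
check_key_matches_cert() {   # compare SubjectPublicKeyInfo digests of key and cert
    k=$(openssl pkey -in "$WORK/supplicant.key" -passin "pass:$PASS" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$WORK/supplicant.pem" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}
check_client_auth_eku() {
    openssl x509 -in "$WORK/supplicant.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}
check_no_text_above_begin() {   # usage: check_no_text_above_begin file.pem
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE-----" ]
}
check_chain() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/supplicant.pem" >/dev/null 2>&1
}

write_req_config
make_lab_ca
make_supplicant_key_and_csr
sign_supplicant_cert
# Constructed input: the header a PKCS#12 export would put above the PEM block.
{ printf 'Bag Attributes\n    friendlyName: supplicant\nsubject=CN=Test Supplicant\n'
  cat "$WORK/supplicant.pem"; } > "$WORK/supplicant-with-bag.pem"
strip_bag_attributes "$WORK/supplicant-with-bag.pem" "$WORK/supplicant-upload.pem"

if check_key_is_encrypted_pkcs8 && check_key_matches_cert && check_client_auth_eku \
   && check_no_text_above_begin "$WORK/supplicant-upload.pem" && check_chain; then
    echo "ready to upload: $WORK/ca.pem $WORK/supplicant-upload.pem $WORK/supplicant.key"
else
    echo "pre-upload checks failed; do not upload" >&2
    exit 1
fi
```

Run it with sh and openssl on the path; WORK and PASS can be set in the environment. The thread does not say whether the card requires the private key to be passphrase-protected: the recipe that worked used one, and the CLI output above lists a Passphrase setting, so keep the two consistent if you follow it. When a real CA issues the certificate, run the same EKU check on what it returns, since a CA may apply its own template rather than the extensions requested in the CSR.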

fiwi221
Cadet
Posted: 2025-02-24 02:09 AM

@Shaun

Thanks, your example of how to create the key has helped progress. When following your example, generating the key separately and using the "v3_req" in the config file, I can now load the certs in via the web interface and they are all accepted! I also tried with 4096-bit certs and that seems to work: the certs upload and show as accepted.

I'm still facing issues with the NAC giving some SSL/handshake errors, but I think that's more something on the NAC configuration side that I am working through now.

© 2025 Schneider Electric