APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
We've recently upgraded to IE 10 and have run up against this certificate length security change: Microsoft Security Advisory: Update for minimum certificate key length
I've found this guide on APC's website to create and upload a new certificate into the NMC using the APC Security Wizard: http://www.apcmedia.com/salestools/ASTE-6Z5QF2/ASTE-6Z5QF2_R2_EN.pdf
I have generated the CSR and private key, used our Microsoft AD Certificate Server to generate a new cert based on that CSR, and then downloaded the resulting cert in both DER and Base64 format (the guide doesn't specify which the Wizard wants).
However, when I use the wizard to import the new cert (either the DER or Base64) with the private key, I get "Error importing cert, code: -32" (see attachment).
I haven't been able to find anything to tell me what this error means. Can anyone help?
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
Yes, I agree. The errors are not descriptive at all.
28 characters might be a little long, but I am not sure what I had an issue with previously... it might have been in the 40's.
Let me know if I can help further or answer any other questions.
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
Yep, the blog talks about using the "Web Server" template. That is what I was mainly asking about and just hoping that is the template you were using.
At the bottom, there is a note:
That’s it, you’re now set up with a certificate issued by your Microsoft PKI! I ran into some strange issues when duplicating the “Web Server” template on my CA and attempting to sign certificates with it. The CA would sign them successfully but the APC Security Wizard would error out during the import process with an error -32. I spent a few hours playing with this but was unable to find a solution other than just using the Web Server template.
So, you are using that template? Can I ask - so I know all our options - what Network Management Card(s) model(s) and version(s) you are using? Do you require your own SSL cert on the card, or are you basically trying to do whatever is possible to do a 1024 or higher cert? If that's the case, I am thinking you have some older devices that generate a 768-bit and you have to do it this way, whereas the newer stuff generates 2048.
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
Ah, that bit. The certificate templates are managed by the certificate administrator; in my case, we've got a "(SUB) Web Server SO (1024)" template that I'm using. We don't have one just called "Web Server", and I don't know what settings that blogger had in his "Web Server" template, so I can't check them against our template.
I had kind of assumed that there must be something our cert server is doing to the generated certificate that the Import Wizard doesn't like, but without knowing what error -32 means, I don't know what needs to change.
And yeah, I'm using an older AP9617 NMC on firmware 3.0.2, so I am limited to 1024. However, I'm already using 1024, not 2048, so that's not the problem.
I'd prefer to use our internal cert server if possible so that we don't get "warned" about invalid certs on HTTPS connection. However, if I can't make that work, I'll end up generating a cert directly from the wizard, and make do with having to click "Continue (not recommended)" each time. We've got something like 20 or 30 UPS's around Australia, so if I'm going to do it, I'd rather it was done "correctly" in the first place, rather than having to do this twice. 🙂
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
I understand better now. Bad/unrecognized data format is what -32 means.
What version of the security wizard are you trying? Just want to make sure it's 1.04, which is what is on our website today.
This is a tough one because we can't really tell what it considers "bad", but it is usually with the template or something like that. I've also seen a really long common name cause problems.
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
"Bad/unrecognized data format"? That's... descriptive. 😛
I downloaded the latest version (1.04) off APC's website the other day when I started this process.
The DNS name is only 28 characters long; I assume that's not "really long"?
And yeah, I'd be pretty sure that the problem is with the template, but without knowing what settings it's expecting, I don't know what to change?
I've generated a certificate using the wizard and uploaded it to the UPS, then connected via web browser and downloaded the certificate in .cer format. I can now compare that certificate with the certificate that gets generated by the certificate server, and have found a few key differences. I've forwarded them both off to our security team to see if they can create me a new template with only the fields that the security wizard put in. Hopefully they can shed some light on this. If I find any more info, I'll let you know.
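The comparison described in the post above (wizard-generated certificate against the CA-issued one), as an added example that is not part of the original thread. It assumes the OpenSSL 1.1.1 or later command line; the function names, file names and the 28-character host name are hypothetical, and the two certificates are constructed stand-ins.

```shell
#!/bin/sh
# Added example: summarise the fields the thread suggests comparing
# (key size, signature algorithm, CN length, extension list).

# cert_summary FILE: accepts Base64 (PEM) or binary DER encoding.
cert_summary() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then form=PEM; else form=DER; fi
    text=$(openssl x509 -in "$1" -inform "$form" -noout -text) || return 1
    cn=$(openssl x509 -in "$1" -inform "$form" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= //p')
    echo "key_bits: $(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')"
    echo "sig_alg: $(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)"
    echo "cn_len: ${#cn}"
    # Extension names sit 12 spaces deep under "X509v3 extensions:"; unknown
    # ones (for example Microsoft template extensions) appear as dotted OIDs.
    printf '%s\n' "$text" | awk '
        /X509v3 extensions:/       { e = 1; next }
        /^    Signature Algorithm/ { e = 0 }
        e && /^            [^ ]/   { sub(/^ +/, ""); sub(/: *$/, ""); print "ext: " $0 }'
}

# cert_compare A B: line diff of the two summaries (empty when they match).
cert_compare() {
    a=$(mktemp) b=$(mktemp)
    cert_summary "$1" > "$a" && cert_summary "$2" > "$b" && diff "$a" "$b"
    rc=$?; rm -f "$a" "$b"; return $rc
}

# Constructed sample input: two throwaway self-signed certificates standing in
# for the wizard-generated and CA-issued ones (names and extensions are made up).
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/k1.pem" \
        -out "$d/wizard.pem" -subj "/CN=ups-syd-01.corp.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$d/k2.pem" \
        -out "$d/ca.pem" -subj "/CN=ups-syd-01.corp.example.test" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    # The same certificate in DER, to show both encodings give one summary.
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der"
}

# Demo on the constructed samples; replace the paths with the real files.
tmp=$(mktemp -d) && make_samples "$tmp" && { cert_compare "$tmp/wizard.pem" "$tmp/ca.pem" || true; }
rm -rf "$tmp"
```

Lines prefixed `>` in the output exist only in the second certificate, which gives a concrete list of fields to take to whoever maintains the CA template.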
Posted: 2021-07-01 04:36 AM . Last Modified: 2024-03-05 02:06 AM
Can you check this link out and see if it applies? -> Issuing SSL Certificates to APC Devices from Microsoft PKI | Mike Shellenberger's Blog