Problem creating certificate for UPS NMC

This was originally posted on APC forums on 11/6/2013

Ah, that bit.  The certificate templates are managed by the certificate administrator; in my case, we've got a "(SUB) Web Server SO (1024)" template that I'm using.  We don't have one just called "Web Server", and I don't know what settings that blogger had in his "Web Server" template, so I can't check them against our template.

I had kind of assumed that there must be something our cert server is doing to the generated certificate that the Import Wizard doesn't like, but without knowing what error -32 means, I don't know what needs to change.

And yeah, I'm using an older AP9617 NMC on firmware 3.0.2, so I am limited to 1024.  However, I'm already using 1024, not 2048, so that's not the problem.

I'd prefer to use our internal cert server if possible so that we don't get "warned" about invalid certs on HTTPS connection.  However, if I can't make that work, I'll end up generating a cert directly from the wizard, and make do with having to click "Continue (not recommended)" each time.  We've got something like 20 or 30 UPS's around Australia, so if I'm going to do it, I'd rather it was done "correctly" in the first place, rather than having to do this twice.  🙂

This reply was originally posted by Angela on APC forums on 11/7/2013

I understand better now. Bad/unrecognized data format is what -32 means.

What version of the security wizard are you trying? Just want to make sure its 1.04 which is what is on our website today.

This is a tough one because we can't really tell what it consider's "bad" but it is usually with the template or something like that. I've also seen a really long common name cause problems.

This was originally posted on APC forums on 11/7/2013

"Bad/unrecognized data format"?  That's... descriptive.  😛

I downloaded the latest version (1.04) off APC's website the other day when I started this process.

The DNS name is only 28 characters long; I assume that's not "really long"?

And yeah, I'd be pretty sure that the problem is with the template, but without knowing what settings it's expecting, I don't know what to change?

I've generated a certificate using the wizard and uploaded it to the UPS, then connected via web browser and downloaded the certificate in .cer format.  I can now compare that certificate with the certificate that gets generated by the certificate server, and have found a few key differences.  I've forwarded them both off to our security team to see if they can create me a new template with only the fields that the security wizard put in.  Hopefully they can shed some light on this.  If I find any more info, I'll let you know.

This was originally posted on APC forums on 11/5/2013

We've recently upgraded to IE 10 and have run up against this certificate length security change: Microsoft Security Advisory: Update for minimum certificate key length

I've found this guide on APC's website to create and upload anew certificate into the NMC using the APC Security Wizard: http://www.apcmedia.com/salestools/ASTE-6Z5QF2/ASTE-6Z5QF2_R2_EN.pdf

I have generated the CSR and private key, used our Microsoft AD Certificate Server to generate a new cert based on that CSR, and then downloaded the resulting cert in both DER and Base64 format (the guide doesn't specify which the Wizard wants).

However, when I use the wizard to import the new cert (either the DER or Base64) with the private key, I get "Error importing cert, code: -32" (see attachment).

I haven't been able to find anything to tell me what this error means.  Can anyone help?

This reply was originally posted by Angela on APC forums on 11/6/2013

Can you check this link out and see if it applies? -> Issuing SSL Certificates to APC Devices from Microsoft PKI | Mike Shellenberger's Blog