Help
  • Explore Community
  • Get Started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Notifications
Login / Register
Community
Community
Notifications
close
  • Forums
  • Knowledge Center
  • Events & Webinars
  • Ideas
  • Blogs
Help
Help
  • Explore Community
  • Get Started
  • Ask the Community
  • How-To & Best Practices
  • Contact Support
Login / Register
Sustainability
Sustainability

We Value Your Feedback!
Could you please spare a few minutes to share your thoughts on Cloud Connected vs On-Premise Services. Your feedback can help us shape the future of services.
Learn more about the survey or Click here to Launch the survey
Schneider Electric Services Innovation Team!

SSL Cert for NMC3 Web Interface

APC UPS Data Center & Enterprise Solutions Forum

Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
  • Home
  • Schneider Electric Community
  • APC UPS, Critical Power, Cooling and Racks
  • APC UPS Data Center & Enterprise Solutions Forum
  • SSL Cert for NMC3 Web Interface
Options
  • Subscribe to RSS Feed
  • Mark Topic as New
  • Mark Topic as Read
  • Float this Topic for Current User
  • Bookmark
  • Subscribe
  • Mute
  • Printer Friendly Page
Invite a Co-worker
Send a co-worker an invite to the portal.Just enter their email address and we'll connect them to register. After joining, they will belong to the same company.
You have entered an invalid email address. Please re-enter the email address.
This co-worker has already been invited to the Exchange portal. Please invite another co-worker.
Please enter email address
Send Invite Cancel
Invitation Sent
Your invitation was sent.Thanks for sharing Exchange with your co-worker.
Send New Invite Close
Top Experts
User Count
BillP
Administrator BillP Administrator
5060
voidstar_apc
Janeway voidstar_apc
196
Erasmus_apc
Sisko Erasmus_apc
112
Teken
Spock Teken
110
View All

Invite a Colleague

Found this content useful? Share it with a Colleague!

Invite a Colleague Invite
Solved Go to Solution
Back to APC UPS Data Center & Enterprise Solutions Forum
Solved
wallacebrf
Crewman wallacebrf
Crewman

Posted: ‎2024-01-17 07:49 AM

1 Like
8
3698
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-01-17 07:49 AM

SSL Cert for NMC3 Web Interface

i know there are MANY discussions on uploading SSL certs to these cards, but i wanted to discuss something that seems confusing. 

 

everything online indicates that we need to use the network security wizard to create the specific .p15 files needed to get SSL working on the web interface and that we cannot just upload our own signed certs on their own. 

 

however on my network management cards, under Config --> Security --> SSL Certificates i can upload my certs no problem. (using the latest 3.0.0.12 firmware)

 

I can even easily use the cert when configuring syslog servers from a very simple and handy drop down menu.... BUT when i try to go to the configuration for the web-interface i CANNOT use this cert, i have to follow the instructions required when using the security wizard.

 

why is the firmware unable to use the cert uploaded under the Config --> Security --> SSL Certificates for the web interface? this would make EVERYONE's lives easier as the process to upload the cert on the Config --> Security --> SSL Certificates page was SUPER easy. 

 

 

2.png1.png3.png

  • Tags:
  • english
Reply

Link copied. Please paste this link to share this article on your social media post.

  • All forum topics
  • Previous Topic
  • Next Topic

Accepted Solutions
gtwallace
Ensign gtwallace
Ensign

Posted: ‎2024-06-21 02:10 PM

1 Like
1
3222
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-06-21 02:10 PM

I made an open source tool to replace the SecurityWizard headaches. NMC3 compatibility should be fully functional now: https://github.com/gregtwallace/apc-p15-tool

See Answer In Context

Reply

Link copied. Please paste this link to share this article on your social media post.

Replies 8
dpierce4776
Lieutenant dpierce4776
Lieutenant

Posted: ‎2024-01-19 06:24 AM

0 Likes
3
3680
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-01-19 06:24 AM

Many people have argued and discussed this. In the end the reality is that the .p15 (PKCS 15) format is very secure and even most newer certificate algorithms can match its security. if Memory serves PKCS uses two set keys based off of the hash value of the certificate, to create the certificate and encrypt it. This makes it very hard to attack and/or have a MITM issue.

 

But I also understand that this also can make things difficult for end users as my company has many APC devices and we must create new certs yearly.

Trust me I get it I would love to use my local CA and scripts to create and upload certificates but APC is not going to budge on this due to security issues and concerns.     

Reply

Link copied. Please paste this link to share this article on your social media post.

gtwallace
Ensign gtwallace
Ensign

Posted: ‎2024-04-24 09:22 PM

In response to dpierce4776
0 Likes
0
3508
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-04-24 09:22 PM

Except the p15 is secured with a static password (“user”) so decrypting the file is trivial.

Reply

Link copied. Please paste this link to share this article on your social media post.

BillP
Administrator BillP Administrator
Administrator

Posted: ‎2024-04-26 01:16 PM

0 Likes
1
3480
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-04-26 01:16 PM

Hi,

 

You can use the command-line interface to use a .crt file with the NMC3. See the CLI guide for instructions. 

I have attached a copy. See page 34.

 

Using a SSH tool such as PuTTY log into the NMC

 

Enter the command

ssl csr -CN <NMC host name or IP> -C <county e.g. US> -san <The Common Name> -san <The IP address of the NMC>  OutfileName.csr

 

Copy the file off and sign it. The signed copy can be a .crt

 

Copy the signed.crt to the NMC and then run the command

ssl cert -i InfileName.crt

 

I recommend rebooting the NMC after uploading the new cert. 

 

Attachments
Reply

Link copied. Please paste this link to share this article on your social media post.

gtwallace
Ensign gtwallace
Ensign

Posted: ‎2024-06-21 02:10 PM

1 Like
1
3223
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-06-21 02:10 PM

I made an open source tool to replace the SecurityWizard headaches. NMC3 compatibility should be fully functional now: https://github.com/gregtwallace/apc-p15-tool

Reply

Link copied. Please paste this link to share this article on your social media post.

kumba93
kumba93
Cadet

Posted: ‎2024-07-03 09:59 AM

In response to dpierce4776
0 Likes
1
3139
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-07-03 09:59 AM

PKCS#15 isn't itself an encryption standard.  It's just a container format, specifically "Cryptographic Token Information Format Standard", and also known as ISO/IEC 7816-15:

https://en.wikipedia.org/wiki/PKCS

 

I know from past digging around, under the hood, NMC2 and NMC3 cards are using a somewhat obscure encryption library called "cryptlib", developed by Peter Gutmann:

https://en.wikipedia.org/wiki/Cryptlib

https://www.cs.auckland.ac.nz/~pgut001/cryptlib/

 

It's the use of cryptlib that dictates why certificates for the embedded Treck HTTP server have to use the PKCS#15 format.  But to make matters worse, APC doesn't use a standard PKCS#15 format.  There's a custom binary header that's tacked on top of these files that has to be dealt with.  There have been past efforts to modify an old, but existing, tool called "pemtrans", which converts the PKCS#15 certificate format files (*.p15) to/from standard X.509 format:

https://github.com/amenonsen/pemtrans

https://github.com/freddy36/apc_tools

 

Luckily, since I last dug into this particular problem, it FINALLY looks like someone's put together a tool to deal with this custom p15 file format that APC has stubbornly stuck with, however, this tool is only known to generate RSA keys up to 3072 bits and has only been tested on an NMC2 card:

https://github.com/gregtwallace/apc-p15-tool

 

I will have to look into this tool further to see if it can be expanded to handle ECDSA or not.  Since the only thing that's really being done here is converting between data formats, it's not an insurmountable challenge.  I know from looking into the cryptlib docs in the past, that there are conversion routines that you can call if you write a program around cryptlib to ingest a standard X.509 certificate and write back out a p15 format.  I think what stopped a lot of people was that custom binary header that APC tacked onto the p15 files.

 

In any event, APC/SE needs to give up on this p15 format and just use standard certificate formats like everyone else.  I know that APC/SE's internal developers could do this very easily if actually tasked by their management, because cryptlib fully supports all the well-known certificate standards, so it's really just a matter of adding support for those and beginning a deprecation process for the p15 cert format, especially NOW that they've added a central certificate store capability to the more recent firmware releases.

Reply

Link copied. Please paste this link to share this article on your social media post.

wallacebrf
Crewman wallacebrf
Crewman

Posted: ‎2024-07-06 03:54 PM

In response to gtwallace
0 Likes
0
3049
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-07-06 03:54 PM

@kumba93  posted a link to your github page. i plan on using it on my NMC3 units. i will let you know if i have any issues

Reply

Link copied. Please paste this link to share this article on your social media post.

wallacebrf
Crewman wallacebrf
Crewman

Posted: ‎2024-07-06 04:23 PM

In response to kumba93
0 Likes
0
3049
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-07-06 04:23 PM

i can confirm that

https://github.com/gregtwallace/apc-p15-tool

worked perfectly for my 2048-bit wildcard certificate on my 4x APC network management card 3 model AP9641. very quick and easy to use.

appreciate the tool! this is so much better than what APC offers.

Reply

Link copied. Please paste this link to share this article on your social media post.

wallacebrf
Crewman wallacebrf
Crewman

Posted: ‎2024-07-06 07:50 PM

In response to BillP
0 Likes
0
3049
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Link copied. Please paste this link to share this article on your social media post.

Posted: ‎2024-07-06 07:50 PM

The new tool posted here works great and does everything I needed to load an already signed 2048 bit wild card certificate to multiple NMCv3 cards without issue. 

 

Please update your previous "master" posts where you aggregated all of the multiple questions pertaining to loading these certs. 

 

Tool that works

https://github.com/gregtwallace/apc-p15-tool

Reply

Link copied. Please paste this link to share this article on your social media post.

Preview Exit Preview

never-displayed

You must be signed in to add attachments

never-displayed

 
To The Top!

Forums

  • APC UPS Data Center Backup Solutions
  • EcoStruxure IT
  • EcoStruxure Geo SCADA Expert
  • Metering & Power Quality
  • Schneider Electric Wiser

Knowledge Center

Events & webinars

Ideas

Blogs

Get Started

  • Ask the Community
  • Community Guidelines
  • Community User Guide
  • How-To & Best Practice
  • Experts Leaderboard
  • Contact Support
Brand-Logo
Subscribing is a smart move!
You can subscribe to this board after you log in or create your free account.
Forum-Icon

Create your free account or log in to subscribe to the board - and gain access to more than 10,000+ support articles along with insights from experts and peers.

Register today for FREE

Register Now

Already have an account? Login

Terms & Conditions Privacy Notice Change your Cookie Settings © 2025 Schneider Electric

This is a heading

With achievable small steps, users progress and continually feel satisfaction in task accomplishment.

Usetiful Onboarding Checklist remembers the progress of every user, allowing them to take bite-sized journeys and continue where they left.

of