SSL Cert for NMC3 Web Interface

wallacebrf · ‎2024-01-17

i know there are MANY discussions on uploading SSL certs to these cards, but i wanted to discuss something that seems confusing.

everything online indicates that we need to use the network security wizard to create the specific .p15 files needed to get SSL working on the web interface and that we cannot just upload our own signed certs on their own.

however on my network management cards, under Config --> Security --> SSL Certificates i can upload my certs no problem. (using the latest 3.0.0.12 firmware)

I can even easily use the cert when configuring syslog servers from a very simple and handy drop down menu.... BUT when i try to go to the configuration for the web-interface i CANNOT use this cert, i have to follow the instructions required when using the security wizard.

why is the firmware unable to use the cert uploaded under the Config --> Security --> SSL Certificates for the web interface? this would make EVERYONE's lives easier as the process to upload the cert on the Config --> Security --> SSL Certificates page was SUPER easy.

gtwallace · ‎2024-06-21

I made an open source tool to replace the SecurityWizard headaches. NMC3 compatibility should be fully functional now: https://github.com/gregtwallace/apc-p15-tool

See Answer In Context

dpierce4776 · ‎2024-01-19

Many people have argued and discussed this. In the end the reality is that the .p15 (PKCS 15) format is very secure and even most newer certificate algorithms can match its security. if Memory serves PKCS uses two set keys based off of the hash value of the certificate, to create the certificate and encrypt it. This makes it very hard to attack and/or have a MITM issue.

But I also understand that this also can make things difficult for end users as my company has many APC devices and we must create new certs yearly.

Trust me I get it I would love to use my local CA and scripts to create and upload certificates but APC is not going to budge on this due to security issues and concerns.

gtwallace · ‎2024-04-24

Except the p15 is secured with a static password (“user”) so decrypting the file is trivial.

BillP · ‎2024-04-26

Hi,

You can use the command-line interface to use a .crt file with the NMC3. See the CLI guide for instructions.

I have attached a copy. See page 34.

Using a SSH tool such as PuTTY log into the NMC

Enter the command

ssl csr -CN <NMC host name or IP> -C <county e.g. US> -san <The Common Name> -san <The IP address of the NMC> OutfileName.csr

Copy the file off and sign it. The signed copy can be a .crt

Copy the signed.crt to the NMC and then run the command

ssl cert -i InfileName.crt

I recommend rebooting the NMC after uploading the new cert.

gtwallace · ‎2024-06-21

I made an open source tool to replace the SecurityWizard headaches. NMC3 compatibility should be fully functional now: https://github.com/gregtwallace/apc-p15-tool

kumba93 · ‎2024-07-03

PKCS#15 isn't itself an encryption standard. It's just a container format, specifically "Cryptographic Token Information Format Standard", and also known as ISO/IEC 7816-15:

https://en.wikipedia.org/wiki/PKCS

I know from past digging around, under the hood, NMC2 and NMC3 cards are using a somewhat obscure encryption library called "cryptlib", developed by Peter Gutmann:

https://en.wikipedia.org/wiki/Cryptlib

https://www.cs.auckland.ac.nz/~pgut001/cryptlib/

It's the use of cryptlib that dictates why certificates for the embedded Treck HTTP server have to use the PKCS#15 format. But to make matters worse, APC doesn't use a standard PKCS#15 format. There's a custom binary header that's tacked on top of these files that has to be dealt with. There have been past efforts to modify an old, but existing, tool called "pemtrans", which converts the PKCS#15 certificate format files (*.p15) to/from standard X.509 format:

https://github.com/amenonsen/pemtrans

https://github.com/freddy36/apc_tools

Luckily, since I last dug into this particular problem, it FINALLY looks like someone's put together a tool to deal with this custom p15 file format that APC has stubbornly stuck with, however, this tool is only known to generate RSA keys up to 3072 bits and has only been tested on an NMC2 card:

https://github.com/gregtwallace/apc-p15-tool

I will have to look into this tool further to see if it can be expanded to handle ECDSA or not. Since the only thing that's really being done here is converting between data formats, it's not an insurmountable challenge. I know from looking into the cryptlib docs in the past, that there are conversion routines that you can call if you write a program around cryptlib to ingest a standard X.509 certificate and write back out a p15 format. I think what stopped a lot of people was that custom binary header that APC tacked onto the p15 files.

In any event, APC/SE needs to give up on this p15 format and just use standard certificate formats like everyone else. I know that APC/SE's internal developers could do this very easily if actually tasked by their management, because cryptlib fully supports all the well-known certificate standards, so it's really just a matter of adding support for those and beginning a deprecation process for the p15 cert format, especially NOW that they've added a central certificate store capability to the more recent firmware releases.

wallacebrf · ‎2024-07-06

@kumba93 posted a link to your github page. i plan on using it on my NMC3 units. i will let you know if i have any issues

wallacebrf · ‎2024-07-06

i can confirm that

https://github.com/gregtwallace/apc-p15-tool

worked perfectly for my 2048-bit wildcard certificate on my 4x APC network management card 3 model AP9641. very quick and easy to use.

appreciate the tool! this is so much better than what APC offers.

wallacebrf · ‎2024-07-06

The new tool posted here works great and does everything I needed to load an already signed 2048 bit wild card certificate to multiple NMCv3 cards without issue.

Please update your previous "master" posts where you aggregated all of the multiple questions pertaining to loading these certs.

Tool that works

https://github.com/gregtwallace/apc-p15-tool