APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-06-30 06:58 AM . Last Modified: 2024-03-07 11:42 PM
I posted about this in the "Can't import SSL Cert to Management Card" thread, but thought I should start a new thread rather than hijacking someone else's.
I'm trying to set up secure HTTPS access to my Network Management Card (NMC). My goal is to be able to connect to the NMC securely from any mainstream web browser (IE, Firefox, Opera, Safari), on any machine, including machines upon which I don't have administrative access (e.g. Internet cafes) so cannot install browser certificates. I want to be able to trust that I am really connecting to my own NMC, so that no one is intercepting the password etc.
This means that I need to install a real SSL certificate, issued by a CA (certificate authority) recognised by mainstream browsers, rather than a self-signed certificate or one signed by an in-house CA.
I have got as far as using the APC Network Security Wizard 1.02 to generate the CSR (certificate signing request), sending it to my CA, receiving the signed .crt file back, and importing that into Network Security Wizard. I can then upload the resultant .p15 file to the NMC.
The problem is that I also need to install so-called 'intermediate' or 'chaining' certificates onto the web server, in this case, the NMC built-in web server. This is, as far as I understand, a very common issue with certificates issued by most CAs these days. The intermediate certificates on the web server make sure that the certificate presented to the browser has the correct chain of trust. If the intermediate certificates are not installed on the web server, many web browsers will complain that it cannot trust the certificate presented to it.
Both Firefox and Opera require the intermediate certificates to be installed on the server. Strangely IE and Safari do not, but I believe this is a lack of security in IE and Safari rather than a bug in Firefox and Opera. The correct thing for a web server to do is to present the complete chain of trust.
The following link http://www.digicert.com/ssl-certificate-installation.htm is from a different CA than the one I'm trying to use but explains the problem quite well. You'll notice that it gives instructions on how to install the intermediate certificates on several different web servers, not including the NMC web server.
So my question is, is there a way to install intermediate certificates onto the NMC web server?
Note that I cannot simply install the intermediate certificates into the browser, as I'll be using lots of different browsers on lots of different machines, some of which might have a tied-down configuration. The whole point of installing a 'real' certificate was to try and stop any popup warnings on web browsers and give a secure connection. Anything other than having the web server present the intermediate certificates as it should is a kludge.
Posted: 2021-06-30 06:58 AM . Last Modified: 2024-03-07 11:42 PM
I haven't seen any questions arise related to this issue. I have generated my own certificate and had it signed by a CA authority and have been able to access using both IE and Firefox, but am not familiar with the intermediate certificate requirements. Who is the CA that is generating the certificate, Digicert? From browsing through some of the methods for these other applications on the link you provided, it appears as if the intermediate certs are appended to the single .crt file. Have you tried appending the intermediate certs to the main cert before using the APC security wizard Import Signed Certificate function?
Posted: 2021-06-30 06:58 AM . Last Modified: 2024-03-07 11:42 PM
John,
Currently APC NMC devices do not support SSL Certificate Chaining. This may be considered for future revisions of the Card and/or Card firmware, however it is not planned for any revision in the near future.
Posted: 2021-06-30 06:58 AM . Last Modified: 2024-03-07 11:42 PM
Thanks for the reply. The CA I'm using is GlobalSign, using their Cybertrust Educational subsidiary, although I don't think the actual CA is important. I couldn't find any helpful public pages on the GlobalSign site, so I gave the link to the help pages on the Digicert site instead, because they explained the problem better.
I have also been told by my CA to install the "GTE CyberTrust Global Root" certificate at http://secure.globalsign.net/cacert/ct_root.pem and the "Cybertrust Educational CA" certificate at http://secure.globalsign.net/cacert/sureserverEDU.pem onto the web server, in addition to the site certificate.
If you follow those links you'll see that the first one has some human-readable stuff followed by the -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- section, while the second link just includes the -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- section. In all cases where I've tried to use ct_root.pem I've just used the -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- section, as I'm assuming the human-readable bit isn't supposed to be imported.
As you said, for some web servers the solution is to concatenate all the certificates into one text file before loading onto the web server. I have tried that with the APC Security Wizard with no luck so far.
I have tried putting the site-specific certificate first, followed by the ct_root.pem then sureserverEDU.pem, and I've also tried putting the site-specific certificate first, followed by the sureserverEDU.pem then ct_root.pem. In both of those cases it seems the Security Wizard just ignored the second two certificates as if they weren't there - in other words, the result was exactly the same as if I just had the site-specific certificate in the file.
If I put either sureserverEDU.pem or ct_root.pem first in the concatenated text file, the Security Wizard gives a message "Error Adding Key , code: -2".
My guess is that the Security Wizard expects to see the site-specific certificate first in the text file, and when it reaches the end of it, it ignores the rest of the text file. If it sees anything before the site-specific certificate it throws an error.
Surely I can't be the only one in this situation. The reason I'm using this particular CA is that we have a very cheap educational deal on certificates, so I don't want to try another CA. And anyway, as far as I know most CAs require these intermediary certificates to be installed on web servers these days.
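The chain-of-trust point from the first post and the concatenation experiments in this one, as an added example that is not part of the thread or of APC's tooling: the script builds a throwaway root, intermediate and leaf with openssl, shows that the leaf alone fails validation (what a browser sees when a server omits the intermediate) while leaf plus intermediate verifies, and inspects a concatenated PEM bundle the way an importer would. It assumes an openssl binary on the path; every name in it (Example Test Root, Example Test Intermediate CA, nmc.example.test) is constructed for the demo and the keys are test-only and deleted on exit.

```shell
#!/bin/sh
# Added example, not code from this thread or from APC. Builds a throwaway
# root -> intermediate -> leaf chain, then checks what verifies with and
# without the intermediate and what a concatenated PEM bundle contains.
# All names (Example Test Root, nmc.example.test, ...) are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Issue a 1-day chain: self-signed root, CA:TRUE intermediate, end-entity leaf.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
      -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
      > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate CA" \
      -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:nmc.example.test\n' > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nmc.example.test" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
      -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# chain_status LEAF ROOT [UNTRUSTED]: "OK" if LEAF chains to ROOT using only the
# certificates in UNTRUSTED (if given), else "FAIL". With no UNTRUSTED file this
# is the browser's position when the server sends the leaf by itself.
chain_status() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# count_blocks FILE: number of PEM certificate blocks in a bundle.
count_blocks() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_bundle FILE DIR: write each PEM block to DIR/cert1.pem, cert2.pem, ...
# Text outside the BEGIN/END markers (the human-readable header some CAs put in
# their .pem downloads) is dropped; it is not part of the certificate.
split_bundle() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
    inside { print > (d "/cert" n ".pem") }
    /-----END CERTIFICATE-----/ { inside = 0 }
  ' "$1"
}

# bundle_order FILE: "leaf-first" when each block's issuer is the subject of the
# next block (leaf, intermediate, root: the order a TLS server must send),
# otherwise "unordered".
bundle_order() {
  split="$(mktemp -d)"
  split_bundle "$1" "$split"
  prev_issuer=""
  status="leaf-first"
  for f in "$split"/cert*.pem; do
    subject="$(openssl x509 -in "$f" -noout -subject)"
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "${subject#subject=}" ]; then
      status="unordered"
    fi
    issuer="$(openssl x509 -in "$f" -noout -issuer)"
    prev_issuer="${issuer#issuer=}"
  done
  rm -rf "$split"
  echo "$status"
}

make_chain
# Leaf-first bundle (what a web server should present) and a root-first bundle
# (the kind of ordering that produced the wizard's "Error Adding Key" above).
cat "$WORK/leaf.crt" "$WORK/int.crt" "$WORK/root.crt" > "$WORK/bundle.pem"
cat "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/bundle-wrong.pem"

echo "blocks in bundle.pem:        $(count_blocks "$WORK/bundle.pem")"
echo "bundle.pem order:            $(bundle_order "$WORK/bundle.pem")"
echo "bundle-wrong.pem order:      $(bundle_order "$WORK/bundle-wrong.pem")"
echo "leaf only (no intermediate): $(chain_status "$WORK/leaf.crt" "$WORK/root.crt")"
echo "leaf + intermediate:         $(chain_status "$WORK/leaf.crt" "$WORK/root.crt" "$WORK/int.crt")"
# Like many importers, openssl x509 reads only the first PEM block of a file:
echo "first block of bundle.pem:   $(openssl x509 -in "$WORK/bundle.pem" -noout -subject)"
```

Two things worth noticing when running it. `openssl verify -untrusted` treats the intermediates as a pool and builds the chain in any order, so a mis-ordered bundle still verifies there; a TLS server, by contrast, has to send the leaf first followed by its issuers, which is what `bundle_order` checks. And `openssl x509` silently reads only the first block of a multi-certificate file, the same outcome described above for the Security Wizard when the site certificate came first; the `count_blocks` and `bundle_order` checks are a quick way to confirm what a bundle actually holds before uploading it to a device that gives no feedback.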
Posted: 2021-06-30 06:59 AM . Last Modified: 2024-03-07 11:42 PM
Indeed a serious failing.
Ironic that the APC SW utilities like PCNS provide an "accept insecure certificate" option, but cannot actually create a secure configuration for such a large percentage of the major certificate authorities operating today. My understanding is that without an intermediate cert, the "master" CA certificate is at greater risk of compromise, which is why so many CAs don't do it that way any more today.
Looks like the cards are mostly going to have to be used either with the self-signed cert, or with an internal/organizational CA. (Which of course also requires installing the organizational CA's root cert on all browsers that need to manage the devices)
Posted: 2021-06-30 06:59 AM . Last Modified: 2024-03-07 11:42 PM
I use an internal CA on all of my devices. The whole SSL thing on the APC devices needs a big overhaul - not only does nobody else accept their .p15 files, but you'll find (if you spend the time to track it down) that their .p15 files themselves are non-standard.
I assume this was to provide some sort of partially-digested pablum to the cards, since the cards don't have a lot of CPU power. However, it does break a large number of other things, including wildcard certificates (and any other certificate issued for the device where there was no corresponding request via the Security Wizard). Using standard PEM format almost always allows the user to concatenate the intermediate certificate and feed it to the device which is then happy.
Posted: 2021-06-30 06:59 AM . Last Modified: 2024-03-07 11:42 PM
With all the recent revelations about various SSL/TLS vulns, I'm a little afraid to even check into which ciphers, hashes and key lengths the new cards support. The older cards only support RC4 and DES/3DES ciphers, insecure hashes like MD5 and SHA1, and 768-bit key length.
Not something you'd want to put on the internet without at least a firewall in front of it with access control. (Which still won't help if you don't want people capturing your sessions and credentials.)
Posted: 2021-06-30 06:59 AM . Last Modified: 2024-03-07 11:42 PM
The newer cards (at least with the latest 6.2.1 firmware) support TLS 1.1 (which isn't ideal as TLS 1.2 would be better). Both the old and new cards support 1024 bit (although at least the older ones generate 768 when they self-sign). I'm almost positive the newer cards support 2048.
Per this thread, updated SSL support for some of the older NMC2-based devices is being actively worked on. Unfortunately, the various browsers have morphed from "how secure can we be and remain compatible?" to "is there an award for breaking the most stuff?" which makes this SSL stuff very much a moving target.
This is all hard to tell from the Security Wizard, since it is the same old one from 2010 still. And the older cards (not sure about the newer ones) don't give any indication that a certificate you uploaded via the wizard is defective - the card either retains the old certificate with no warning, or deletes the old certificate and doesn't install the new one, depending on some mysterious conditions.
Posted: 2021-06-30 06:59 AM . Last Modified: 2024-03-07 11:42 PM
So after 12 years, still unable to get a key and CSR from the UPS web interface in order to use our ADCS PKI infrastructure...
Tried using the APC Security Wizard 1.04 by creating a CSR, signing it with ADCS and back into the wizard...
but still does not work! Anyone found a way to set these web interfaces in HTTPS using your internal ADCS CAs & sub CAs?
Thx
Posted: 2021-06-30 06:59 AM . Last Modified: 2024-03-07 11:42 PM
Hey all,
Because installing private SSL certificates on the NMC is a recurring theme, I decided to create a discussion after some progress was made during a support chat.