Uploading Private SSL Certificates

Hi Cody,

Sorry at present this is not possible, neither pre-signed certificates nor wildcard certificates are supported, you can only use certs that have been created by the security wizard.

The process is you create a CSR and private key with the security wizard, sign the CSR with your internal or corporate CA and finally combine the signed request with the private key using the security wizard.

If you require any help with this process, please let me know.

-Gavan 

Unfortunately not, even with the request submitted there is no guarantee that it will be accepted and no time-frames are provided. Also this would not be a very high priority request that would require a huge rework in the SSL system. 

Hi Cody,

There is no SLA, this is an enchantment request not a support request and not a high priority one as there is currently a way to add certificates to an NMC2.

As I've said previously if you'd like to learn how to use our current tools I'd be happy to help.

-Gavan 

The NMC3 uses the same process as the NMC1 and NMC2.

Have you considered deploying an internal CA, here's a great guide on how to do it with Windows Server: https://www.starwindsoftware.com/blog/using-the-microsoft-certificate-authority-to-get-rid-of-those-...

There is similar guides to do it with Linux and OpenSSL.

-Gavan

I'm also having a problem uploading SSL certificates to my Rack PDUs. It's an essential requirement for me; we aren't permitted to have self-signed certificates in our infrastructure. We also don't really want to use a wildcard certificate or public CA.

I've tried two different ways:

• Generate CSR using NMCSecurityWizardCLI.exe, sign using our internal OpenSSL CA and then reimport using NMCSecurityWizardCLI.exe. This gives me a bad argument error and fails.
• Generate CSR using Security Wizard v1.04, sign using our OpenSSL CA and then reimport using Security Wizard again. This gives me an error -32. I've seen mention of it when people have this when not using the Web Server template from Windows Certificate Services, but not with OpenSSL.

I haven't even managed to get to the point where I can upload the certificate to the PDU. I've got a case open with APC about NMCSecurityWizard, but there doesn't seem to be any way to check the progress.

Looking at how poorly certificates have been handled for a long time now and the lack of progress perhaps it may be worth considering another vendors solution instead.

Hi Scott, 

Can you tell me what your case number is and I can check its progress?

Can you also try using the following version of Security Wizard:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

Hi Cody,

Please don't post unless your going to try and be helpful, Scott's issue is not the same as yours can can easily be resolved. 

-Gavan

I've spent days trying to figure out how to get an SSL certificate to load in our NMCs.  Scott's post above helped to put me on a path of enlightenment.

I used the NMC's self-signed certificate as a "MODEL" certificate of what it seemed to be accepting.  That's when I noticed the differences that I needed to correct.  Mainly the extended key usage definition, and the non-standard "critical" setting on the extended Key Usage and basicConstraints extensions.  But the biggest realization is that your CN and alt_names (SAN) has a huge impact on whether the certificate will be accepted or rejected.  I'd image this is what most people are having problems with. Since there is absolutely NO error feedback, it's virtually impossible to figure anything out without a LOT of trial and error.  Your programmers need to learn how to 1) provide an error message, 2) provide a useful error message when one is given.

I surely hope the information below will help others that are having NMC certificate problems.

Applies to:
0M-9631SY (AP9631): APC AOS v6.8.8
AP8959NA3: APC AOS v6.8.2

NMCSecurityWizardCLIUtility_v100.zip: 585,444 bytes
NMCSecurityWizardCLI.exe: 91,136 bytes
cl32.dll: 1,181,184 bytes

Example of a working Process:

0. Renamed NMCSecurityWizardCLI.exe to NMC.exe
1. Create CSR using NMC.exe:

C:\NMCcli>NMC --csr -o symmetra -n symmetra -c US -m Illinois -l Maywood -g "Company Name Inc" -u "Information Technology" -e it@companyname.com -a 192.168.10.2 -i http://www.companyname.com -d symmetra.companyname.com -k 1024

2. Renamed symmetra.p15 to symmetrak.p15
3. Transferred symmetra.csr to internal company CA host
4. We use openssl. Using the NMC's self-sign certificate as a "Model" 
   certificate for what the NMC seems to accept, we modified openssl.cnf 
   (in the "[ usr_cert ]" section) so that:

   a. All Netscape options/extensions were disabled
   b. ONLY X.509 extensions were allowed, in this exact order:

      1. Subject Key Identifier - Entry in openssl.cnf: subjectKeyIdentifier=hash
      2. Key Usage - Entry in openssl.cnf: keyUsage=critial,digitalSignature,keyEncipherment
      3. Basic Constraints - Entry in openssl.cnf: basicConstraints=critical,CA:FALSE
      4. Subject Alternative Name - Entry in openssl.cnf: subjectAltName=@alt_names

                                                          [ alt_names ]
                                                          DNS.1 = symmetra.companyname.com
                                                          DNS.2 = 192.168.10.2

5. Copy "symmetra.csr" to "/etc/pki/tls/misc/newreq.pem"
6. Signed the certificate request:

   [/etc/pki/tls/misc]# ./CA.pl -sign

7. openssl creates a signed certificate and puts it in newcert.pem
8. Copy newcert.pem to symmetra.crt
9. Copy newcert.pem to ssymmetra.crt (short symmetra.crt)
10. Edit ssymmetra.crt to REMOVE the human-readable certificate information 
    BEFORE the "-----BEGIN CERTIFICATE-----" line. The NMCSecurityWizardCLI.exe
    pukes when trying to create the .p15 file for upload and there is more 
    than just the base64 certificate information present in the certificate file.
11. Transfer ssymmetra.crt to Windows machine where NMC.exe exists, and the .p15
    private is located when the CSR was created.

12. Create the certificate file for upload to the NMC:

      C:\NMCcli>NMC --import -o symCERT -s ssymmetra.crt -p symmetrak

      If successful, you'll get something like:

      NMC Security Wizard Command Line Utility v1.0.0
      (c) Copyright 2018 Schneider Electric. All rights reserved.
      -----------------------------------------------------------------------------
      Certificate's Issuer Information:
        Common Name: Company Name Root CA
        Country: US
        State/Province: IL
        Locality: Maywood
        Organization: Company Name, Inc
        Organizational Unit: www.companyname.com

      Certificate's Subject Information:
        Common Name: symmetra
        Country: US
        State/Province: Illinois
        Locality: Maywood
        Organization: Company Name Inc
        Organizational Unit: Information Technology
        Valid From: 08/05/2020 (GMT)
        Valid To: 08/03/2030 (GMT)

      Certificate's General Information:
        Serial Number: 00:CB:45:34:3D:6E:DD:E8:F4
        SHA1 Thumbprint: 21:69:81:CE:BB:58:53:C3:A8:EE:1A:8F:14:25:BD:E0:24:A7:5A:93

      [*] Importing certificate 'symCERT' has successfully completed.      

   13. Connect to the NMC Web Interface, and login.  Navigate to:

       Configuration > Network > Web > SSL Certificate

       Click the "Choose File" button.  Navigate to the Windows 
       file where your "symCERT.p15" was created, and "Open" it.

   14. The filename will be displayed next to the "Choose File" button. 
       Click "Apply" to load certificate into the NMC.

   15. If all goes well, it will only take about 10 seconds for the
       certificate to load.  There is absolutely no good feed back in
       the browser as to what happens. From extensive testing, I
       found that 10 seconds usually meant it worked, and 60 seconds
       meant that it failed.

If successfull, the NMC will immediately start to use it. You should logout and then login to the NMC fully utilize the new certificate.

If unsuccessful, the NMC will take about 60 seconds to regenerate a brand new self-cert and install it, and give control back to the
user. You'll see this if you inspect the cerificate after trying to connect to the NMC after 60 seconds. The cert will only be 2-3 minutes
old.

If successful, these will work:
https://symmetra.companyname.com
or https://192.168.10.2/

This will not work, you get a browser security warning:
https://symmetra

Plus you cannot add "symmetra" to the alt_names to get it to work.

This table took quite some time create, but will help to explain what APC support hasn't been able to figure out. When I create certificates, I
like to be able to use something like:

https://pdu.companyname.com
or https://192.168.10.2
or https://pdu/

In order to do that, you specify all three as alt_names. But if you use "pdu" as one of the entries for an alt_name, that causes the NMC
to REJECT the SSL certificate for some unknown reason. 

The APC NMC will also almost always reject the SSL Certificate if you use a FQDN for the CN. There is only one exception to that, and then that is NOT to use ANY alt-names.

This table outlines what works, and more importantly what does NOT work.

Result  Test    CN           AltName[1]    AltName[2]    AltName[3]
=====================================================================================
fails   PDU1:   pdu          pdu.dom.com   pdu           bluepdu.dom.com (2 more)
fails   PDU2:   pdu          pdu.dom.com   pdu           bluepdu.dom.com (2 more)
fails   PDU3:   pdu          pdu.dom.com   pdu           192.168.10.3
loads   PDU4:   pdu          
loads   PDU5:   pdu.dom.com  
loads   PDU6:   pdu          pdu.dom.com 
loads   PDU6b:  pdu          pdu.dom.com   192.168.10.3
fails   PDU6c:  pdu          pdu.dom.com   192.168.10.3  pdu
fails   PDU7:   pdu.dom.com  pdu.dom.com   pdu           192.168.10.3
fails   PDU7b:  pdu.dom.com  pdu.dom.com   pdu
FAILS   PDU7c:  pdu.dom.com  pdu 
fails   PDU8:   5A1833E07049 pdu.dom.com   pdu

fails: NMC card fails to load certificate, and generates a new self-signed cert.
loads: NMC card loads certificate, and immediately starts to use it in
about 10-15 seconds

Hopefully, APC will make this a less painful process. I wonder how many man-hours have been wasted trying to get a working certificate on a APC device.  

Interesting; I was able to get my NMC to accept a certificate that had the non-FQDN name as a SAN.

I created a script that automates it for me, happy to share the steps I used later on when I'm back at my PC.

So today I rolled out certificates to all my Rack PDUs (NMC2 AP9538 v6.8.2) and all worked fine with CN as FQDN mypdu.mydomain and SAN with FQDN mypdu.mydomain and hostname mypdu.

I also needed to put a certificate on a SmartUPS (NMC2 AP9631 v6.8.8) as well - and that didn't work. It accepted the certificate as valid (and if you connect via HTTP the SSL cert menu shows the certificate as valid, with it's details) but HTTPS is now broken and I'm no longer able to connect. 

No difference in the process for generating them at all.

I'll try tomorrow leaving off the SAN completely, but this already means that different processes/certificates work for different devices which is terrible!

If it helps anyone, here's what I did for my Rack PDUs using the version of NMCSecurityWizardCLI above (v1.0.0):

Create config file: mypdu.cfg containing:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:mypdu.mydomain, DNS:mypdu

Then run the following commands:

NMCSecurityWizardCLI --csr -o mypdu-csr -n mypdu.mydomain -c GB -m England -l County -g Org -u Dept -e contact@mydomain

openssl x509 -req -in mypdu-csr.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out mypdu-cert.crt -extfile mypdu.cfg -days 3650

NMCSecurityWizardCLI --import -o mypdu-apc -s mypdu-cert.crt -p mypdu-csr

This gives you a mypdu-apc.p15 file that works with the Rack PDUs.

Hi Cody,

As I've already stated pre-sign certificates are not supported nor are wildcard certificates. This is not going to change in the near to medium term.

-Gavan

If you read back on the posts I had asked you to not comment on other people's issues that were different to yours as their issues could be easily resolved. As you can see Scott's issue was easily resolved. 

I also commented that you could resolve your problem by deploying an internal PKI or CA.

I'm still having absolutely no success with certificates for an NMC2 in a SmartUPS 1500.

I've tried differing combinations of SAN, CN with FQDN/shortname etc without joy.

The PDU accepts the certificate and reports it as valid, however HTTPS connections are immediately reset by the PDU. It's the last device to get working, any help would be appreciated.

Can you post the command that your using to create the cert for the Smart-UPS and also the version of firmware it's on and I can try it hear and help narrow down the cause of the issue?

-Gavan

Create pdu-0.cfg containing:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net, DNS:pdu-0

Then running the commands:

NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -c GB -m England -l mytown -g myorg -u myorg-e support@mydomain.com

openssl x509 -req -in pdu-0-csr.csr -CA e:\ca.crt -CAkey e:\ca.key -CAcreateserial -out pdu-0-temp.crt -extfile pdu-0.cfg -days 3650

NMCSecurityWizardCLI --import -o pdu-0 -s pdu-0-temp.crt -p pdu-0-csr

As said I've tried various combinations involved SAN/no-SAN, FQDN, shortname, IP etc. The PDU accepts the certificate and reports "Valid Certificate" in the GUI, but HTTPS issues a reset as soon as the browser sends a TLS Client Hello.

Hi Scott,

You mentions PDU a few time but the application data says SUMX, so I take it the PDU is a mistake and that your actually talking about a Smart-UPS?

Either way I tested this with using the same card and the same firmware details that you have given, try the following:

pdu-0.cfg:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net

Commands:

NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -d pdu-0.mydomain.net -c GB -m England -l mytown -g myorg -u myorg

openssl x509 -req -in pdu-0-csr.csr -CA e:\ca.crt -CAkey e:\ca.key -CAcreateserial -out pdu-0-temp.crt -extfile pdu-0.cfg -days 3650

NMCSecurityWizardCLI --import -o pdu-0 -s pdu-0-temp.crt -p pdu-0-csr

*** Ensure "subjectAltName = DNS:xx.xxxx.xx" matches "-d xx.xxxx.xx" 

I've followed those steps exactly; the certificate is created and imported, but still causes HTTPS to die.

Given this only applies to one UPS (all our others are Rack PDUs which I have working) and the amount of time being spent on this (our CA is in a secure room under dual control, so is a manual task) I've decided to just disable HTTPS for now (HTTP is already disabled) and manage it via SSH, enabling HTTPS only for the times it's required.

There's no error messages (in fact even when HTTPS is broken, the UPS GUI reports the certificate is valid) and no logging.

APC really need to consider getting their act together with regards to certficate handling. It's terrible, no other device I've come across is this much of a pain. It's really not what you would consider an enterprise class device in that regard.

Hi Scott,

I've sent an email to you directly (provided the email given at sing-up is correct), I can help you do some more troubleshooting that you might not want put on a public forum.

-Gavan

Hi,

Thanks for the offer - I've actually managed to resolve this myself this morning. Seems NTP traffic was being blocked and the UPS date/time had got a couple of days behind.

Fixed NTP and all is well now!

Regards,

Scott

Try using this version (1.0):

https://schneider-electric.box.com/s/sxlkk4nljylwnyjzno3trr1ilvz46e1r

I believe the newer v1.1 has some issues with the formatting of the files, so using v1.0 makes it easier - especially if you're scripting it.

Hi Timothy,

Can you try this guide:

https://schneider-electric.box.com/shared/static/np70ytdetyghut1hc1kpu7fw2mwi3yof.pdf

With this version of the software:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

Good to hear that worked for you!

To answer your question, no that's not something in your control, the NMC2 hardware is starting to show it's age and can no longer keep up with the most modern ciphers, this is in-fact the main reason why the NMC3 has been released.

The NMC2 is still supported and will get updates (for the next year or two, I'm not exactly sure) but it's running close to it max, the NMC3 on the other hand comes with a lot more processing power and will able to keep up with changes in encryption standards for many years.

-Gavan 

This thread is getting hijacked/derailed. If someone has a completely different issue than why is it being posted about here?

I agree with  Cody . It is frankly unacceptable that at this day and age APC doesn't have a method for paying customers to be able to use standard SSL certificates/keys that are accepted pretty much everywhere else. I have never heard of this p15 format until I got this UPS and judging by the extreme lack of tools and documentation on the web, I'd be willing to be most others haven't heard of it either.

It is extremely frustrating that there have been no real solutions given on any of the forum posts made here about this problem. There is no excuse for APC to at least not create some form of conversion tool.

I apologize if I'm coming off strong however I've been dealing with this for hours at this point and the only thread I found with any hope left has been derailed with a completely different issue.

Hi Noah,

With the exception of Cody everyone else who has posted here has been given a solution to their problem and there is literally four links to a step by step guide with every step "screenshotted". 

If you just post what your issue is then I'll be happy to help you.

-Gavan  

So on my network there is a central server running certbot that issues and pushes Let's Encrypt signed HTTPS certs to local devices. What I need to do is to be able to have certbot issue and automatically apply a cert for my NMC.

What I have tried:

• Using 3rd party tools such as this one to convert the PEM files from certbot into p15 files for the NMC. This fails with an error while attempting the conversion.
• Running the APC CLI tool in Wine and passing the csr to certbot using the "certonly" command. Now this process does output a p15 that is uploadable to the NMC. But once applied I can no longer connect to it via HTTPS and keep getting "PR_CONNECT_RESET_ERROR". In addition to not being able to connect, there is no proper way to setup automatic renewals with certbot where the CSR can be passed. However this may be able to be bypassed by having it reuse the private key.

The end goal is to have automatic cert renewals on my certbot server for the NMC. What I really would like is the ability to pass a private key, cert, and CA chain file without needing to deal with CSRs. However if that is not possible I'd at least like to figure out why I'm getting this connection reset error.

Thank you for your time.

Check the time is right on your NMC. That caught me out!

Have you considered just using an internal CA?

It takes about 10-15 minutes to set one up using OpenSSL (since your using Linux) and will allow you to set you're own validity period? I mean what's better than auto renewal, never needing to renew and really the only reason you'd use an externally signed certificate is if you plan on have the server be publicly accessible and under no circumstance could I ever recommend an NMC being exposed to the Internet in that way.

-Gavan

That was it. Thanks!

I've thought of it however my network is setup where multiple devices can access different services via HTTPS and I can't necessarily change the certificate store on those devices.

Hi Noah,

If you find a way to automate the creation of the certificates then this might be useful to you.

The upload process can be automated by using FTP/SCP to connect to the NMC and placing the signed .p15 file in the SSL directory. You don't need to delete the existing cert it will be automatically overwritten.

One thing to watch is that the certs name needs to be in the 8.3 format, I can't remember if the NMC needs to be rebooted afterwards but it's just an SSH command to reboot them.

-Gavan

Thank you for the advice.

I got a system working I'm happy with. For the sake of others who come here I'll put some more info below.

• I use Certbot on CentOS 8. If you use another ACME client there's a good chance there's functionality for auto-renewal of CSR based certs already built-in.
• I already have a domain on auto-renewal so I can just use post hooks to create and sign the cert for the NMC. If you're using Certbot just for the NMC, then I suggest you switch to another ACME client as mentioned above.
• Wine is needed to run the NMC tool. If you're on CentOS like me Red Hat has made it a giant pain as in their infinite wisdom they decided to not keep 32-bit versions in their repos. I wound up using the Raven Extras repo and manually installed the i686 version of wine, wine-core, etc.

1. Create the following directories: "/etc/letsencrypt-APC", "/var/log/letsencrypt-APC", and "/var/lib/letsencrypt-APC" with the reason being certbot won't run multiple instances at the same directories and this script will be ran from a post-hook.
2. Run "cp -r /etc/letsencrypt/accounts /etc/letsencrypt-APC"
3. Create the directory "/etc/letsencrypt-ATC/live/"
4. Create the script /etc/letsencrypt/renewal-hooks/post/APC and fill with 

#!/bin/bash

if [[ $RENEWED_DOMAINS == *"DOMAIN"* ]]; then
  /usr/bin/rm -f /etc/letsencrypt-APC/live/DOMAIN/*
  cd /opt/APC
  /usr/bin/wine /opt/APC/NMCSecurityWizardCLI.exe --csr -o Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-unsigned -c US -g ORG -n DOMAIN 2>/dev/null
  /usr/bin/certbot certonly -n --config-dir /etc/letsencrypt-APC --work-dir /var/lib/letsencrypt-APC --logs-dir /var/log/letsencrypt-APC --cert-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed.pem --fullchain-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed-fullchain.pem --chain-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed-chain.pem -d DOMAIN --csr /etc/letsencrypt-APC/live/DOMAIN/APC-unsigned.csr
  /usr/bin/wine /opt/APC/NMCSecurityWizardCLI.exe --import -o Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-signed -s Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-signed-fullchain.pem -p Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-unsigned 2>/dev/null
  /usr/bin/sshpass -p "apc" /usr/bin/scp /etc/letsencrypt-APC/live/DOMAIN/APC-signed.p15 apc@UPS:/ssl/default-cert.p15
  /usr/bin/sshpass -p "apc" /usr/bin/ssh apc@UPS 2>/dev/null << EOF
    reboot -Y
    exit
EOF
fi

Note that it needs to have perms to be executable. In addition to wine and certbot of course you will need sshpass and NMCSecurityWizardCLI.

This certainly isn't an exact tutorial by any means but I at least wanted to provide my script and some insight considering how difficult this was for me to figure out.

This can be done with wildcard domains if you want. The NMC utility doesn't seem to do anything with chain certs. Fortunately most modern browsers will find the chain in their own store.

Feel free to ask with any questions!

That is some stellar work!