Uploading Private SSL Certificates

Anonymous user · ‎2021-06-30

For years now, many individuals have been asking to upload their private Secure Sockets Layer (SSL) Certificates to their Network Management Cards (NMC):

Some of these forums are older than a decade of individuals asking how to upload their private SSL certificates. After around of month of talking to support staff and researching the topic, there does not seem to be any resolution to this issue. In my last support case, Jeff Bill said that he would pass my case to the (Presumably Software) Engineers for review. I am creating this thread to show that this change will benefit not only myself but also others that use the Schneider Eclectic array of products. Please reply with why you would be in support of this change.

My Why:
Uploading a private SSL to our MNC's will allow for a more cohesive Information Technology (IT) environment. The change will eliminate the annoying security warning that appears when attempting to log into the NMC's and strengthen a security posture within a given IT environment. Because of the versatility of modern SSL certificates (Ex. a Wildcard certificate that covers numerous sub-domains), there is no reason that the NMC should be locked down in this modern era.

My question is, when should we expect to see this change be implemented?

Anonymous user · ‎2021-06-30

I have been following this thread and many others and have been experiencing the same issues while using a Microsoft PKI. I would like to try the 1.0.0 version of the CLI utility but the link appears to be removed. Would it be possible to get a new link to it?

BillP · ‎2021-06-30

Yeah sure, this link has an expiry of 31/12/2020.

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

I'll go back and update my previous links too.

-Gavan

Anonymous user · ‎2021-06-30

Hi mate,

Do you have any advice on this or could you direct me towards where I could download the APC Security Wizard? I cannot find it anywhere.

Many thanks!

Anonymous user · ‎2021-06-30

On 9/7/2020 4:22 AM, Gavan said:
Yeah sure, this link has an expiry of 31/12/2020.

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

I'll go back and update my previous links too.

-Gavan

Thanks, ver 1.0.0 worked without issue. Was able to apply a cert to both of my Galaxy units.

BillP · ‎2021-06-30

Try this:

https://schneider-electric.box.com/s/s54qucbvxbe9qrd32vrqrwkre31e1uaz

-Gavan

Anonymous user · ‎2021-06-30

Aww gez. Sorry I went dark there. Got totally distracted on other projects. Gavan, mind sharing that link again?

Cheers!

BillP · ‎2021-06-30

No worries:

https://schneider-electric.box.com/s/n6gplu3huj8b8laicqtephlcjophgc7k

Good for another week.

-Gavan

Anonymous user · ‎2021-06-30

Hi Gavan,

Just spent hours trying to set up https/ssl but always ran into the following error with version 1.0.1 of NMCSecurityWizardCLI from the website:

Unhandled Exception:
cryptlib.CryptException: -3: Bad argument, parameter 3
[...]

Guessing from the former posts I might need the alternative program version of your last posts... but unfortunately all links are no longer valid:(

Could you please share it again?

Thank you very much,
Sven

BillP · ‎2021-06-30

Hi Sven,

Those links should still be valid they don't expire until the 31/12/20, maybe try again:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

The other thing to note is that the -3 error can be causes if the DNS name is less that 7 characters long, it should be an FQDN anyways so it shouldn't be to hard to make it longer than 7.

-Gavan

Anonymous user · ‎2021-06-30

Hi Gavin,

Thank you very much! It worked like a charm with the alt. binary.

Kind regards,
Sven

DKGame_apc · ‎2021-06-30

I'm also having issues on a new 9640 NMC 3 running the latest firmware.

Pretty much all of our other UPSs have NMC 2 in, and this procedure works fine for those...

1) Generate CSR with NMCSecurityWizardCLI e.g.:

NMCSecurityWizardCLI --csr -o Certs\\ -n . -c GB -m Norfolk -l Gorleston -g "James Paget University Hospitals Trust" -e -i https://domain.name -d -a -k 2048

2) Then I take the CSR file from stage 1 and in the web interface of our Cert Authority, request a new signed cert. This then downloads a .cer file which I move to the same folder as the CSR and original P15 generated in stage 1.

3) Then run NMCSecurityWizardCLI to merge the original P15 and CER files to a -pub .p15 file which gets uploaded to the NMC.

NMCSecurityWizardCLI --import -o Certs\\-pub -s Certs\\.cer -p Certs\\

I then use the Web interface of the NMC to import the new SSL cert. it uploads, and shows in the console if I look into the contents of /ssl, however even though it states "Valid Certificate" - when I click on that link in the NMC, it shows me the self-signed one again.

It only fails like this on this new NMC3 running 1.4.2.1 but the older NMC2 cards with 6.9.6 on work fine.

Anyone got any ideas?

BillP · ‎2021-06-30

Hi David,

If you upload a text file with the exact command used to create the cert (with the actual value), the unsigned .p15 file, the CSR, the cer/crt response from your CA and the signed .p15 to the folder below I can have a look for you:

https://schneider-electric.app.box.com/f/f0022147b18c4fc897394c8c654f9407

-Gavan

tonyc_apc · ‎2021-06-30

Hi Gavan,

I am having the same issue. I have used the NMC utility to generate a CSR and p15 key, then signed the cert with our CA, then used the NMC utility to import the cert and p15 key file and create a p15 cert file. When I run this I get the following error:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

Can you tell me what is going wrong here?

Thank you for any help,

Tony

DKGame_apc · ‎2021-06-30

You need to ensure you're using version 1.0 of the tool. 1.1 doesn't work! I had the same issue when I first started doing this.

With regards to my issue - it was odd but the certificate "took" after the 3rd or 4th attempt at uploading it to the NMC.. I suspect a software issue!

tonyc_apc · ‎2021-06-30

Thank you, where can I find v1.0 ?

Tony

tonyc_apc · ‎2021-06-30

All the previous drop box links to v1.0 are expired Gavan can you put it out there again please???

Thank you,
Tony

tonyc_apc · ‎2021-06-30

Hello Gavan, could you please post the links to ver 1.0.0 of the NMC utility again?

thank you,
Tony

Anonymous user · ‎2021-06-30

I'd also very much like to have v1.0.0

I got ever so slightly closer to a working certificate with v1.0.1 but it seems I'm at a total loss without rolling back to v1.0.0

ScottBUK · ‎2021-06-30

If there are no objections then I don't mind putting v1.0.0 up somewhere.

ScottBUK · ‎2021-06-30

Mods I will remove if requested, but to help people out who are having difficulty I've stuck v1.0.0 on Google Drive:

https://drive.google.com/file/d/1r9BUkOnJsdjhqE1h3VqDTk7ptsr6PpUl/view?usp=sharing

Anonymous user · ‎2021-06-30

Cheers Scott - nice one 🙂 I'll let you all know how I get on

tonyc_apc · ‎2021-06-30

Yes thank you Scott, we don't need a .dll file along with the exe you uploaded do we?

ScottBUK · ‎2021-06-30

Ah yes, forgot cryptlib. Reuploaded with both:

https://drive.google.com/file/d/1tspu3Nf-wtqvp0CKnvAfiSB0PgYsadES/view?usp=sharing

tonyc_apc · ‎2021-06-30

great, thank you!

Anonymous user · ‎2021-06-30

Oh I just renamed the .exe to something else and used the dll files from v1.0.1, turns out they are inter-operable.

v1.0.0 worked for me, just got my first cert signed and loaded on the UPS so just a another 30 odd to do but very happy there is a solution!!

Cheers all!

BillP · ‎2021-06-30

Hey All,

Sorry I was on leave, here a new link for future reference:

https://schneider-electric.box.com/s/2vetd44vxp24j9dudcsupro52xjbq4dl

-Gavan

tonyc_apc · ‎2021-06-30

Thank you everyone! Version 1.0 was the trick to getting it to work!

Tony

tonyc_apc · ‎2021-06-30

Hi Gavan,

Now I am having trouble getting a cert to load on a SmartUPS-1500 with a NMC2 card. I am able to create the .p15 cert ok, after I upload it in the webui, it just keeps saying "loading certificate" eventually the default cert gets regenerated but it keeps saying "loading certificate" until I reboot the nmc. What am I doing wrong?

Tony

ScottBUK · ‎2021-06-30

Have you checked if the date/time are correct on the UPS?

tonyc_apc · ‎2021-06-30

Hi Scott,

yeh I have it connected to our ntp server 😕 I saw your earlier post about time and was hoping that was it , but no unfortunately.

thank you,
Tony

tonyc_apc · ‎2021-06-30

GMhoJVcxfqwP1PkgCihFnQ%3D%3D.png

This is what I get every time I tried to upload a new cert to any of my 9630 NMC2 cards running 6.4.0 or 6.9.6, doesn't matter what version. Same cert works fine on my 9640 NMC3 card. Help!

Thank you,
Tony

BillP · ‎2021-06-30

Hmm, if it works fine on your NMC3 cards but not your NMC2 cards then it might be to do with the security used.

The NMC2 supports certificates up to SHA256RSA, 2048 bit key length and no intermediate certificates.

I can review them if you'd like? Just upload the the unsigned .p15 file, the CER/CRT response from your CA, the signed .p15 file and a text file with the commands you used to the link below:

https://schneider-electric.app.box.com/f/9eb2a0a65ead4f40991eada42446358d

-Gavan

tonyc_apc · ‎2021-06-30

Hi Gavan, sorry for the late response I had other issues happening that I had to address. When I look at the certificate that was generated in the chain there are 2 certs, our Root CA(which is turned off) and our Sub CA which actually signed it. So I assume this sort of setup wouldn't work? RCA-->SCA-->Cert ?

Thank you,
Tony

BillP · ‎2021-06-30

It depends, sometimes you can edit the CER/CRT, file remove the intermediate cert and everything will work.

Open it in notepad
Remove everything before -----BEGIN CERTIFICATE-----
Remove everything after -----END CERTIFICATE-----
Save
Create a new .p15 file by combining the modified cer/crt with the original .p15 file
Upload and test

tonyc_apc · ‎2021-06-30

Hi Gavan,

So I looked at the signed cert I got from our SCA and in it there is only one entry "begin cert" then "end cert". When I look at the cert using windows it shows this as the chain:

uL78Igy7R4aq6mLwHV%2BezA%3D%3D.png

top being our RCA the middle the SCA and then the actual cert on the bottom. I also checked its using Sha256rsa. Any other thoughts? Thank you for your help!!

Tony

BillP · ‎2021-06-30

If you want to upload all the files I requested earlier to the box link I can have a more detailed look.

-Gavan

Anonymous user · ‎2021-06-30

We're generating CSR's and private key's using NMC Security.
The CSR's are being sent to our in-house Microsoft CA.
The CA signed cert and the original private key from the CSR generation are imported using NMC Security.
Attempting to upload and apply the certificate returns "no certificate installed".

Model Number: AP7723

Version: v3.9.2

tonyc_apc · ‎2021-06-30

Hi Gavan,

I wanted to let you know that once I switched to a 2 year certificate from a 5 year template the NMC2 card accepted the certificate. As far as I can tell that was the only difference between the 2 cert templates on our MS CA server. Our NMC3 card will accept the 5 year certificate though! Go figure!

Tony

Anonymous user · ‎2021-06-30

Hey, Did you finally get an answered? I'm having the same issue and is very frustrating.

tonyc_apc · ‎2021-06-30

Yes, 2 things that I needed to know 1) you need version 1.0 of their nmcli wizard to convert your cert to p15 format. 2) if you are using NMC2 cards make sure the cert you generate is 2 years, if NMC3 5 year is ok. Thats about all I know, but at least it got the certs installed on my management cards! HTH

Tony

Anonymous user · ‎2021-06-30

I upgraded the UPS to 6.9.6, and use the 1.0 NSW CLI, The process for generate the key runs smooth and confirm the p15 generate successful but when I try to upload to UPS takes forever.

QqjGP4Un2KPIXG0fLvf5kw%3D%3D.png

iKwdotKELh0k6EOnr7gjmg%3D%3D.png

tonyc_apc · ‎2021-06-30

What is the length of the cert you created on your CA?

tonyc_apc · ‎2021-06-30

Let me clarify, was it a 1 year 2 year, 3 year etc?

Anonymous user · ‎2021-06-30

Is Two Year, length the Key I'm using is 2048.

tonyc_apc · ‎2021-06-30

Ok, NMC2 or NMC3 management card?

Anonymous user · ‎2021-06-30

Is a NMC2 integrated to the UPS.

Anonymous user · ‎2021-06-30

I have installed 30+ certs on NMC2 cards, AP9630 without any issues. We have started to move to NMC3, AP9640, cards and can't seem to get a cert to load. Used the exact same process:

Create .CSR file using NMCSecurityWizard v1.0.0
- NMCSecurityWizardCLI --csr -o timtestsignreq -n device-1.company.com -c US -l "Some City" -g "Companiy" -u "Team Name" -e email@company.com -a 192.168.0.20 -i https://device-1 -d device-1
Go to our internal Cert Auth and create cert using the .csr file dropping everything before and after the Begin and End Cert
Copy .CER to the same folder as the .p15 created in Step 1 above and run the following
- NMCSecurityWizardCLI --import -o upsnewcert -s device-1.cer -p timtestsignreq
  - Results log show it completed without error
Login to UPS and attempt to upload the upnewcert.p15 file
- It spins for a few seconds and the completes
- Check the Cert, it is still the self-generated APC cert
SSH to the UPS and the /ssl folder contains the upsnewcert.p15 file

Any idea why the it does not seem to recognize the cert in the ssl folder?

BillP · ‎2021-06-30

Hi Tim,

Upload the cert via the NMC web interface, the usual way.

Then, can you try to SSH to the NMC3 and issue this command?

ssl key -i ssl/certificate-name.p15

Once you have done the above, run this command to see if the cert is loaded correctly.

ssl cert -s

Please let me know how this goes for you.

Anonymous user · ‎2021-06-30

That did it! Thank you!

Anonymous user · ‎2021-06-30

7h2pUi1mDhA%2FSk6l7I1LJw%3D%3D.png

This is what I get every time I tried to upload a new cert NMC2 cards running 6.9.6, doesn't matter what version. Help!

Thank you,