Uploading Private SSL Certificates

Anonymous user · ‎2021-06-30

For years now, many individuals have been asking to upload their private Secure Sockets Layer (SSL) Certificates to their Network Management Cards (NMC):

Some of these forums are older than a decade of individuals asking how to upload their private SSL certificates. After around of month of talking to support staff and researching the topic, there does not seem to be any resolution to this issue. In my last support case, Jeff Bill said that he would pass my case to the (Presumably Software) Engineers for review. I am creating this thread to show that this change will benefit not only myself but also others that use the Schneider Eclectic array of products. Please reply with why you would be in support of this change.

My Why:
Uploading a private SSL to our MNC's will allow for a more cohesive Information Technology (IT) environment. The change will eliminate the annoying security warning that appears when attempting to log into the NMC's and strengthen a security posture within a given IT environment. Because of the versatility of modern SSL certificates (Ex. a Wildcard certificate that covers numerous sub-domains), there is no reason that the NMC should be locked down in this modern era.

My question is, when should we expect to see this change be implemented?

Anonymous user · ‎2021-09-24

I had a client with two AP9537SUM NMC2 (one v6.5.6 and another v.6.6.4) and the v6.5.6 would only accept the p15 file created with your method using openssl. The v6.6.4 worked fine with a p15 using NMCCLI together with a Windows Server 2019 CA generating the der base64 certificate per this method posted by Mike Shellenberger.

APC SSL creation with Microsoft PKI

I was just about to give up on the v6.5.6...

Thanks for sharing this.

ashish_zd · ‎2022-01-17

This worked perfectly for me!!

I only made change in the DNS.2 to IP.1 = 192.168.240.6 (i.e, management ip of nmc) in subjectAlternateName. This way, the certificate will not show any warning even when accessed by IP address.

Also, had to set the NTP or manually adjust date/time to exact as one post mentioned it, other wise nmc will not be accessible on https:// (you will have to do telent/ssh and enable http, if it is disabled). So the first thing should be to set ntp or date/time correctly.

jabo35810 · ‎2022-01-28

I see several pieces of this post that reference wildcard certs not being supported. i would like a little clarification on that. Would a wildcard cert work if you generated the csr and private key from apc security wizard cli, got the cert signed by a private ca, then married the cert to the key file back in the security wizard? Just trying to get some clarification. Also....I noticed in my older apc network cards they would accept a cert I generated like this that had about 100 SAN entries. The 9641 cards don't accept the same cert. (It is a .p15 generated through apc security wizard cli as well) Thank you in advance.

ssmith1 · ‎2022-09-09

Have used the suggestions in this thread and get the same:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

MrPuch · ‎2022-11-30

Hello together,

yesterday I also struggled also with the SSL Certificates for NMC3, AP9640/AP9641. Reading through this thread I could solve most of the problems, many thanks to all who contributed so far!

First of all:

I used NMCSecurityWizard v1.0.0 (thanks to @ScottBUK for the Link to Google-Drive hier https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/Uploading-Private-SSL-Certificates/td-p/3...), because v1.0.1 produces the following error as reported several times:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

Finally I get stucked at a very similar problem @Anonymous user reported.

I managed to create a CSR and got it signed from my CA. After that I was also able to import it using "NMCSecurityWizardCLI --import" and results log show it completed without error.

BUT: Login to UPS and attempt to upload the newcert.p15 file the browser (I tried 3 different) spins for a few seconds and then it completes but the Cert is still the self-generated APC cert.

In contrast to @Anonymous user report looking via SSH on the UPS in the directory /ssl folder there is no newcert.p15 file.

So I tried uploading it using ftp (which is successful) but the command ssl key -i ssl/certificate-name.p15 as suggested by @BillP just failed also ssl cert -i ssl/certificate-name.p15 The same command without the leading directory "ssl" did also not work. Both commands are from "Command Line Interface Guide".

I've seen that @DKGame_apc reported this problem, too with NMC 3 on firmware version 1.4.2.1. I'm on firmware 2.3.1.1 (latest at the moment)

Has anyone a suggestion why the successful generated certificate is not importable into AP9640/AP9641?

Did anyone managed to upload a third party signed Certificate to NMC3 AP9640/AP9641?

Kind regards

DKGame_apc · ‎2022-11-30

Here's the instructions I wrote for my colleaguies.

1) Create the Certificate Signing Request in NMCSecurityWizard:

NMCSecurityWizardCLI -csr -o UPSName.csr -n upsname.ourdomain.co.uk -c GB -m County -l Town -g "Our organization name" -e ouremail@ourdomain.com -i https://upsname.ourdomain.co.uk -a UPSIPAddress -k 2048

Obviously substituting the generic info there for our real domain, hostname, address details and IP address etc.

2) Generate a signed cert on our certificate server using the WEB-2048 option. Download the signed certificate in ..CER format.

You should now have the following files

the original .CSR and a.P15 file, as well as the .CER file which may or may not be named correctly. Rename it to UPSName.cer

3) Now run NMCSecurityWizardCLI again to merge the .P15 and the .CER file into a properly signed certificate that the UPS will recognize.

NMCSecurityWizardCLI --import -o UPSNamePub -s UPSName.cer -p UPSName.p15

The UPSNamePub file (I think it's a .CER extension) is what you import into the UPS.

Hope this helps.

MrPuch · ‎2022-11-30

Hello @DKGame_apc

thanks for your response. That what you wrote in 1) ist exactly what I did. OK, I skipped the parameter "-i" and "-e" in the signing request but they should be optional and now showstopper.

for 2) I have an external toolchain where I get a .pem certificate from our CA

and 3) (combining the signed certificate with the original key) work also smoothly. The output from NMCSecurityWizardCLI was "Importing certificate 'newcert' has successfully completed." The output is not .CER extension but .p15

-> finally importing this file into the UPS simply don't work. The web frondend doesn't even provide an error message, the eventlog is also empty regarding the import. I've opened a case at apc to see what the report.

PPvD · ‎2022-12-09

Hello,

I can't see the forest through the trees anymore, there are so many threads regarding this issue 😞

I too have "some challenge" adding certificates that have been generated by our internal Microsoft CA to our UPS devices. We recently received a new UPS (AP9640) and flashed the NMC 3 to the latest firmware version "apc_hw21_su_2-3-1-1". I thought I would give it another go but to this point without success. What I have done so far:

Generate a CSR file using the command:

NMCSecurityWizardCLI.exe --csr -o UPS-00001CSR -n UPS-00001.internal.domain -c NL -m NB -l NLD -g "Company Name" -u "Information-Technology" -e no-reply@company.com -a 10.10.10.10 -i https://UPS-00001.company.com -d UPS-00001.company.com

I then processed this .csr on our internal CA and placed the .cer into the same folder as the .p15 and .csr file (I tried both the DER encoded as the BASE64 encoded certificate since I have no idea which one it wants)

I then run the tool again to create the .p15 file that you need to upload to the UPS:

NMCSecurityWizardCLI.exe --import -o UPS-00001SSLCert -s UPS-00001.company.com.cer -p UPS-00001CSR

The tool completes:

NMC Security Wizard Command Line Utility v1.0.0
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------
Certificate's Issuer Information:
Common Name: <internal CA>

Certificate's Subject Information:
Common Name: UPS-00001.company.com
Country: NL
State/Province: NB
Locality: NLD
Organization: Company Name
Organizational Unit: Information Technology
Valid From: 12/09/2022 (GMT)
Valid To: 12/06/2032 (GMT)

Certificate's General Information:
Serial Number: <Serial>
SHA1 Thumbprint: <Thumbprint>

[*] Importing certificate 'UPS-00112SSLCert' has successfully completed.

When I then import the certificate nothing happens, when I verify which certificate is active it shows me the self-signed certificate.

I do have a suspicion... our internal CA signs certificates using signature algorithm sha512RSA and signature hash algorithm sha512 and I think the NMC 3 is not able to handle this but I cannot seem to find any information that can verify my theory?

MrPuch · ‎2023-02-02

Hello together,

thanks @PPvD for your hint with the signature algorithm! Thanks to that and an additional hint I got in-between from my support call at schneider-electric I was (most probably) able to narrow the problem down.

In short: your suspicion is right.

The long story: The support analysed my signed certificate and told me that they have identified a SHA384 and that I should try a SHA256. Since I'm not able to change the signing algorithm from our CA (GEANT) I tried to understand why it should become better when SHA256 is used. Then I remembered that APC uses cryptlib and no OpenSSL for handling Secure Sockets Layer-Certificates. First time I read this somewhere in a different forum but it can also be seen from the often mentioned exception of NMCSecurityWizard v1.0.1 (see above with "cryptlib.CryptException").

Luckily "cryptlib is distributed under a dual license that allows free, open-source use under a GPL-like license and closed-source use under a standard commercial license." The open-source version can be found on this website and thus I did a dive into the details. While the PDF-manual only mentions SHA2/SHA256 "...digest/hash algorithm with a digest/hash size of 256 bits..." a google search for "libcrypt sha384" has as first match the C++ version at github pointing out support for SHA384 and SHA512. To clarify whether the plain C-Code variant is identical in this respect I download the 6.6MB zip-file with source-code and tried to find a proof.

Recursively I found the following:

./crypt/sha2.h

#ifdef SHA_64BIT
# define SHA_384
# define SHA_512
# define NEED_UINT_64T
#endif

OK, we need 64bit for SHA384 and SHA512

#include "crypt.h" /* For USE_SHA2_EXT define via config.h */
#ifdef USE_SHA2_EXT /* pcg */
#define SHA_64BIT
#endif /* USE_SHA2_EXT */

To enable 64bit USE_SHA2_EXT is needed which can be set via config.h

./misc/config.h (and here is the interesting part)

/* As part of the SHA-1 deprecation in 2016, a number of CAs and sites
skipped the obvious SHA-256 and went to SHA-384 or even SHA-512
because they wanted hash functions that go to 11 or even 12. In order
to support this nonsense we unfortunately have to enable the extended
SHA-2's by default, however we don't enable it in limited-memory
environments because the bigger the hash, the larger the code size
and constant tables needed to implement it */

#ifndef CONFIG_CONSERVE_MEMORY
#define USE_SHA2_EXT
#endif /* CONFIG_CONSERVE_MEMORY */

SHA384 and SHA512 and declared as "nonsense" but they are implemented and enabled by default, only in "limited-memory environments" they can be disabled by defining "CONFIG_CONSERVE_MEMORY" at build time.

./makefile (root dir of source) defines CONFIG_CONSERVE_MEMORY for

target-atmel (ARM7 TDMI)
target-emscripten (emscripten, a C-to-Javascript cross-compiler using LLVM)
target-uclinux (ucLinux on ARM: Little-endian)
target-xmk-mb (Xilinx XMK)

I don't know which chips APC is using in AP9640, AP9641, AP9643, etc. but I assume (maybe I should bet) that the cryptlib of APC firmware is build without support for SHA384 and SHA512. The reason can vary of cause from limited memory to small cpu, etc.

However, if libcrypt is the reason why the heck is nowhere within the documentation clearly pointed out that only signing algorithms on SHA2 basis up to 256bit are supported? The "Command Line Interface Guide" for UPS Network Management Card 3 (AP9640, AP9641, AP9643) state the Elliptic Curve Digital Signature Algorithm (ECDSA) with sizes of 256 | 384 | 521 bits and Rivest–Shamir–Adleman (RSA) for public key with a size up to 4096 bits. Although NMCSecurityWizardCLI seems to use RSA SHA256 for signing requests (csr-files) by default SHA2/SHA256 is nowhere mentioned within the documentation!

My conclusion: As long as APC doesn't enable SHA384 / SHA512bit signature algorithm within their libcrypt no customer will be able to successfully import a signed SSL certificate if the CA makes use of that variants. Since there is no error message during import of a certificate to the UPS Network Management Card and no hints within the manual are given many users simply give up (the last surrenders here in the community forum).

Maybe some others here can check now if their signed certificate is using one of the "problematic" signing algorithms, too or (the other way round) if users with a success story always have a certificate with at max SHA256.

Of cause, this documentation is "subject to change" if someone has even more details and I would be glad to hear that I'm wrong by pointing out how to get working setup if the CA only make use of SHA384 / SHA512bit signature algorithms. At the moment of writing in our environment SSL support of UPS Network Management Card 3 is simply broken.

Cheers and all the best.

YvesNr1 · ‎2023-12-31

Could someone please repost the NMC 1.0.0? Always getting the "cryptlib.CryptException: -3: Bad argument, parameter 3" error 😃 thx a lot

gtwallace · ‎2024-02-11

I wrote a free and fully open source tool to replace NMC Security Wizard CLI Utility functionality. It allows you to use standard pem formatted key and certificate to generate a p15 file for the NMC. I even added the ability to directly install the new p15 file via SCP on the NMC.

https://github.com/gregtwallace/apc-p15-tool

Tonkas · ‎2024-05-20

Hi,

thanks for your work. Finally I was able to install a certificate from my PKI to the 9630 card. Works absolutely perfect!

wallacebrf · ‎2024-07-06

There is a new tool which was written to easily allow install of certs for the NMC web interface

https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/SSL-Cert-for-NMC3-Web-Interface/m-p/47630...

Works great for my NMC3 units which up until now I could never get the SSL cert installed

acbd984357 · ‎2024-07-07

Thanks @gtwallace for your tool. That did the trick.

With the self signed cert the NCM3 UI interface was slow and sluggish to navigate. Once I used your tool to import an internally signed cert, the UI amazingly was super responsive to navigate.

It goes without saying that in 2024 that updating a certificate should not have to be this painful. Especially since for us it was only rectified by a third party github hosted tool. This should be provided by the vendor directly.

Pietje · ‎2024-07-08

damm.. wanted to start using SSL on my ups devices. Reading trough all of these comments made me consider. Hopefully there will be a firmware update someday for all NMC cards with a change log that would say "Added ability to use wildcard SSL certificates with own private key, directly upload via web interface".

Will check again in 2 years time..

wallacebrf · ‎2024-07-09

Using @gtwallace tool it is now super easy

I installed my pre signed wild card cert on multiple NMCV3 units quickly and without issue

jseregni · ‎2024-08-08

I am having this issue and would welcome help. I was able to find v.1.0.1 fo the NMC Security Wizard CLI tool. I created a CSR and obtained a default Web server certificate from a Microsoft ADCS CA. When I tried to import the resulting .cer cert using the tool, it threw an exception but yielded a .p15 SSL cer file. The file would not import, however. I read several online posts that said obtaining v.1.0.0 was the answer. I called APC support this morning and opened case number 111006389. An APC technical support representative, named Jeff, email me v.1.0.0. I thought I was home free and told him to close the case. The result with v.1.0.0 is the same as with v.1.0.1. I appears v.1.0.4 of the tool also exists, but I have not been able to find it. I used the tool to create a CA root certificate and an SSL cert. This SSL certificate imported into the NMC successfully, but importing the custom root cert into all my browsers is not a solution. Has anyone succeeded importing an SSL certificate into an NMCv2 using a CSR created by the NMC Security Wizard CLI and an Microsoft Active Directory Certificate Services CA? If so, I would love to know what the trick is to get this to work. Thanks!