Uploading Private SSL Certificates

APC UPS Data Center & Enterprise Solutions Forum

Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:07 AM . Last Modified: ‎2024-03-08 03:12 AM

0 Likes
For years now, many individuals have been asking to upload their private Secure Sockets Layer (SSL) Certificates to their Network Management Cards (NMC):

  • https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/bd-p/datacenter-forum
  • https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/bd-p/datacenter-forum
  • https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/Can-t-Import-SSL-Cert-Into-NMC/td-p/33241...
  • https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/Installing-SSL-on-APC-Smart-UPS-SRT-6000/...
  • https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/bd-p/datacenter-forum

Some of these forums are older than a decade of individuals asking how to upload their private SSL certificates. After around a month of talking to support staff and researching the topic, there does not seem to be any resolution to this issue. In my last support case, Jeff Bill said that he would pass my case to the (presumably Software) Engineers for review. I am creating this thread to show that this change will benefit not only myself but also others that use the Schneider Electric array of products. Please reply with why you would be in support of this change.

My Why:
Uploading a private SSL to our NMCs will allow for a more cohesive Information Technology (IT) environment. The change will eliminate the annoying security warning that appears when attempting to log into the NMCs and strengthen a security posture within a given IT environment. Because of the versatility of modern SSL certificates (Ex. a Wildcard certificate that covers numerous sub-domains), there is no reason that the NMC should be locked down in this modern era.

My question is, when should we expect to see this change be implemented?

Labels: UPS Management Devices & PowerChute Software
Tags: certificates, information, NMC, security, ssl, upc

Accepted Solutions
ScottBUK
Ensign

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:09 AM

0 Likes
Hi Gavan,

That (older) version of NMCSecurityWizardCLI works. You might want to make that more easily accessible!

A note regarding the configuration of the certificates that someone else will hopefully find useful one day - I set keyUsage to keyEncipherment and digitalSignature. Enabling keyAgreement and/or nonRepudiation caused the PDU to get stuck 'Loading certificate...'

Also make sure you have a subjectKeyIdentifier.

Regards,

Scott

tonyc_apc
Ensign

Posted: ‎2021-06-30 05:13 AM . Last Modified: ‎2024-03-08 03:00 AM

0 Likes
Hi Gavan,

     I am having the same issue.  I have used the NMC utility to generate a CSR and p15 key, then signed the cert with our CA, then used the NMC utility to import the cert and p15 key file and create a p15 cert file.  When I run this I get the following error:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

Can you tell me what is going wrong here?

Thank you for any help,

Tony

Replies 120

BillP
Administrator

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:12 AM

0 Likes
Hi Cody,

There is a feature request to change the way SSL certificates are handled by the NMC but no clear time frame on its implementation. In the meantime I'd be happy to help you with your issue.

Do you already have a support ticket open? If so, can you provide me the case number?

-Gavan

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:12 AM

0 Likes
My current issue is that I would like to use an already signed wildcard certificate for our NMCs. What is the next step to proceed? I already tried using the Security Wizard CLI to no avail.

BillP
Administrator

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
Hi Cody,

Sorry, at present this is not possible. Neither pre-signed certificates nor wildcard certificates are supported; you can only use certs that have been created by the security wizard.

The process is you create a CSR and private key with the security wizard, sign the CSR with your internal or corporate CA and finally combine the signed request with the private key using the security wizard.

If you require any help with this process, please let me know.

-Gavan 

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
Is there a way us consumers can see the progress on when that feature will be implemented? It's been a topic of conversation for some time as indicated by some of the posts.

BillP
Administrator

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
Unfortunately not. Even with the request submitted there is no guarantee that it will be accepted and no time-frames are provided. Also this would not be a very high priority request that would require a huge rework in the SSL system.

  

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
How long has the request been submitted for? Are there any Service-Level Agreements (SLA) established for support requests and if so, what are those?

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
Hey Gavan,

Just wondering if you have any update on the SLA requirements on the software development team?

BillP
Administrator

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
Hi Cody,

There is no SLA; this is an enhancement request, not a support request, and not a high priority one as there is currently a way to add certificates to an NMC2.

As I've said previously if you'd like to learn how to use our current tools I'd be happy to help.

-Gavan 

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:11 AM

0 Likes
Thank you for the offer Gavan, but I have already used the Security Wizard CLI to create a self-signed certificate for our devices. My main goal is to get rid of the annoying security warning when attempting to connect to Network Management Cards (NMC), which could be done with the certificates we purchased.

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
Gavan,

Does the Network Management Card 3 (NMC 3) have the ability to upload private SSL certificates?

BillP
Administrator

Posted: ‎2021-06-30 05:08 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
The NMC3 uses the same process as the NMC1 and NMC2.

Have you considered deploying an internal CA? Here's a great guide on how to do it with Windows Server: https://www.starwindsoftware.com/blog/using-the-microsoft-certificate-authority-to-get-rid-of-those-...

There are similar guides to do it with Linux and OpenSSL.

-Gavan

ScottBUK
Ensign

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
I'm also having a problem uploading SSL certificates to my Rack PDUs. It's an essential requirement for me; we aren't permitted to have self-signed certificates in our infrastructure. We also don't really want to use a wildcard certificate or public CA.

I've tried two different ways:

  • Generate CSR using NMCSecurityWizardCLI.exe, sign using our internal OpenSSL CA and then reimport using NMCSecurityWizardCLI.exe. This gives me a bad argument error and fails.
  • Generate CSR using Security Wizard v1.04, sign using our OpenSSL CA and then reimport using Security Wizard again. This gives me an error -32. I've seen mention of it when people have this when not using the Web Server template from Windows Certificate Services, but not with OpenSSL.

I haven't even managed to get to the point where I can upload the certificate to the PDU. I've got a case open with APC about NMCSecurityWizard, but there doesn't seem to be any way to check the progress.

Looking at how poorly certificates have been handled for a long time now and the lack of progress, perhaps it may be worth considering another vendor's solution instead.

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
Hey Scott,

It does seem certificate management has been and is being handled poorly. We've been looking into solutions from CyberPower and their Remote Management Card. According to their Security Guide, you can upload your own certificate in the PEM format. I feel that APC should allow us to convert our existing certificates into the format that is accepted by their UPS. Come upgrade time and this capability is not met, we'll most likely end our support contract and buy from CyberPower.

BillP
Administrator

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
Hi Scott, 

Can you tell me what your case number is and I can check its progress?

Can you also try using the following version of Security Wizard:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

BillP
Administrator

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
Hi Cody,

Please don't post unless you're going to try and be helpful. Scott's issue is not the same as yours and can easily be resolved.

-Gavan

Anonymous user
Not applicable

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:10 AM

0 Likes
Hey Gavan,

I feel my insights and knowledge are helpful in his or her situation. I provided links and research on products that would work within the environment, as described. A simple key conversion tool or just the ability to supply our keys in the standard format would subside many of the issues I linked and that are within the forum posts.

If my issue is easily solvable, would you be able to tell me how to upload a wildcard certificate to the NMC? When I attempt to upload the certificate, I get an error -32.

ScottBUK
Ensign

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:09 AM

0 Likes
Hi Gavan,

That (older) version of NMCSecurityWizardCLI works. You might want to make that more easily accessible!

A note regarding the configuration of the certificates that someone else will hopefully find useful one day - I set keyUsage to keyEncipherment and digitalSignature. Enabling keyAgreement and/or nonRepudiation caused the PDU to get stuck 'Loading certificate...'

Also make sure you have a subjectKeyIdentifier.

Regards,

Scott

BillP
Administrator

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:09 AM

0 Likes
I've spent days trying to figure out how to get an SSL certificate to load in our NMCs.  Scott's post above helped to put me on a path of enlightenment.

I used the NMC's self-signed certificate as a "MODEL" certificate of what it seemed to be accepting. That's when I noticed the differences that I needed to correct. Mainly the extended key usage definition, and the non-standard "critical" setting on the extended Key Usage and basicConstraints extensions. But the biggest realization is that your CN and alt_names (SAN) have a huge impact on whether the certificate will be accepted or rejected. I'd imagine this is what most people are having problems with. Since there is absolutely NO error feedback, it's virtually impossible to figure anything out without a LOT of trial and error. Your programmers need to learn how to 1) provide an error message, 2) provide a useful error message when one is given.

I surely hope the information below will help others that are having NMC certificate problems.

Applies to:
0M-9631SY (AP9631): APC AOS v6.8.8
AP8959NA3: APC AOS v6.8.2

NMCSecurityWizardCLIUtility_v100.zip: 585,444 bytes
NMCSecurityWizardCLI.exe: 91,136 bytes
cl32.dll: 1,181,184 bytes

Example of a working Process:

0. Renamed NMCSecurityWizardCLI.exe to NMC.exe
1. Create CSR using NMC.exe:

C:\NMCcli>NMC --csr -o symmetra -n symmetra -c US -m Illinois -l Maywood -g "Company Name Inc" -u "Information Technology" -e it@companyname.com -a 192.168.10.2 -i http://www.companyname.com -d symmetra.companyname.com -k 1024

2. Renamed symmetra.p15 to symmetrak.p15
3. Transferred symmetra.csr to internal company CA host
4. We use openssl. Using the NMC's self-signed certificate as a "Model"
certificate for what the NMC seems to accept, we modified openssl.cnf
(in the "[ usr_cert ]" section) so that:

a. All Netscape options/extensions were disabled
b. ONLY X.509 extensions were allowed, in this exact order:

1. Subject Key Identifier - Entry in openssl.cnf: subjectKeyIdentifier=hash
2. Key Usage - Entry in openssl.cnf: keyUsage=critical,digitalSignature,keyEncipherment
3. Basic Constraints - Entry in openssl.cnf: basicConstraints=critical,CA:FALSE
4. Subject Alternative Name - Entry in openssl.cnf: subjectAltName=@alt_names

[ alt_names ]
DNS.1 = symmetra.companyname.com
DNS.2 = 192.168.10.2

5. Copy "symmetra.csr" to "/etc/pki/tls/misc/newreq.pem"
6. Signed the certificate request:

[/etc/pki/tls/misc]# ./CA.pl -sign

7. openssl creates a signed certificate and puts it in newcert.pem
8. Copy newcert.pem to symmetra.crt
9. Copy newcert.pem to ssymmetra.crt (short symmetra.crt)
10. Edit ssymmetra.crt to REMOVE the human-readable certificate information
BEFORE the "-----BEGIN CERTIFICATE-----" line. The NMCSecurityWizardCLI.exe
pukes when trying to create the .p15 file for upload and there is more
than just the base64 certificate information present in the certificate file.
11. Transfer ssymmetra.crt to the Windows machine where NMC.exe exists and where the .p15
private key created along with the CSR is located.

12. Create the certificate file for upload to the NMC:

C:\NMCcli>NMC --import -o symCERT -s ssymmetra.crt -p symmetrak

If successful, you'll get something like:

NMC Security Wizard Command Line Utility v1.0.0
(c) Copyright 2018 Schneider Electric. All rights reserved.
-----------------------------------------------------------------------------
Certificate's Issuer Information:
Common Name: Company Name Root CA
Country: US
State/Province: IL
Locality: Maywood
Organization: Company Name, Inc
Organizational Unit: www.companyname.com

Certificate's Subject Information:
Common Name: symmetra
Country: US
State/Province: Illinois
Locality: Maywood
Organization: Company Name Inc
Organizational Unit: Information Technology
Valid From: 08/05/2020 (GMT)
Valid To: 08/03/2030 (GMT)

Certificate's General Information:
Serial Number: 00:CB:45:34:3D:6E:DD:E8:F4
SHA1 Thumbprint: 21:69:81:CE:BB:58:53:C3:A8:EE:1A:8F:14:25:BD:E0:24:A7:5A:93

[*] Importing certificate 'symCERT' has successfully completed.

13. Connect to the NMC Web Interface, and login. Navigate to:

Configuration > Network > Web > SSL Certificate

Click the "Choose File" button. Navigate to the Windows
file where your "symCERT.p15" was created, and "Open" it.

14. The filename will be displayed next to the "Choose File" button.
Click "Apply" to load certificate into the NMC.

15. If all goes well, it will only take about 10 seconds for the
certificate to load. There is absolutely no good feedback in
the browser as to what happens. From extensive testing, I
found that 10 seconds usually meant it worked, and 60 seconds
meant that it failed.

If successful, the NMC will immediately start to use it. You should log out and then log in to the NMC to fully utilize the new certificate.

If unsuccessful, the NMC will take about 60 seconds to regenerate a brand new self-cert and install it, and give control back to the
user. You'll see this if you inspect the certificate after trying to connect to the NMC after 60 seconds. The cert will only be 2-3 minutes
old.

If successful, these will work:
https://symmetra.companyname.com
or https://192.168.10.2/

This will not work, you get a browser security warning:
https://symmetra

Plus you cannot add "symmetra" to the alt_names to get it to work.

This table took quite some time to create, but will help to explain what APC support hasn't been able to figure out. When I create certificates, I
like to be able to use something like:

https://pdu.companyname.com
or https://192.168.10.2
or https://pdu/

In order to do that, you specify all three as alt_names. But if you use "pdu" as one of the entries for an alt_name, that causes the NMC
to REJECT the SSL certificate for some unknown reason. 

The APC NMC will also almost always reject the SSL Certificate if you use a FQDN for the CN. There is only one exception to that, and then that is NOT to use ANY alt-names.

This table outlines what works, and more importantly what does NOT work.

Result  Test    CN            AltName[1]   AltName[2]    AltName[3]
=====================================================================================
fails   PDU1:   pdu           pdu.dom.com  pdu           bluepdu.dom.com (2 more)
fails   PDU2:   pdu           pdu.dom.com  pdu           bluepdu.dom.com (2 more)
fails   PDU3:   pdu           pdu.dom.com  pdu           192.168.10.3
loads   PDU4:   pdu
loads   PDU5:   pdu.dom.com
loads   PDU6:   pdu           pdu.dom.com
loads   PDU6b:  pdu           pdu.dom.com  192.168.10.3
fails   PDU6c:  pdu           pdu.dom.com  192.168.10.3  pdu
fails   PDU7:   pdu.dom.com   pdu.dom.com  pdu           192.168.10.3
fails   PDU7b:  pdu.dom.com   pdu.dom.com  pdu
FAILS   PDU7c:  pdu.dom.com   pdu
fails   PDU8:   5A1833E07049  pdu.dom.com  pdu

fails: NMC card fails to load certificate, and generates a new self-signed cert.
loads: NMC card loads certificate, and immediately starts to use it in
about 10-15 seconds

Hopefully, APC will make this a less painful process. I wonder how many man-hours have been wasted trying to get a working certificate on an APC device.

Reply
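
Two checks drawn from the post above, written as an added Python example (not the poster's script and not APC tooling): keeping only the PEM block that step 10 requires, and testing a planned CN/SAN set against the two patterns visible in the table. Function names and the sample file text are assumptions made for illustration, and the name rules reflect only the table and the firmware versions listed in that post.

```python
import base64
import ipaddress
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_pem_certificate(text):
    """Keep only the first PEM block; drop any text dump in front of it."""
    match = PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())
    der = base64.b64decode(body, validate=True)   # raises on non-base64 junk
    if not der.startswith(b"\x30"):               # X.509 is a DER SEQUENCE
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return ("-----BEGIN CERTIFICATE-----\n" + wrapped +
            "\n-----END CERTIFICATE-----\n")


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
    except ValueError:
        return False
    return True


def predict_load(cn, sans):
    """Return (loads, reasons) using the two patterns visible in the table."""
    reasons = []
    short = [s for s in sans if "." not in s and not _is_ip(s)]
    if short:
        reasons.append("short host name in subjectAltName: " + ", ".join(short))
    if sans and "." in cn and not _is_ip(cn):
        reasons.append("FQDN common name used together with subjectAltName")
    return (not reasons, reasons)


# Rows transcribed from the table in the post: (test, CN, SANs, observed).
# PDU1/PDU2 mention "(2 more)" SANs that the post does not name; omitted here.
POST_TABLE = [
    ("PDU1", "pdu", ["pdu.dom.com", "pdu", "bluepdu.dom.com"], "fails"),
    ("PDU2", "pdu", ["pdu.dom.com", "pdu", "bluepdu.dom.com"], "fails"),
    ("PDU3", "pdu", ["pdu.dom.com", "pdu", "192.168.10.3"], "fails"),
    ("PDU4", "pdu", [], "loads"),
    ("PDU5", "pdu.dom.com", [], "loads"),
    ("PDU6", "pdu", ["pdu.dom.com"], "loads"),
    ("PDU6b", "pdu", ["pdu.dom.com", "192.168.10.3"], "loads"),
    ("PDU6c", "pdu", ["pdu.dom.com", "192.168.10.3", "pdu"], "fails"),
    ("PDU7", "pdu.dom.com", ["pdu.dom.com", "pdu", "192.168.10.3"], "fails"),
    ("PDU7b", "pdu.dom.com", ["pdu.dom.com", "pdu"], "fails"),
    ("PDU7c", "pdu.dom.com", ["pdu"], "fails"),
    ("PDU8", "5A1833E07049", ["pdu.dom.com", "pdu"], "fails"),
]


def table_mismatches():
    """Names of table rows whose observed result the two rules do not explain."""
    bad = []
    for test, cn, sans, observed in POST_TABLE:
        predicted = "loads" if predict_load(cn, sans)[0] else "fails"
        if predicted != observed:
            bad.append(test)
    return bad


# Constructed sample: a text dump followed by a PEM block whose body is a
# 5-byte DER placeholder, not a real certificate.
SAMPLE_NEWCERT = (
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode() + "\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(extract_pem_certificate(SAMPLE_NEWCERT), end="")
    print("rows not explained by the rules:", table_mismatches())
    print(predict_load("pdu.dom.com", ["pdu.dom.com", "pdu"]))
```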

ScottBUK
Ensign

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:09 AM

0 Likes
Interesting; I was able to get my NMC to accept a certificate that had the non-FQDN name as a SAN.

I created a script that automates it for me, happy to share the steps I used later on when I'm back at my PC.

ScottBUK
Ensign

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:09 AM

0 Likes
So today I rolled out certificates to all my Rack PDUs (NMC2 AP9538 v6.8.2) and all worked fine with CN as FQDN mypdu.mydomain and SAN with FQDN mypdu.mydomain and hostname mypdu.

I also needed to put a certificate on a SmartUPS (NMC2 AP9631 v6.8.8) as well - and that didn't work. It accepted the certificate as valid (and if you connect via HTTP the SSL cert menu shows the certificate as valid, with its details) but HTTPS is now broken and I'm no longer able to connect.

No difference in the process for generating them at all.

I'll try tomorrow leaving off the SAN completely, but this already means that different processes/certificates work for different devices which is terrible!

ScottBUK
Ensign

Posted: ‎2021-06-30 05:09 AM . Last Modified: ‎2024-03-08 03:09 AM

1 Like
If it helps anyone, here's what I did for my Rack PDUs using the version of NMCSecurityWizardCLI above (v1.0.0):

Create config file: mypdu.cfg containing:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:mypdu.mydomain, DNS:mypdu

Then run the following commands:

 

NMCSecurityWizardCLI --csr -o mypdu-csr -n mypdu.mydomain -c GB -m England -l County -g Org -u Dept -e contact@mydomain

openssl x509 -req -in mypdu-csr.csr -CA myca.crt -CAkey myca.key -CAcreateserial -out mypdu-cert.crt -extfile mypdu.cfg -days 3650

NMCSecurityWizardCLI --import -o mypdu-apc -s mypdu-cert.crt -p mypdu-csr

 

This gives you a mypdu-apc.p15 file that works with the Rack PDUs.

Anonymous user

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:09 AM

0 Likes

Hey Gavan,

Still wondering if you can resolve my issue. How am I able to upload a pre-signed wildcard certificate to my NMC?

I look forward to your response.

BillP
Administrator

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

Hi Cody,

As I've already stated, pre-signed certificates are not supported, nor are wildcard certificates. This is not going to change in the near to medium term.

-Gavan

Anonymous user

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

Yes, you did state that before, but now I'm confused. You said my problem could be easily resolved, what are you referring to?

BillP
Administrator

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

If you read back on the posts I had asked you to not comment on other people's issues that were different to yours as their issues could be easily resolved. As you can see Scott's issue was easily resolved. 

I also commented that you could resolve your problem by deploying an internal PKI or CA.

ScottBUK
Ensign

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

I'm still having absolutely no success with certificates for an NMC2 in a SmartUPS 1500.

I've tried differing combinations of SAN, CN with FQDN/shortname etc without joy.

The PDU accepts the certificate and reports it as valid, however HTTPS connections are immediately reset by the PDU. It's the last device to get working, any help would be appreciated.

BillP
Administrator

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

Can you post the command that you're using to create the cert for the Smart-UPS and also the version of firmware it's on and I can try it here and help narrow down the cause of the issue?

-Gavan

ScottBUK
Ensign

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

Create pdu-0.cfg containing:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net, DNS:pdu-0

Then running the commands:

NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -c GB -m England -l mytown -g myorg -u myorg -e support@mydomain.com

openssl x509 -req -in pdu-0-csr.csr -CA e:\ca.crt -CAkey e:\ca.key -CAcreateserial -out pdu-0-temp.crt -extfile pdu-0.cfg -days 3650

NMCSecurityWizardCLI --import -o pdu-0 -s pdu-0-temp.crt -p pdu-0-csr

As said I've tried various combinations involving SAN/no-SAN, FQDN, shortname, IP etc. The PDU accepts the certificate and reports "Valid Certificate" in the GUI, but HTTPS issues a reset as soon as the browser sends a TLS Client Hello.

Hardware Factory
Model Number: AP9631
Hardware Revision: 08
Manufacture Date: 07/08/2019

Application Module
Name: sumx
Version: v6.8.8
Date: May 4 2020
Time: 12:17:01

APC OS (AOS)
Name: aos
Version: v6.8.8
Date: Apr 28 2020
Time: 17:21:52

APC Boot Monitor
Name: bootmon
Version: v1.0.9
Date: Mar 27 2019
Time: 16:23:06

Regards,

Scott

BillP
Administrator

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:08 AM

0 Likes

Hi Scott,

You mention PDU a few times but the application data says SUMX, so I take it the PDU is a mistake and that you're actually talking about a Smart-UPS?

Either way I tested this using the same card and the same firmware details that you have given, try the following:

pdu-0.cfg:

basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:pdu-0.mydomain.net

Commands:

NMCSecurityWizardCLI --csr -o pdu-0-csr -n pdu-0.mydomain.net -d pdu-0.mydomain.net -c GB -m England -l mytown -g myorg -u myorg

openssl x509 -req -in pdu-0-csr.csr -CA e:\ca.crt -CAkey e:\ca.key -CAcreateserial -out pdu-0-temp.crt -extfile pdu-0.cfg -days 3650

NMCSecurityWizardCLI --import -o pdu-0 -s pdu-0-temp.crt -p pdu-0-csr

*** Ensure "subjectAltName = DNS:xx.xxxx.xx" matches "-d xx.xxxx.xx" 

ScottBUK
Ensign

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

I've followed those steps exactly; the certificate is created and imported, but still causes HTTPS to die.

ScottBUK
Ensign

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

Given this only applies to one UPS (all our others are Rack PDUs which I have working) and the amount of time being spent on this (our CA is in a secure room under dual control, so is a manual task) I've decided to just disable HTTPS for now (HTTP is already disabled) and manage it via SSH, enabling HTTPS only for the times it's required.

There's no error messages (in fact even when HTTPS is broken, the UPS GUI reports the certificate is valid) and no logging.

APC really need to consider getting their act together with regards to certificate handling. It's terrible, no other device I've come across is this much of a pain. It's really not what you would consider an enterprise class device in that regard.

BillP
Administrator

Posted: 2021-06-30 05:10 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

Hi Scott,

I've sent an email to you directly (provided the email given at sign-up is correct), I can help you do some more troubleshooting that you might not want put on a public forum.

-Gavan

ScottBUK
Ensign

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

Hi,

Thanks for the offer - I've actually managed to resolve this myself this morning. Seems NTP traffic was being blocked and the UPS date/time had got a couple of days behind.

Fixed NTP and all is well now!

Regards,

Scott

Anonymous user

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

I have an AP9631 and have been struggling with the SSL CLI utility. I have read a few places that the "APC Security Wizard" is required but I cannot find the download for it.

I am able to generate the CSR then I go to my MS AD CA and request the cert no problem. When I go back to the CLI to run the import command, I get the following:

Unhandled Exception: cryptlib.CryptException: -3: Bad argument, parameter 3
at NMCSecurityWizardCLI.Program.ImportSignedCSR(String sCertFile, String sKeyFile, String sOutFile)
at NMCSecurityWizardCLI.Program.Main(String[] args)

The log says the cert was created. Then I go to the web interface for the NMC and upload the p15 file, I always get "no file chosen." I tried downloading the CA file several different ways but to no avail. I feel like I am missing something silly.

Sorry to chain off the thread. This was the most up to date thread I could find. 

Any advice or guidance would be appreciated.

Cheers!

ScottBUK
Ensign

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

Try using this version (1.0):

https://schneider-electric.box.com/s/sxlkk4nljylwnyjzno3trr1ilvz46e1r

I believe the newer v1.1 has some issues with the formatting of the files, so using v1.0 makes it easier - especially if you're scripting it.

BillP
Administrator

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:07 AM

0 Likes

Hi Timothy,

Can you try this guide:

https://schneider-electric.box.com/shared/static/np70ytdetyghut1hc1kpu7fw2mwi3yof.pdf

With this version of the software:

https://schneider-electric.box.com/s/ct021cml940zdj50al4zhocjyczf13v8

-Gavan

Anonymous user

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

WoW! That worked. Many thanks fellas!

I was looking at Chrome and the cert looks valid from that standpoint. When I look at the Dev Tools > Security tab, I see the following:

Connection - obsolete connection settings
The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-384, and AES_128_CBC with HMAC-SHA1.
  • AES_128_CBC is obsolete. Enable an AES-GCM-based cipher suite.

Sorry for the silly question, is that something that is controlled by the MS AD CA or CSR?

Cheers!

BillP
Administrator

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

Good to hear that worked for you!

To answer your question, no that's not something in your control, the NMC2 hardware is starting to show its age and can no longer keep up with the most modern ciphers, this is in fact the main reason why the NMC3 has been released.

The NMC2 is still supported and will get updates (for the next year or two, I'm not exactly sure) but it's running close to its max, the NMC3 on the other hand comes with a lot more processing power and will be able to keep up with changes in encryption standards for many years.

-Gavan 

Anonymous user

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

That makes sense. I understand the equipment is getting older. This is me tinkering in my lab trying to learn more and more. Thank you!

That being said... 🙂 If you can't help, I totally understand...

I have an AP7830 and wanted to put certs on that. I am positive those encryption variants are old, weak, and deprecated. I figure better something than nothing. Do you have any guides or tricks up your sleeve for those? I tried the version of the CLI utility to no avail. Is the Security Wizard app required for the PDUs? I am running the 3.9.2 firmware. I believe that was the newest/latest version?

Thanks a thousand!

noahajac_apc
Crewman

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

This thread is getting hijacked/derailed. If someone has a completely different issue then why is it being posted about here?

I agree with Cody. It is frankly unacceptable that at this day and age APC doesn't have a method for paying customers to be able to use standard SSL certificates/keys that are accepted pretty much everywhere else. I have never heard of this p15 format until I got this UPS and judging by the extreme lack of tools and documentation on the web, I'd be willing to bet most others haven't heard of it either.

It is extremely frustrating that there have been no real solutions given on any of the forum posts made here about this problem. There is no excuse for APC to at least not create some form of conversion tool.

I apologize if I'm coming off strong however I've been dealing with this for hours at this point and the only thread I found with any hope left has been derailed with a completely different issue.

BillP
Administrator

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

Hi Noah,

With the exception of Cody everyone else who has posted here has been given a solution to their problem and there are literally four links to a step by step guide with every step "screenshotted".

If you just post what your issue is then I'll be happy to help you.

-Gavan  

noahajac_apc
Crewman

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

So on my network there is a central server running certbot that issues and pushes Let's Encrypt signed HTTPS certs to local devices. What I need to do is to be able to have certbot issue and automatically apply a cert for my NMC.

What I have tried:

  • Using 3rd party tools such as this one to convert the PEM files from certbot into p15 files for the NMC. This fails with an error while attempting the conversion.
  • Running the APC CLI tool in Wine and passing the csr to certbot using the "certonly" command. Now this process does output a p15 that is uploadable to the NMC. But once applied I can no longer connect to it via HTTPS and keep getting "PR_CONNECT_RESET_ERROR". In addition to not being able to connect, there is no proper way to set up automatic renewals with certbot where the CSR can be passed. However this may be able to be bypassed by having it reuse the private key.

The end goal is to have automatic cert renewals on my certbot server for the NMC. What I really would like is the ability to pass a private key, cert, and CA chain file without needing to deal with CSRs. However if that is not possible I'd at least like to figure out why I'm getting this connection reset error.

Thank you for your time.

ScottBUK
Ensign

Posted: 2021-06-30 05:11 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

Check the time is right on your NMC. That caught me out!

BillP
Administrator

Posted: 2021-06-30 05:12 AM. Last Modified: 2024-03-08 03:06 AM

0 Likes

Have you considered just using an internal CA?

It takes about 10-15 minutes to set one up using OpenSSL (since you're using Linux) and will allow you to set your own validity period? I mean what's better than auto renewal, never needing to renew and really the only reason you'd use an externally signed certificate is if you plan on having the server be publicly accessible and under no circumstance could I ever recommend an NMC being exposed to the Internet in that way.

-Gavan
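
An added example, not part of any post in this thread: it builds a throwaway internal CA with OpenSSL, signs a device certificate with the extension file quoted earlier, and then checks the two conditions raised here, namely that the SAN covers the name used to reach the device and how the certificate looks to a clock that is a couple of days behind. Assumptions: OpenSSL 1.1.1 or later, "openssl req -new" standing in for "NMCSecurityWizardCLI --csr", and a constructed CA name and file names.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: OpenSSL 1.1.1 or later;
# "openssl req -new" stands in for "NMCSecurityWizardCLI --csr"; the CA name
# and every file name below are constructed for the demonstration.

# make_lab_ca DIR: create a throwaway self-signed root (DIR/ca.key, DIR/ca.crt).
make_lab_ca() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -keyout "$1/ca.key" -out "$1/ca.crt" -days 3650 2>/dev/null
}

# sign_device_csr DIR FQDN: create a CSR for FQDN and sign it with the lab CA,
# using the extension file from the thread (one DNS SAN equal to the CN).
sign_device_csr() {
  cat > "$1/dev.cfg" <<EOF
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = keyEncipherment, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$2
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null || return 1
  # Same signing command as in the thread, pointed at the lab CA.
  openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/dev.crt" -extfile "$1/dev.cfg" -days 3650 2>/dev/null
}

# san_matches CERT NAME: succeeds when NAME is covered by the certificate.
san_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_state_at CA CERT EPOCH: validate CERT the way a clock reading EPOCH
# (Unix seconds) would see it. Prints ok, not-yet-valid, expired or invalid.
cert_state_at() {
  if _out=$(openssl verify -attime "$3" -CAfile "$1" "$2" 2>&1); then
    echo ok
    return 0
  fi
  case $_out in
    *"not yet valid"*) echo not-yet-valid ;;
    *"has expired"*)   echo expired ;;
    *)                 echo invalid ;;
  esac
  return 1
}

# demo: run the checks on constructed data and print what each clock would see.
demo() {
  d=$(mktemp -d) || return 1
  make_lab_ca "$d" && sign_device_csr "$d" pdu-0.mydomain.net || { rm -rf "$d"; return 1; }
  now=$(date +%s)
  for name in pdu-0.mydomain.net pdu-0; do
    san_matches "$d/dev.crt" "$name" && echo "SAN covers $name" \
      || echo "SAN does not cover $name"
  done
  echo "clock correct:         $(cert_state_at "$d/ca.crt" "$d/dev.crt" "$now")"
  echo "clock two days behind: $(cert_state_at "$d/ca.crt" "$d/dev.crt" $((now - 2 * 86400)))"
  rm -rf "$d"
}

demo
```

A freshly signed certificate reports not-yet-valid to a clock that is two days behind, which is consistent with the NTP fix reported earlier in the thread.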

noahajac_apc
Crewman

Posted: 2021-06-30 05:12 AM. Last Modified: 2024-03-08 03:05 AM

0 Likes

That was it. Thanks!

noahajac_apc
Crewman

Posted: 2021-06-30 05:12 AM. Last Modified: 2024-03-08 03:05 AM

0 Likes

I've thought of it however my network is set up where multiple devices can access different services via HTTPS and I can't necessarily change the certificate store on those devices.

BillP
Administrator

Posted: 2021-06-30 05:12 AM. Last Modified: 2024-03-08 03:05 AM

0 Likes

Hi Noah,

If you find a way to automate the creation of the certificates then this might be useful to you.

The upload process can be automated by using FTP/SCP to connect to the NMC and placing the signed .p15 file in the SSL directory. You don't need to delete the existing cert it will be automatically overwritten.

One thing to watch is that the cert's name needs to be in the 8.3 format, I can't remember if the NMC needs to be rebooted afterwards but it's just an SSH command to reboot them.

-Gavan

noahajac_apc
Crewman

Posted: 2021-06-30 05:12 AM. Last Modified: 2024-03-08 03:05 AM

2 Likes

Thank you for the advice.

I got a system working I'm happy with. For the sake of others who come here I'll put some more info below.

  • I use Certbot on CentOS 8. If you use another ACME client there's a good chance there's functionality for auto-renewal of CSR based certs already built-in.
  • I already have a domain on auto-renewal so I can just use post hooks to create and sign the cert for the NMC. If you're using Certbot just for the NMC, then I suggest you switch to another ACME client as mentioned above.
  • Wine is needed to run the NMC tool. If you're on CentOS like me Red Hat has made it a giant pain as in their infinite wisdom they decided to not keep 32-bit versions in their repos. I wound up using the Raven Extras repo and manually installed the i686 version of wine, wine-core, etc.
  1. Create the following directories: "/etc/letsencrypt-APC", "/var/log/letsencrypt-APC", and "/var/lib/letsencrypt-APC" with the reason being certbot won't run multiple instances at the same directories and this script will be run from a post-hook.
  2. Run "cp -r /etc/letsencrypt/accounts /etc/letsencrypt-APC"
  3. Create the directory "/etc/letsencrypt-APC/live/"
  4. Create the script /etc/letsencrypt/renewal-hooks/post/APC and fill with:

#!/bin/bash
# Certbot post-hook: when DOMAIN has been renewed, issue a CSR-based cert for the NMC and upload it.
# DOMAIN, ORG and UPS are placeholders for your own values.

if [[ $RENEWED_DOMAINS == *"DOMAIN"* ]]; then
  # Start clean so a stale CSR, key or cert is never reused
  /usr/bin/rm -f /etc/letsencrypt-APC/live/DOMAIN/*
  cd /opt/APC || exit 1
  # Generate the key pair and CSR with the APC tool (Z: is Wine's default mapping of /)
  /usr/bin/wine /opt/APC/NMCSecurityWizardCLI.exe --csr -o Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-unsigned -c US -g ORG -n DOMAIN 2>/dev/null
  # Have certbot sign that CSR, using the separate config, work and log directories
  /usr/bin/certbot certonly -n --config-dir /etc/letsencrypt-APC --work-dir /var/lib/letsencrypt-APC --logs-dir /var/log/letsencrypt-APC --cert-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed.pem --fullchain-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed-fullchain.pem --chain-path /etc/letsencrypt-APC/live/DOMAIN/APC-signed-chain.pem -d DOMAIN --csr /etc/letsencrypt-APC/live/DOMAIN/APC-unsigned.csr
  # Import the signed cert against the key from the CSR step, producing APC-signed.p15
  /usr/bin/wine /opt/APC/NMCSecurityWizardCLI.exe --import -o Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-signed -s Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-signed-fullchain.pem -p Z:\\etc\\letsencrypt-APC\\live\\DOMAIN\\APC-unsigned 2>/dev/null
  # Upload the .p15 into the NMC's ssl directory, then reboot the NMC
  /usr/bin/sshpass -p "apc" /usr/bin/scp /etc/letsencrypt-APC/live/DOMAIN/APC-signed.p15 apc@UPS:/ssl/default-cert.p15
  /usr/bin/sshpass -p "apc" /usr/bin/ssh apc@UPS 2>/dev/null << EOF
    reboot -Y
    exit
EOF
fi

Note that it needs to have perms to be executable. In addition to wine and certbot of course you will need sshpass and NMCSecurityWizardCLI.

This certainly isn't an exact tutorial by any means but I at least wanted to provide my script and some insight considering how difficult this was for me to figure out.

This can be done with wildcard domains if you want. The NMC utility doesn't seem to do anything with chain certs. Fortunately most modern browsers will find the chain in their own store.

Feel free to ask with any questions!

BillP
Administrator

Posted: 2021-06-30 05:12 AM. Last Modified: 2024-03-08 03:05 AM

0 Likes

That is some stellar work!
