
Why doesn't my NMC accept my SSL certificate?

Discussion in UPS Management Devices & PowerChute Software started by Alex, 2/20/2014 6:07 PM
  • alx9r
    Alex
    Novice
    Alex 2/20/2014 6:07 PM

    I am working with a new AP9631 NMC2. See here for the product page: http://www.apc.com/products/resource/include/techspec_index.cfm?base_sku=AP9631&tab=documentation

    There is a document called "Security Handbook Network Enabled Devices AOS V.6.X.X" on the documentation page.  I've been following the section entitled "Create a Server Certificate and Signing Request" trying to install a signed SSL certificate on the NMC.   I have not yet succeeded. 

    When I get to the instruction to "Send the certificate signing request to...a Certificate Authority managed by your own company or agency" I use the following command to get the certificate signed by our Certificate Authority:

    certreq -submit -attrib "CertificateTemplate:WebServer" <apc_wizard_cert_request.csr>


    (see the Microsoft TechNet article "Appendix 3: Certreq.exe Syntax" for details)


    That works and a signed certificate is issued by our Certificate Authority and I continue to follow the instructions in the "Import the signed certificate" subsection.  The first sign that there is a problem occurs when I get to the subsection entitled "Load the Server Certificate to the Management Card or Device".

    Specific Symptom

    When I select "Add or Replace Certificate File", the web interface hangs for about a minute and then shows an updated "Certificate" page.  On that page, it shows

    Status: Valid Certificate

    The problem is that when I click on "valid certificate", the installed certificate is an internally generated certificate (i.e. OU="American Power Conversion Corp"), not the certificate I just tried to add.  A similar thing happens if I upload the certificate using FTP.  I have checked the fingerprints of the internally generated certificate from attempt to attempt: they are different.  It seems that during the minute the web interface hangs, the NMC is generating a new certificate.

    Why isn't the NMC2 accepting my SSL certificate and instead internally generating a new certificate?

    APC Models and Versions


    APC Security Wizard version: 1.04

    Hardware Factory

    Model Number: AP9631

    Serial Number: ZA1324021754

    Hardware Revision: 05

    Manufacture Date: 06/15/2013

    MAC Address: 00 C0 B7 B4 15 26

    Management Uptime: 0 Days 0 Hours 5 Minutes

    Application Module

    Name: sumx

    Version: v6.0.6

    Date: Apr 5 2013

    Time: 11:25:39

    APC OS (AOS)

    Name: aos

    Version: v6.0.6

    Date: Apr 5 2013

    Time: 10:36:37

    APC Boot Monitor

    Name: bootmon

    Version: v1.0.2

    Date: Jan 21 2010

    Time: 13:35:57

    About UPS

    Model: Smart-UPS RT 2200 XL

    Position: RACK

    Serial Number: QS1323140847

    Firmware Revision: 802.5.D

    Manufacture Date: 06/04/13

    Other Versions

    Certificate Authority: Windows Server 2012R2 Active Directory Certificate Services

    Certificate Authority Type: Enterprise Subordinate

    Web Browser: Firefox 27.0.1

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/20/2014 6:15 PM (in response to Alex)

    Can you confirm what size the certificate is you're using? NMC2 only supports 1024 and 2048 bit. Assuming it's one of those, my next thought is it sounds like you're using the same service as what is outlined here via GUI? Issuing SSL Certificates to APC Devices from Microsoft PKI | Mike Shellenberger's Blog

    I ask because it seems similar and you utilized the "Web Server template" and I am not all that familiar with the Microsoft tools and how they differ, but I think these and what's in the blog above are very similar?

    Also, I am curious if you're able to or interested in sending me the certificate and all the files you created via the security wizard (offline if you want) so I can look at them and try to upload them to my card.

    My other thought was to try loading them on an NMC2 with a different firmware, like v5.1.7 if you had another NMC2 available to see if it is something specific to this cert and the firmware version on the NMC. If you don't have one, I do.

  • alx9r
    Alex
    Novice
    Alex 2/20/2014 8:03 PM (in response to Angela)

    Hi Angela,

    Can you confirm what size the certificate is you're using? NMC2 only supports 1024 and 2048 bit.

    I can confirm the following with respect to key size:

    1. I selected the 1024-bit option in the APC Security Wizard.

    2. Using Window's certificate viewer, I can confirm that the signed certificate received back from the Certificate Authority has a value of "RSA (1024 bits)" for the "Public Key" field.

    Assuming it's one of those, my next thought is it sounds like you're using the same service as what is outlined here via GUI? Issuing SSL Certificates to APC Devices from Microsoft PKI | Mike Shellenberger's Blog

    With respect to the Mike Shellenberger link:

    • We seem to both be using Active Directory Certificate Services, although judging from the blog entry's date, he was not using Windows Server 2012 or 2012R2.
    • We use different interfaces to Active Directory Certificate Services to submit the certificate request:
      • Mike's instructions utilize the Windows Server's Certification Authority Web Enrollment service, a browser-based interface for requesting certificates.
      • My method utilizes certreq.exe.  We don't have the web-based enrollment installed in our environment.
      • As far as I can tell, the two methods should yield the same results.
    • Mike seems to be using APC Security Wizard version 1.03, while I am using 1.04
    • Mike seems to be using an earlier version of NMC firmware, while I am using 6.0.6.
    • Mike seems to be using NMC, while I am using NMC2.
    • We both had the same 'error -32' result when using any template other than the Web Server template.

    Also, I am curious if you're able to or interested in sending me the certificate and all the files you created via the security wizard (offline if you want) so I can look at them and try to upload them to my card.

    Yes, I can send you the files, privately.  Please let me know where.

    My other thought was to try loading them on an NMC2 with a different firmware, like v5.1.7 if you had another NMC2 available to see if it is something specific to this cert and the firmware version on the NMC. If you don't have one, I do.

    I don't have another NMC2 I can easily test v5.1.7 on.  Perhaps you could try my files on v5.1.7 with NMC2 and/or an NMC and see what happens.

    Alex

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/20/2014 9:18 PM (in response to Alex)

    Thanks for the info. I sent you an email where you can reply with the files. Let me know if that won't work and I also have a corporate Box account I can set up for upload.

  • alx9r
    Alex
    Novice
    Alex 2/20/2014 10:59 PM (in response to Angela)

    Hi Angela,

    I have sent the files via email.

    Alex

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/20/2014 11:22 PM (in response to Alex)

    Thanks. I got "invalid cert" on all firmwares I tried. The only thing that caught my eye so far was the size in bytes. I thought the limit was 3KB for these certs and I see yours is 3067 bytes. Which, 3KB should be 3072 bytes but maybe it is actually 3000KB. Tomorrow I will verify my thought and check on the limit in size/bytes and go from there to see what else I can find if that's not the issue. Having these will be very helpful to test with though. I'll report back hopefully tomorrow (Friday).

  • alx9r
    Alex
    Novice
    Alex 2/20/2014 11:39 PM (in response to Angela)

    Thanks Angela,

    It would be great to find out exactly what the NMC considers to be "invalid" about the signed certificate.

    Alex

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/21/2014 2:32 AM (in response to Alex)

    Definitely! We'll get to the bottom of it :)

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/21/2014 9:19 PM (in response to Angela)

    Still working on it! Nothing concrete yet.

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/24/2014 6:46 PM (in response to Angela)

    Hi alx9r - we spent some time with this today. It does not appear to be a problem with the size of the certificate as I suspected. It appears to perhaps be in the way the certificate is generated (I know personally, we seem to have issues with this Microsoft CA sometimes).

    Do you have any other means or method to try creating a certificate with a different CA, just to see. I was thinking if not, we could at least try making both the CA and SSL cert via the APC Security Wizard with the same information (Common Name, etc) as the cert that is not working. This would help confirm it is a problem with how it is being generated so we can dig into that deeper. Any other CA would be a good test too to help guide us in the right direction.

    Let me know what you think.

  • alx9r
    Alex
    Novice
    Alex 2/24/2014 10:41 PM (in response to Angela)

    Hi Angela,

    (I know personally, we seem to have issues with this Microsoft CA sometimes).

    I've read that. I even revisited my MCSE training materials to see if I'm doing anything non-standard with this CA.  As far as I can tell, the MS ADCS setup I have is by the book -- or at least by Microsoft's book :)

    Do you have any other means or method to try creating a certificate with a different CA, just to see. I was thinking if not, we could at least try making both the CA and SSL cert via the APC Security Wizard with the same information (Common Name, etc) as the cert that is not working.

    I don't have a whole different CA set up right now that I could use for testing.  As you suggested, I used APC Security Wizard to create a new Root CA and used that to generate a certificate for the NMC2 SSL server.  Specifically, I followed the instructions in section "Create a Root Certificate and Server Certificates" in the document entitled "Security Handbook Network Enabled Devices AOS V.6.X.X".

    The result was that the NMC2 accepted the certificate.  When I add the newly-created root CA to Firefox's trusted store and then browse to the URL of the NMC2 using https, the SSL certificate is successfully validated by the browser and no errors are reported.

    I'm sending you the relevant files by email.

    This would help confirm it is a problem with how it is being generated so we can dig into that deeper.

    I tried to maintain parity between the fields on the MS ADCS certificate and the APC Security Wizard certificate.  I think your suspicion is correct -- it seems like the evidence so far points to some difference in the way MS ADCS generates the certificate.  It would be really great to determine exactly what the NMC2 doesn't like about the MS ADCS signed certificate.

    Thanks for your help

    Alex

  • alx9r
    Alex
    Novice
    Alex 2/25/2014 12:36 AM (in response to Alex)

    Hi again Angela,

    I just set up an OpenSSL test CA.

    I followed the same section "Create a Server Certificate and Signing Request" in the document called "Security Handbook Network Enabled Devices AOS V.6.X.X".  This time when I got to the instruction to "Send the certificate signing request to...a Certificate Authority managed by your own company or agency" I signed the request using the OpenSSL test CA.

    That works and a signed certificate is issued by the OpenSSL Certificate Authority and I continue to follow the instructions in the "Import the signed certificate" subsection.  This time, the first sign that there is a problem occurs when I reach "Step 4 of 5" in the APC Security Wizard.  At that step, I receive the following error message:


    Error importing cert, code: -32


    This is the same error that I (and Mike Shellenberger) experience when I make any change to the MS ADCS Certificate Template when using ADCS as the CA.

    I am emailing you these files as well.

    Alex

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 2/25/2014 1:07 AM (in response to Alex)

    Thanks!

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 3/3/2014 5:48 PM (in response to Angela)

    As I mentioned offline, I am logging this as a bug and we'll have to look at it more in depth. I haven't been able to obtain a quick answer as to why this certificate is being rejected unfortunately, but I don't see any obvious reason why it should be.

  • gregrw
    GregRW
    Novice
    GregRW 10/27/2014 2:07 AM (in response to Alex)

    I too am experiencing the exact same issue.  Was this resolved?

    I am choosing a new name to access the device for configuration.  I have configured that new name everywhere I can find.


    The interesting thing that I have found is that if I generate a certificate using the same common name (CN) as the certificate that the device generates internally (which appears to be the serial number?), it will accept my certificate.  This means my CA and method of certificate generation work without issue.  However, the moment I change the CN to something different, it will no longer accept the certificate, seems to silently fail, and as previously described the interface will hang while another certificate is internally generated.

    Is there anything I can do to assist in the resolution of this issue?

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 10/27/2014 3:52 PM (in response to GregRW)

    What CA are you using? And what are you putting for the CN when it fails - is it really long?

    What device/firmware are you testing this on? We have made 1-2 changes in this area on v6.2.0 so I'd want to make sure you've tried that version, if available for your device.

  • gregrw
    GregRW
    Novice
    GregRW 10/28/2014 4:34 AM (in response to Angela)

    We are using our own Enterprise Intermediate, with a standalone root CA.

    The failing string is 21 characters long (using a FQDN).

    I have updated to the latest firmware (6.2.0), the interface changed completely to the new Schneider Electric theme after updating the firmware, but neither the old or new firmware worked (they do the same thing).

    I am going to try using a shorter CN and report back my findings.

  • gregrw
    GregRW
    Novice
    GregRW 10/28/2014 4:42 AM (in response to GregRW)

    Unfortunately, an 8 character long CN has had the same effect and not been accepted.

  • gregrw
    GregRW
    Novice
    GregRW 10/28/2014 4:52 AM (in response to Angela)

    Also, the device is a Smart-UPS X 3000 with an AP9630 NMC.

  • freddy
    Frederik
    Novice
    Frederik 11/12/2014 10:56 AM (in response to Angela)

    Has there been any progress on this bug?

    We've a lot of trouble with all kinds of APC devices. Trouble with certificates too.

    We've various Schneider/APC UPS and PDU devices in use.

    We have a company internal CA which we use for legacy devices (no 2048 bit keys supported or no proper support for intermediate CAs).

    Generating a 1024 Bit key and signing it with our CA works perfectly fine for all "first generation" devices (e.g. AP7951 PDUs running aos/rpdu firmware version v3.7.4).

    The exact same p15 file which works with these old devices doesn't work with any 2G devices (Upload works, but the device will generate a new self signed certificate itself).

    So there must be a regression somewhere. Maybe this helps you to track down the problem or at least give this bug a higher priority.

    For the 2G devices we're currently testing this with a just recently installed MGE Galaxy 3500 40 kVA UPS power module with a AP9631CH NMC2 card running aos/sumx v6.2.0.

    So far we were only able to verify that there is another bug in your implementation: having spaces in the Issuer's (CA certificate) common name causes an NMC2 web server to send an invalid certificate (installing such a certificate essentially will lock you out of the web interface). Generating the exact same certificate (same key, etc.) using underscores instead of spaces as the issuer CN is working fine.

    Is there anything else we can do to help you to fix this bug?



  • ipicKedawinna
    Angela
    =S= Representative
    Angela 11/12/2014 2:34 PM (in response to Frederik)

    I have it at the top of my request list. It requires some significant updates to help address along with other security enhancements we are working on.

    Can you tell me what your Internal CA is - I am trying to urge our testing team to test multiple CAs like Microsoft, or OpenSSL. If you have something different that doesn't work, I can document it.

    Also, I did not think spaces in the CN were compliant with an RFC for that particular field?

  • gregrw
    GregRW
    Novice
    GregRW 11/17/2014 1:21 AM (in response to Angela)

    Thanks Angela.  Is there any other way I should raise this issue, or is via the forum an acceptable method with regard to priority?

    I am sorry, I should have been more specific with the types of CA when you asked.  Ours is indeed Microsoft, with a Standalone Root -> Enterprise Subordinate configuration.  In a similar situation to Freddy, we have APC power rails that are running the latest firmware that successfully accept our certificates as well.  It is these UPS devices that we are having issues with.

    Freddy - I would be interested to see whether your device would accept a certificate if the CN was the same as the name the original device was given (in our case it was the serial number).

    Regards,

    Greg.

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 11/17/2014 4:07 PM (in response to GregRW)

    Hi Greg,

    No matter how you raise it, it will somehow get to me so this is OK. :) Let me add that information to the issue we have logged on this topic so when it is resolved, we make sure we're testing properly. And depending on what happens, I may be able to offer you the ability to test it for us too if you'd be willing.

  • gregrw
    GregRW
    Novice
    GregRW 11/18/2014 1:59 AM (in response to Angela)

    Feel free to count me in Angela, happy to assist.

    Regards,

    Greg.

  • freddy
    Frederik
    Novice
    Frederik 11/26/2014 10:06 AM (in response to Angela)

    Hello Angela,

    I'm happy to see that this is finally getting some attention, as the overall state of your SSL implementation is the primary reason why we try to avoid buying APC devices whenever possible.

    Our certificates are generated using openssl.

    I'm not sure how familiar you are with the X.509 and related specs.

    The CN of a distinguished name used in a x509 certificate can be actually any string up to 64 characters. This includes any kind of "special" characters (, =, ...). While the use of special characters might look confusing in the text representation it's no problem for the underlying ASN1 implementation.

    Distinguished names are usually used at two different places: The Subject and the Issuer field.

    In practice the common name of the Subject field is set to the hostname (this isn't required, the hostname might be specified using the SubAltName extension).

    The Issuer field is used to reference the issuing CA and is set to the value of Subject field of the issuing CA.

    For CA certificates having spaces in the common name is very common.

    Here's an example from the certificate used for www.apc.com:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                36:08:ef:58:58:f2:1c:57:dd:cc:b7:5c:5e:c4:2e:31:a7:20:5f:68
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1
            Validity
                Not Before: Oct 29 20:25:31 2014 GMT
                Not After : Oct 29 20:25:27 2015 GMT
            Subject: C=US, ST=RI, L=West Kingston, O=SCHNEIDER ELECTRIC INDUSTRIES SAS, OU=Web Service, CN=www.apc.com

    @Greg: Setting the CN to the default/serial didn't help during my tests so far.
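Editor's added example (not code from this thread, nor from APC/Schneider): the following POSIX shell script automates two things the thread describes by hand, Alex's "OpenSSL test CA" signing of a server CSR (his 2/25/2014 post) and the pre-upload checks that the posters converged on, namely the 1024/2048-bit RSA key size Angela stated and the "no spaces in the issuer CN" condition Frederik reported. It assumes the openssl command-line tool is installed; "Example Corp", the CA names and the host name ups01.example.com are made up for the demonstration. The 3 KB size limit Angela wondered about was never confirmed, so the script only prints the PEM size and does not enforce it. The demo at the bottom signs the same server CSR with two CAs that differ only in whether their CN has spaces, so you can see which one the checks flag before touching the card.

```shell
#!/bin/sh
# Added example for the NMC certificate thread; not vendor code.
# Assumptions: the openssl CLI is installed, and names such as "Example Corp",
# "Test Root CA" and ups01.example.com are made up. The pre-checks encode only
# what posters reported: 1024/2048-bit RSA keys (Angela) and no spaces in the
# issuer CN (Frederik). The 3 KB size figure was a guess, so it is only printed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# make_test_ca DIR CA_CN SERVER_CN RSA_BITS
# Builds a throwaway OpenSSL test CA in DIR and signs a server CSR with it,
# mirroring the "send the CSR to a CA managed by your own company" step.
make_test_ca() {
  dir="$1" ca_cn="$2" server_cn="$3" bits="$4"
  mkdir -p "$dir"
  # Self-signed 2048-bit CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Corp/CN=$ca_cn" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server key and CSR with the requested RSA size (the card's 1024/2048 choice).
  openssl req -new -newkey "rsa:$bits" -nodes -sha256 \
    -subj "/O=Example Corp/CN=$server_cn" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  # Sign the CSR with the test CA.
  openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null
}

# RSA modulus size in bits of the certificate's public key (e.g. 1024).
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# CN attribute of the certificate's subject ($2=subject) or issuer ($2=issuer).
cert_cn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# PEM size in bytes, the figure the thread compared against a 3 KB limit.
cert_pem_bytes() {
  wc -c < "$1" | tr -d ' '
}

# nmc_precheck CERT.pem
# Returns 0 when none of the rejection conditions reported in the thread is
# present, 1 otherwise. Prints one line per check.
nmc_precheck() {
  cert="$1" rc=0
  bits=$(cert_key_bits "$cert")
  case "$bits" in
    1024|2048) echo "ok    key size $bits bits" ;;
    *)         echo "FAIL  key size $bits bits (NMC2: 1024 or 2048 only)"; rc=1 ;;
  esac
  issuer=$(cert_cn "$cert" issuer)
  case "$issuer" in
    *" "*) echo "FAIL  issuer CN '$issuer' contains spaces (reported to break the NMC2 web server)"; rc=1 ;;
    *)     echo "ok    issuer CN '$issuer'" ;;
  esac
  echo "info  subject CN '$(cert_cn "$cert" subject)', PEM size $(cert_pem_bytes "$cert") bytes"
  return $rc
}

# Demo: the same server CSR parameters signed by two CAs that differ only in
# whether the CA's CN contains spaces.
work=$(mktemp -d)
make_test_ca "$work/spaces"      "Test Root CA" "ups01.example.com" 1024
make_test_ca "$work/underscores" "Test_Root_CA" "ups01.example.com" 1024
for ca in spaces underscores; do
  echo "== CA variant: $ca"
  if nmc_precheck "$work/$ca/server.crt"; then echo "-> safe to upload"; else echo "-> fix before uploading"; fi
done
rm -rf "$work"
```

Run it as `sh nmc_cert_check.sh`; to check a certificate issued by a real CA (ADCS or otherwise) instead of the demo, source the file and call `nmc_precheck /path/to/server.crt`. The sed in cert_key_bits accepts both the "RSA Public-Key:" label of OpenSSL 1.1.x and the "Public-Key:" label of OpenSSL 3.x output.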
