
Why doesn't my NMC accept my SSL certificate?

Discussion in UPS Management Devices & PowerChute Software started by Alex, 2/20/2014 6:07 PM
  • ipicKedawinna
    Angela
    =S= Representative
    Angela 5/18/2017 7:04 PM (in response to Peter)

    Hi Peter,

    The fix is not available publicly yet for what I described as it is only one of the few issues that I know we have and everything is not yet fixed.

    Can I ask - are you using Server 2008 and 2012? With WebServer template? What is your ideal certificate configuration? For example, many users want to use WebServer template and clone it just to get a validity of 5 years instead of the default 2 you can't change with that template

    Also, I know some other folks use OpenSSL as a CA which seems to work sometimes. Beyond that, majority of our users and my personal focus has been trying to get the Microsoft CA stuff working. I am not aware of anything else beyond OpenSSL that people have tried.

  • j1pjezek
    Peter
    Novice Novice
    Peter 5/18/2017 7:52 PM (in response to Angela)
    On 5/18/2017 12:04 PM, Angela said:

    Can I ask - are you using Server 2008 and 2012? With WebServer template? What is your ideal certificate configuration? For example, many users want to use WebServer template and clone it just to get a validity of 5 years instead of the default 2 you can't change with that template

    Server 2012 R2.  We'd like to use a cloned WebServer template with a validity period of 2 years, 2048 bit key length, with both Client and Server auth policies being applied.  We tried this first and got the -32 error before we enabled the original WebServer template and finally found success importing the certificate with security wizard.

  • j1pjezek
    Peter
    Novice Novice
    Peter 5/18/2017 8:19 PM (in response to Angela)
    On 5/18/2017 12:04 PM, Angela said:

    Also, I know some other folks use OpenSSL as a CA which seems to work sometimes. Beyond that, majority of our users and my personal focus has been trying to get the Microsoft CA stuff working. I am not aware of anything else beyond OpenSSL that people have tried

    We also tried using an external CA, GlobalSign.  This worked fine with security wizard but ultimately failed because it required an intermediate certificate to also be installed on the server, which is not supported by the NMC.  Intermediate cert support would be a nice feature to have.

  • LucB
    Luc
    New Member New Member
    Luc 5/26/2017 5:03 PM (in response to Angela)

    Hi Angela,

    Let me resume:

    This support call has been opened many years ago, last post some days ago.
    - Certificate deployment with Microsoft CA not possible
    - Certificate deployment with official external CA not possible if CA chained (most of them are)
    - .p15 format very old and proprietary. No easy conversion to any other popular format
    - No way to replace the private/public key
    - Latest APC Security Wizard from 03/2010 (Am I missing something here?)
    - And last but not least, new requirement with Chrome 58: CN is discontinued, only SAN supported

    That's a running joke and embarrassing for Schneider Electric.

  • Mike81
    Mike
    Novice Novice
    Mike 5/30/2017 1:27 PM (in response to Luc)

    Does the NMC2 web interface really only accept *.p15 files? And if yes, is APC working on a fix, changing that?

  • curlyapc
    Keith
    New Member New Member
    Keith 6/16/2017 10:27 AM (in response to Angela)

    Angela

    Appreciate all your work on this. Look forward to the updates as have the same issues as the others at the NMC 2 end on 6.4.6 with MS CA using SW 1.04

    All the Best

    Keith

  • kyle.porter
    Kyle
    New Member New Member
    Kyle 7/7/2017 10:11 PM (in response to Keith)

    I would also like to chime in here. Same thing. Using Microsoft CA and Windows server 2012. I am not able to install a certificate.

  • shuffman
    Steve
    New Member New Member
    Steve 1/10/2018 7:01 PM (in response to Kyle)

    Having similar issues.  Posting here so I receive updates.  Good luck, Angela!

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 1/10/2018 9:43 PM (in response to Steve)

    Hi Steve, all,

    I am very ashamed to say that this is still not resolved 100%. While we've made some progress, we have not yet fixed all aspects of problems with certs created with Microsoft CA services. There are reasons for this but I won't bore you with excuses.

    I am still actively working on it and trying to be transparent here with you all but I am waiting on some sort of ETA when we expect to be completed now that we are in the new year. To be flat-out honest, I hate that I do not have the control or the know how to fix it personally so I feel like I failed our customers and those of you here desperately waiting for fixes.

    But please know while I don't have a complete resolution to share just yet, I am still actively following this and driving it as best I can with everything else going on. Don't hesitate to ask questions here or let me know if you want to discuss offline.

    In general, we (and I personally) always appreciate the voices of our customers so the more info/feedback (positive or negative) I can share with our development teams and leaders, the better. Especially with this specific issue, it is helpful so as part of my role in quality, I can help make the folks feel your pain in not having a solution to deploy your SSL certificates on your APC NMC products after this long.

  • Opal
    Opal
    New Member New Member
    Opal 3/7/2018 10:34 PM (in response to Angela)

    Hi Angela, thank you for your help!
    If we need further updates for this issue, where should we look?

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 3/8/2018 2:18 PM (in response to Opal)

    Hi Opal,

    I've recently escalated this again with emergency priority essentially in the past several weeks and have been giving updates through our tech support team or some of the folks here on the thread directly.

    I can try to provide more frequent updates here.

    Currently, the team has committed to providing a resolution in the coming weeks, no exceptions or further delays. They are figuring out the quickest way to provide a fix - either through firmware fix OR APC Security Wizard rev or both. I asked to get weekly updates at the bare minimum but it will be more frequent if there are critical or major updates. They are still working through some tests to pinpoint the specific problem.

    The main problem is that we've completed a partial fix for using the default 'WebServer' template within Microsoft Cert Authority but any custom cert templates, even if you clone WebServer and make no changes, adds some additional OID information within the certificate which is presenting a problem and causing errors like -32 upon import through APC Security Wizard. They are figuring out how to work through that with the cryptlibrary stack owner.

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 3/12/2018 4:55 PM (in response to Angela)

    Anyone following this thread that is not receiving my direct email updates..

    The development team has made some significant progress in the past few days pinpointing the lingering problems with Microsoft CAs within our code of Security Wizard and NMC firmware. I think we are that much closer to being able to provide a solution to users. It will start in the form of beta verification by myself and some other customers (including some of you here) across the different environments and then get pushed through to final release.

    I personally appreciate everyone's patience on this matter who is reading and keeping up.

  • techsupport9999
    Tech
    Novice Novice
    Tech 3/16/2018 9:51 AM (in response to Alex)

    Angela, we use OpenSSL to sign our APC CSRs; when we do that we get a load of other metadata included in the CRT file.

    So an extra step we have to do before merging the crt file with the p15 in SecWiz is to load the crt file into an editor (notepad++) and strip out everything at the top down to BEGIN CERTIFICATE, and then save it. Then we import this with the SecWiz tool, adding the p15 file to create the uploadable certificate.

    Not sure if that is the same as using the Microsoft cert server but might be worth looking at the crt file it produces to see it only contains the certificate part and no extra metadata.
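
The manual clean-up step described in the post above, as an added example that is not part of the original thread and is not APC or Schneider Electric code. It keeps only the `CERTIFICATE` PEM block, skips other block types such as a CSR, and checks that the payload is a single well-formed DER SEQUENCE (a shape check, not signature validation); the function names, the sample host name and the placeholder DER bytes are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def outer_sequence_ok(der: bytes) -> bool:
    """True if the bytes are exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def extract_certificate(text: str):
    """Return (clean_pem, notes) holding only the first CERTIFICATE block of `text`."""
    seen = []
    for m in PEM_BLOCK.finditer(text):
        seen.append(m.group(1))
        if seen[-1] != "CERTIFICATE":      # e.g. CERTIFICATE REQUEST is a CSR, not a cert
            continue
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        if not outer_sequence_ok(der):
            raise ValueError("CERTIFICATE block is not a well-formed DER SEQUENCE")
        notes = []
        if text[:m.start()].strip():
            notes.append("removed text before BEGIN CERTIFICATE")
        if text[m.end():].strip():
            notes.append("removed text after END CERTIFICATE")
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        clean = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                           "-----END CERTIFICATE-----"]) + "\n"
        return clean, notes
    raise ValueError(f"no CERTIFICATE block found; blocks seen: {seen}")

# Constructed sample: placeholder DER bytes (not a real certificate) after a text preamble.
_FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
          "        Subject: CN=ups01.example.test\n"
          "-----BEGIN CERTIFICATE-----\n"
          + base64.encodebytes(_FAKE_DER).decode("ascii")
          + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(*extract_certificate(SAMPLE), sep="\n")
```

A file that contains only a `CERTIFICATE REQUEST` block raises `ValueError`, which separates "this is still the CSR" from "this is a certificate with extra text around it".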

  • jiSh
    MIchael
    New Member New Member
    MIchael 3/22/2018 12:06 PM (in response to Angela)

    I am posting here as well to help validate the need for this. I would like to use our Microsoft Windows 2016 Subordinate CA to issue certs to our ~15 APC UPS network cards. Having the same issues importing into NMC wizard, error -32 and the .cer file doesn't have anything before or after --BEGIN CERTIFICATE REQUEST--. Not going to try with default web server template because we are required to rotate our end-device certs yearly - so it would be pointless.

    Genuinely surprised to see what appears to be active development on the issue. Please allow the specification of SAN (subject alternative name) in the request or allow us to use something like OpenSSL to generate cert and provide the ability to upload a private key. This is needed so Chrome doesn't flag it.

    Thanks!

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 3/22/2018 6:17 PM (in response to MIchael)

    Hi Michael,

    Yes, we are extremely close to having a fix for all of the different problems, including -32 error. Development has gotten past that and now they are just cleaning up a few things for all of the different scenarios people encountered. Also making sure HTTPS actually still works with the changes needed. I also requested that SAN support be added already too.

    I've also previously requested that we get away from APC Security Wizard to better meet customer expectations.

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 27 days ago (in response to Angela)

    The team is working on SAN support implementation..

  • Eugene
    Mark
    New Member New Member
    Mark 13 days ago (in response to Angela)

    Just adding myself to the thread. I have the same issue with Microsoft Certificate Authority (PKI) using Server 2012 R2.

    NMC AP9630 with v6.4.0

    Uploaded certificate >
    Status: Loading certificate...............

    If I reboot NMC > I get a default certificate recreated.

  • pgpc
    R
    Novice Novice
    R 13 days ago (in response to Mark)

    Adding myself to the thread, too, so that I receive notice of any developments.

    We have the same issue as others who use OpenSSL and, like others, we need SAN support.  I strongly support the previous requests that Schneider abandon its security wizard and .p15 format in favor of industry-standard tools and der or pem format.

    Thanks.

    -rcz

  • ipicKedawinna
    Angela
    =S= Representative
    Angela 10 days ago (in response to R)

    Hi,

    Sorry, was on vacation last week. The team is still finishing up a few different things to get everything we need done while under the hood. I am hopeful I can share something with beta users in the next 1-2 weeks. I was assured some good progress was made last week while I was out.

    On 4/12/2018 8:47 PM, R said:

    I strongly support the previous requests that Schneider abandon its security wizard and .p15 format in favor of industry-standard tools and der or pem format.

    You're preaching to the choir on this, R. I have logged this as an enhancement and the unfortunate reality is, I don't think we will get this until the next generation platform which is currently in development. First rev of it will still use .p15 but I have been pushing strongly to make the complex changes needed for future revs. It is currently due out later this year. The changes are just too massive to fit into the current platform I believe.

    I am working on tagging people (which isn't working right now) but R. Z. , Mark V, Mike L, would you like me to add you to my list of early testers which I am communicating with directly over email? If yes, let me know if I should direct message you to use a different email than what is in your profile. I'll forward you my latest status update afterwards and keep you in the closer, direct loop moving forward.

  • Benji
    Benjamin
    Novice Novice
    Benjamin 9 days ago (in response to Angela)

    Just wanted to let you know that we are happy about the ongoing development.
    Feels like this thread needs some positive words after all the disappointed voices.

    Also the weekly feedback by mail is more than what I expected.
    Keep up the good work, can't wait to see the first fruits of it!

    But let's not forget that this is overdue for quite some time

    Cheers

  • dkim
    Daniel
    New Member New Member
    Daniel 9 days ago (in response to Angela)

    I am interested in early testing.  I have been waiting years for this.

  • pgpc
    R
    Novice Novice
    R 9 days ago (in response to Angela)

    I'd be delighted to beta test.  Please use the email address in my profile.
