Uploading Private SSL Certificates | UPS Management Devices & PowerChute Software

Uploading Private SSL Certificates

Discussion in UPS Management Devices & PowerChute Software started by Cody , 7/6/2020 1:44 PM
Posted in: General

  • Hey All,

    Sorry, I was on leave. Here is a new link for future reference:

    https://schneider-electric.box.com/s/2vetd44vxp24j9dudcsupro52xjbq4dl

    -Gavan

  • Thank you everyone!  Version 1.0 was the trick to getting it to work! 

    Tony

  • Hi Gavan,

    Now I am having trouble getting a cert to load on a SmartUPS-1500 with an NMC2 card. I am able to create the .p15 cert OK; after I upload it in the web UI, it just keeps saying "loading certificate". Eventually the default cert gets regenerated, but it keeps saying "loading certificate" until I reboot the NMC. What am I doing wrong?

    Tony

  • Have you checked if the date/time are correct on the UPS?

  • Hi Scott,

    Yeah, I have it connected to our NTP server :/ I saw your earlier post about time and was hoping that was it, but no, unfortunately.

    thank you,
    Tony

  • This is what I get every time I try to upload a new cert to any of my 9630 NMC2 cards running 6.4.0 or 6.9.6; it doesn't matter what version. The same cert works fine on my 9640 NMC3 card. Help!

    Thank you,
    Tony

  • Hmm, if it works fine on your NMC3 cards but not your NMC2 cards then it might be to do with the security used.

    The NMC2 supports certificates up to SHA256RSA, 2048 bit key length and no intermediate certificates.

    I can review them if you'd like? Just upload the unsigned .p15 file, the CER/CRT response from your CA, the signed .p15 file and a text file with the commands you used to the link below:

    https://schneider-electric.app.box.com/f/9eb2a0a65ead4f40991eada42446358d

    -Gavan

  • Hi Gavan, sorry for the late response; I had other issues happening that I had to address. When I look at the certificate that was generated, in the chain there are 2 certs: our Root CA (which is turned off) and our Sub CA, which actually signed it. So I assume this sort of setup wouldn't work? RCA-->SCA-->Cert?

    Thank you,
    Tony

  • It depends. Sometimes you can edit the CER/CRT file, remove the intermediate cert, and everything will work.

    1. Open it in notepad
    2. Remove everything before -----BEGIN CERTIFICATE-----
    3. Remove everything after -----END CERTIFICATE-----
    4. Save
    5. Create a new .p15 file by combining the modified cer/crt with the original .p15 file
    6. Upload and test

  • Hi Gavan,

    So I looked at the signed cert I got from our SCA, and in it there is only one entry: "begin cert" then "end cert". When I look at the cert using Windows, it shows this as the chain:

    the top being our RCA, the middle the SCA, and then the actual cert on the bottom. I also checked it's using Sha256rsa. Any other thoughts? Thank you for your help!!

    Tony

  • If you want to upload all the files I requested earlier to the box link I can have a more detailed look.

    -Gavan

  • We're generating CSRs and private keys using NMC Security.
    The CSR's are being sent to our in-house Microsoft CA.
    The CA signed cert and the original private key from the CSR generation are imported using NMC Security.
    Attempting to upload and apply the certificate returns "no certificate installed".

    Model Number: AP7723

    Version: v3.9.2

  • Hi Gavan,

    I wanted to let you know that once I switched to a 2 year certificate from a 5 year template, the NMC2 card accepted the certificate. As far as I can tell, that was the only difference between the 2 cert templates on our MS CA server. Our NMC3 card will accept the 5 year certificate though! Go figure!

    Tony

  • Hey, did you finally get an answer? I'm having the same issue and it is very frustrating.

  • Yes, 2 things that I needed to know: 1) you need version 1.0 of their nmcli wizard to convert your cert to p15 format; 2) if you are using NMC2 cards, make sure the cert you generate is 2 years; if NMC3, 5 years is OK. That's about all I know, but at least it got the certs installed on my management cards! HTH

    Tony
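
The NMC2 limits reported in this thread (SHA256RSA, 2048-bit key, no intermediate certificates, and the 2-year validity Tony found) can be checked on the CA's CER/CRT response before building the .p15. This is an added example, not part of the thread or of any APC tool; the function name `nmc2_problems`, the reading of "2 years" as 731 days and the choice to flag anything other than sha256WithRSAEncryption are assumptions.

```python
import base64, re, sys
from datetime import datetime

# Limits are the ones posters report for NMC2 in this thread (assumed, not vendor-verified).
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
OID_RSA = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def items(b):
    """Split DER bytes into (tag, content) pairs, one per top-level element."""
    out, i = [], 0
    while i < len(b):
        tag, n, i = b[i], b[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(b[i:i + k], "big"), i + k
        out.append((tag, b[i:i + n]))
        i += n
    return out

def when(tag, raw):                                    # UTCTime (0x17) or GeneralizedTime
    return datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")

def nmc2_problems(cer_text, max_days=731, max_bits=2048):
    """List the ways a PEM CER/CRT file exceeds the NMC2 limits reported in the thread."""
    blocks = PEM_RE.findall(cer_text)
    if not blocks:
        return ["no PEM certificate block (DER-encoded file?)"]
    found = [f"{len(blocks)} certificates in file, expected 1"] if len(blocks) > 1 else []
    der = base64.b64decode("".join(blocks[0].split()))
    tbs = items(items(items(der)[0][1])[0][1])         # Certificate -> tbsCertificate fields
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs        # drop optional [0] version
    sig_alg, validity, spki = tbs[1][1], tbs[3][1], tbs[5][1]
    if items(sig_alg)[0][1] != OID_SHA256_RSA:
        found.append("signature algorithm is not sha256WithRSAEncryption")
    start, end = (when(t, v) for t, v in items(validity))
    if (end - start).days > max_days:
        found.append(f"validity is {(end - start).days} days, limit {max_days}")
    if items(items(spki)[0][1])[0][1] != OID_RSA:
        return found + ["public key is not RSA"]
    key = items(spki)[1][1][1:]                        # BIT STRING minus unused-bits byte
    bits = int.from_bytes(items(items(key)[0][1])[0][1], "big").bit_length()
    if bits > max_bits:
        found.append(f"RSA key is {bits} bits, limit {max_bits}")
    return found

if __name__ == "__main__":
    for path in sys.argv[1:]:                          # e.g. python check.py device-1.cer
        print(path, nmc2_problems(open(path, errors="replace").read()) or "OK")
```

An empty list means the file is within the reported limits; it does not validate the signature or the chain.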

  • I upgraded the UPS to 6.9.6 and used the 1.0 NSW CLI. The process for generating the key runs smoothly and confirms the p15 was generated successfully, but when I try to upload it to the UPS it takes forever.


  • What is the length of the cert you created on your CA?

  • Let me clarify: was it a 1 year, 2 year, 3 year, etc.?

  • It is two years; the key length I'm using is 2048.

  • Ok,  NMC2 or NMC3 management card?

  • It is an NMC2 integrated into the UPS.

  • I have installed 30+ certs on NMC2 cards, AP9630 without any issues.  We have started to move to NMC3, AP9640, cards and can't seem to get a cert to load.  Used the exact same process:

    1. Create .CSR file using NMCSecurityWizard v1.0.0
      • NMCSecurityWizardCLI --csr -o timtestsignreq -n device-1.company.com -c US -l "Some City" -g "Companiy" -u "Team Name" -e email@company.com -a 192.168.0.20 -i https://device-1 -d device-1
    2. Go to our internal Cert Auth and create cert using the .csr file dropping everything before and after the Begin and End Cert
    3. Copy .CER to the same folder as the .p15 created in Step 1 above and run the following
      • NMCSecurityWizardCLI --import -o upsnewcert -s device-1.cer -p timtestsignreq
        • Results log show it completed without error
    4. Log in to the UPS and attempt to upload the upsnewcert.p15 file
      • It spins for a few seconds and then completes
      • Check the cert; it is still the self-generated APC cert
    5. SSH to the UPS and the /ssl folder contains the upsnewcert.p15 file

    Any idea why it does not seem to recognize the cert in the ssl folder?

  • Hi Tim,

    Upload the cert via the NMC web interface, the usual way.

    Then, can you try to SSH to the NMC3 and issue this command?

    ssl key -i ssl/certificate-name.p15

    Once you have done the above, run this command to see if the cert is loaded correctly.

    ssl cert -s

    Please let me know how this goes for you.

  • That did it!  Thank you!

  • This is what I get every time I try to upload a new cert to NMC2 cards running 6.9.6; it doesn't matter what version. Help!

    Thank you,
