Issuing SSL Certificates to APC Devices from Microsoft PKI

Here’s the process I used to issue SSL certificates to each of my APC network devices:

1. Download and run the “APC Security Wizard” software.  You can get this directly from APC’s website or from the utilities folder of the CD that came with the device.  I recommend checking the website for the newest version just in case a new feature came out.  At the time of this writing, the version was 1.03.

2. Launch the Security Wizard software

3. From the Select Action page, select Certificate Signing Request.  You can also specify a key size with version 1.03 or newer.  Click Next.

4. Click Browse and select a location to save the CSR file.  Give it a name while you are at it.  Click Next to continue.

5. On the Distinguished Name tab, fill out all the necessary information.  For Common Name, use the IP address or DNS name of the device.  (Note: InfraStruXure Central launches the device pages by IP address, so if you want your browser to not throw a security exception, use the IP address.)  For validity period, make sure the period end date falls within the guidelines for the certificate template you are going to use to request the cert.  In my case, this was the “Web Server” template which had a maximum validity of 2 years.  Click Next.

6. The Generate File page will summarize your configuration.  Click Next to create the certificate request.

7. Click Finish on the final page to complete the CSR file creation.  If you navigate to the location you saved the request, you will see two files were created.  One file is the CSR and the other is the private key saved in .p15 format.

8. Open your web browser and navigate to your issuing CA.  Make sure you are running the web browser with a user account that has privileges to make requests for the “Web Server” template.

9. From the main CA page, click Request a certificate

10. Click Advanced Certificate Request

11. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

12. Open the .csr request file created through the APC Security Wizard earlier and copy the text into the Saved Request box.  Select an appropriate template (In my case this was the “Web Server” template.  I attempted to duplicate the template and rename it APC devices from my issuing CA but I was unsuccessful getting the Security Wizard to use any certificates signed with the duplicated template.)  Click Submit

13. The Web Server template on my CA is set up to automatically approve requests, so I did not need to approve the request.  You may need to go into your CA to manually approve the request.  Once the certificate has been signed, download it to the same place as your .csr and .p15 files.  Click the Base 64 encoded option and then Download certificate.

14. At this point you now have three files: a certificate request (.csr), a private key (.p15) and a signed certificate (.cer).  Now it’s time to create the certificate that will be uploaded to the APC device.  Launch the APC Security Wizard tool.  Click Next on the first page of the wizard.

15. Click Import Signed Certificate and click Next

16. Browse to the location of your signed certificate and click Next

17. Browse to the location of your private key file and click Next

18. Give your new certificate a name.  Make sure it isn’t the same as your original request.  Click Next

19. Check all the information on the summary page before clicking Next to generate the certificate.

20. Click Finish to complete the certificate generation.

21. The next step is to upload your new certificate to your APC device.  Open a web browser and navigate to the device’s IP or DNS name.  Log in to the administrative interface.

22. Navigate to the Administration tab, then click the Network sub-tab.

23. Under the Web section, click ssl certificate

24. Click the Browse button and navigate to your completed certificate.  Click Apply to upload and install the new certificate.  You may need to restart the network management card for the new cert to take effect.

25. Now you need to tell the web interface to allow only SSL traffic.  You do this under the Web section by clicking on access and choosing the option for Enable HTTPS.  Again you may need to reboot for this to take effect.

That’s it, you’re now set up with a certificate issued by your Microsoft PKI!  I ran into some strange issues when duplicating the “Web Server” template on my CA and attempting to sign certificates with it.  The CA would sign them successfully but the APC Security Wizard would error out during the import process with an error -32.  I spent a few hours playing with this but was unable to find a solution other than just using the Web Server template.
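
A pre-import check for the signed certificate downloaded in step 13, added here as an example (it is not from the original post or from APC). It tests a certificate against the constraints this page mentions: Common Name, validity period, key size, and the Microsoft Application Policies extension. The function name `Test-ApcCertificate`, its parameters and the address 192.0.2.10 are assumptions; the 1024-bit limit and the link between Application Policies and error -32 are readers' reports from the comments, not confirmed APC behaviour. The constructed sample needs .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
# Added example: checks to run on a CA-issued certificate before importing it
# into the APC Security Wizard. Default limits are assumptions taken from this page.
function Test-ApcCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$ExpectedName,  # IP or DNS name used as Common Name
        [int]$MaxKeyBits = 1024,       # readers report older cards reject 2048-bit keys
        [int]$MaxValidityYears = 2     # "Web Server" template maximum quoted in the post
    )
    $findings = @()

    # The Common Name must match how the device is reached (IP address or DNS name).
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    if ($cn -ne $ExpectedName) { $findings += "CN '$cn' does not match '$ExpectedName'" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if ($null -eq $rsa) { $findings += 'public key is not RSA' }
    elseif ($rsa.KeySize -gt $MaxKeyBits) {
        $findings += "key is $($rsa.KeySize) bits; card limit assumed to be $MaxKeyBits"
    }

    if ($Certificate.NotAfter -gt $Certificate.NotBefore.AddYears($MaxValidityYears)) {
        $findings += "validity period exceeds $MaxValidityYears years"
    }

    # 1.3.6.1.4.1.311.21.10 is the OID of Microsoft's Application Policies extension.
    $appPolicies = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.10' }
    if ($appPolicies) { $findings += 'Application Policies extension present' }

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Pass     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed sample: a self-signed 2048-bit certificate valid for 3 years,
# built in memory so the check can be tried without a CA.
$key = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=192.0.2.10', $key,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddYears(3))
Test-ApcCertificate -Certificate $sample -ExpectedName '192.0.2.10'
```

To check a downloaded file instead, pass `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)` as `-Certificate`, where `$path` points at your .cer file.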

6 responses to “Issuing SSL Certificates to APC Devices from Microsoft PKI”

  1. Hi Mike, great tutorial. I had version 1.01 of the security wizard and couldn’t manage to get our MS CA issued certs installed. I downloaded the 1.04 version and following your instruction was a breeze, thanks!

  2. Tested and working on the apc-ap7921 with server 2012 CA.
    Wouldn’t work with a 2048-bit key though; had to revert to 1024.

  3. Alberto de_la_Torre

    Would love to figure out why when you create a duplicate of the “Web Server” template it fails with error -32. I hammered at this for 4 hours today and couldn’t get it to work. Does anyone have any suggestions on how to troubleshoot?

  4. Alberto de_la_Torre

    The only difference between using the default “Web Server” template and one you create by duplicating it is the addition of a field called “Application Policies”. This appears to be a Microsoft construct (I’m using Microsoft PKI to generate my certs). I cannot find any reference to “application policies” in the PKI RFCs. Ideally the APC Security Wizard would ignore it, but I believe this is what is causing the error -32 failure.

  5. Great tutorial – anyone know how to include the certificate chain? Firefox complains that “The certificate is not trusted because no issuer chain was provided”.

  6. Great article and thanks to responders for additional help. Confirmed that, at least on my APC PDUs and older cards, only 1024-bit certs will upload.
