Here’s the process I used to issue SSL certificates to each of my APC network devices:
1. Download and run the “APC Security Wizard” software. You can get this directly from APC’s website or from the utilities folder of the CD that came with the device. I recommend checking the website for the newest version just in case a new feature came out. At the time of this writing, the version was 1.03.
3. Launch the Security Wizard software.
3. From the Select Action page, select Certificate Signing Request. You can also specify a key size with version 1.03 or newer. Click Next.
4. Click Browse and select a location to save the CSR file. Give it a name while you are at it. Click Next to continue.
5. On the Distinguished Name tab, fill out all the necessary information. For Common Name, use the IP address or DNS name of the device. (Note: InfraStruXure Central launches the device pages by IP address, so if you want your browser to not throw a security exception, use the IP address.) For validity period, make sure the period end date falls within the guidelines for the certificate template you are going to use to request the cert. In my case, this was the “Web Server” template, which had a maximum validity of 2 years. Click Next.
6. The Generate File page will summarize your configuration. Click Next to create the certificate request.
7. Click Finish on the final page to complete the CSR file creation. If you navigate to the location you saved the request, you will see two files were created. One file is the CSR and the other is the private key saved in .p15 format.
8. Open your web browser and navigate to your issuing CA. Make sure you are running the web browser with a user account that has privileges to make requests for the “Web Server” template.
9. From the main CA page, click Request a certificate.
10. Click Advanced Certificate Request.
11. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
12. Open the .csr request file created through the APC Security Wizard earlier and copy the text into the Saved Request box. Select an appropriate template. (In my case this was the “Web Server” template. I attempted to duplicate the template and rename it APC devices from my issuing CA, but I was unsuccessful getting the Security Wizard to use any certificates signed with the duplicated template.) Click Submit.
13. The Web Server template on my CA is set up to automatically approve requests, so I did not need to approve the request. You may need to go into your CA to manually approve the request. Once the certificate has been signed, download it to the same place as your .csr and .p15 files. Click the Base 64 encoded option and then Download certificate.
14. At this point you now have three files: a certificate request (.csr), a private key (.p15) and a signed certificate (.cer). Now it’s time to create the certificate that will be uploaded to the APC device. Launch the APC Security Wizard tool. Click Next on the first page of the wizard.
15. Click Import Signed Certificate and click Next.
16. Browse to the location of your signed certificate and click Next.
17. Browse to the location of your private key file and click Next.
18. Give your new certificate a name. Make sure it isn’t the same as your original request. Click Next.
19. Check all the information on the summary page before clicking Next to generate the certificate.
20. Click Finish to complete the certificate generation.
21. The next step is to upload your new certificate to your APC device. Open a web browser and navigate to the device’s IP or DNS name. Log in to the administrative interface.
22. Navigate to the Administration tab, then click the Network sub-tab.
23. Under the Web section, click ssl certificate.
24. Click the Browse button and navigate to your completed certificate. Click Apply to upload and install the new certificate. You may need to restart the network management card for the new cert to take effect.
25. Now you need to tell the web interface to allow only SSL traffic. You do this under the Web section by clicking on access and choosing the option for Enable HTTPS. Again, you may need to reboot for this to take effect.
That’s it, you’re now set up with a certificate issued by your Microsoft PKI! I ran into some strange issues when duplicating the “Web Server” template on my CA and attempting to sign certificates with it. The CA would sign them successfully but the APC Security Wizard would error out during the import process with an error -32. I spent a few hours playing with this but was unable to find a solution other than just using the Web Server template.
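
An added example, not part of the original post: a check to run between steps 14 and 15, confirming that the certificate downloaded from the CA was issued for the key in the wizard's CSR, carries the expected Common Name, and ends within the template's limit. It assumes OpenSSL is installed on the workstation and that both files are Base 64 (PEM) text; the function name, file names and the 192.0.2.10 address are placeholders.

```shell
#!/bin/sh
# Added example (not APC or Microsoft tooling): pre-import check of a
# CA-issued certificate against the CSR the Security Wizard produced.
# Usage: sh check_cert.sh device.csr device.cer 192.0.2.10 [max_days]

check_issued_cert() {
    # 731 days = the 2-year "Web Server" limit, allowing for a leap day.
    csr=$1; cer=$2; want_cn=$3; max_days=${4:-731}

    # 1. The certificate must carry the same public key as the request;
    #    otherwise it cannot pair with the .p15 private key from step 7.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read CSR $csr"; return 2; }
    cer_key=$(openssl x509 -in "$cer" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $cer"; return 2; }
    if [ "$csr_key" != "$cer_key" ]; then
        echo "FAIL: certificate was not issued for this CSR's key"; return 1
    fi

    # 2. The Common Name must equal the address used to reach the device
    #    (step 5: the IP address when pages are launched by IP).
    got_cn=$(openssl x509 -in "$cer" -noout -subject -nameopt multiline |
             sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$got_cn" != "$want_cn" ]; then
        echo "FAIL: CN is '$got_cn', expected '$want_cn'"; return 1
    fi

    # 3. Reject an expired certificate, and one whose end date lies more
    #    than max_days from now. "-checkend N" exits 0 when the
    #    certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cer" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; return 1
    fi
    if openssl x509 -in "$cer" -noout -checkend $((max_days * 86400)) >/dev/null; then
        echo "FAIL: certificate is valid for more than $max_days more days"; return 1
    fi

    echo "OK: $cer matches $csr (CN=$got_cn)"
}

# Run the check only when file arguments are supplied.
if [ "$#" -ge 3 ]; then
    check_issued_cert "$@"
fi
```

The function returns 0 when all three checks pass, 1 when a check fails, and 2 when a file cannot be parsed.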