<sub>(2025/05/21)</sub>
#ADCS #Certificates #microsoft #WindowsServer
## Introduction
Recently I had the opportunity to deploy a new Active Directory Certificate Service (ADCS) server in my environment with a new root certificate, which allowed me to finally deploy internal certificates for HTTPS usage. Unfortunately, for the handful of APC UPSes I have, I found that deploying an internal ADCS certificate to the web management pages of their Network Management Cards (NMCs) was an obtuse process until I managed to figure it out with the help of a wonderful tool called `APC P15 Tool`. Previously, you had to use a suite of tools from APC in order to deploy certificates to your NMCs, but `APC P15 Tool` now makes it an effortless experience.
My environment:
* ADCS Server running on Windows Server 2022
* APC Smart-UPS X 3000 devices (SKU SMX3000LVNC)
* UPS Network Management Cards 2 -> model AP9631
## Prerequisites
### Understanding Certificate Limitations
Due to limitations with various APC NMCs, the root certificate utilized by your ADCS server must use `SHA256` or less for its hash algorithm; if your issuing certificate has a hash algorithm greater than `SHA256` (such as `SHA512`), it will not work and your Network Management Card will reject it (even if it correctly "installs").
For a more detailed discussion on this limitation, please see [the following discussion on the APC UPS Data Center & Enterprise Solutions Forum (specifically `MrPunch's` 2023-02-02 01:00 PM post)](https://web.archive.org/web/20250521201631/https://community.se.com/t5/APC-UPS-Data-Center-Enterprise/Uploading-Private-SSL-Certificates/td-p/336853/page/3).
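One way to check this limitation before touching the NMC is to walk the certificate chain and report each certificate's signature hash. This is an added example, not code from the original post or from `APC P15 Tool`; the function name `Test-NmcChainHash` is hypothetical, and it assumes your CA certificates are in the local certificate store so the chain can be built.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: list every certificate in the chain of $CertPath together
# with its signature algorithm, and flag hashes above SHA256.
function Test-NmcChainHash {
    param([Parameter(Mandatory)][string]$CertPath)   # e.g. .\YOURCERT.cer or an exported CA certificate

    $cert  = [X509Certificate2]::new((Resolve-Path $CertPath).Path)
    $chain = [X509Chain]::new()
    # Only signature hashes are inspected here, so skip revocation checks
    # (they may require network access to the CRL distribution point).
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)   # result ignored: an untrusted chain is still listed

    foreach ($element in $chain.ChainElements) {
        $c   = $element.Certificate
        $alg = $c.SignatureAlgorithm.FriendlyName    # e.g. sha256RSA, sha512RSA
        $verdict = switch -Regex ($alg) {
            'sha(384|512)' { 'Above SHA256: rejected by the NMC'; break }
            'sha(1|256)'   { 'Within the NMC limit'; break }
            # RSASSA-PSS and similar names do not reveal the hash.
            default        { 'Unknown: check the hash manually' }
        }
        [pscustomobject]@{
            Subject            = $c.Subject
            SelfSigned         = ($c.Subject -eq $c.Issuer)
            SignatureAlgorithm = $alg
            Verdict            = $verdict
        }
    }
}

# Usage: Test-NmcChainHash -CertPath .\YOURCERT.cer | Format-Table -AutoSize
```

If only one row is returned for an issued certificate, the chain could not be built on this machine; run the function against the exported CA certificates as well.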
### Update The Firmware on The NMCs
If you are like me (and 99% of System Administrators), the firmware on your NMCs has not been updated in a while. Prior to installing your new HTTPS certificate(s), it is strongly advised that you update the firmware on your NMCs, as it makes for a better, error-free experience.
> [!note] Note
> Updating the firmware on your NMC(s) will NOT restart your APC UPS unit itself, only the management card.
If you do not update the firmware on your NMCs, then you might receive the following error message later on when attempting to install your certificate with `APC P15 Tool`:
* `install: failed to connect to host (ssh: handshake failed: ssh: no common algorithm for client to server cipher; client offered: [[email protected] [email protected] [email protected] aes128-ctr aes192-ctr aes256-ctr], server offered: [aes256-cbc 3des-cbc])`
Steps to update NMC firmware:
1. [Browse to the APC website](https://www.apc.com/ca/en/download/software-firmware/) and then navigate to the download page associated with your device's model number
2. Under the firmware category, select the correct firmware for your model of NMC (in my case it is for an AP9631) and then download the .exe installer
![[APC-01.png]]
3. Run the downloaded .exe; the files will extract to the folder where you launched the .exe (unless you change the location), and then the `NMC Firmware Update Utility` will automatically launch
![[APC-02.png]]
4. From here, enter in your device's host name (or IP), select FTP (which worked in my case unlike SCP), provide your credentials, and then select `Start Update`
![[APC-04.png]]
5. Wait 5 minutes and then the update will finish
![[APC-03.png]]
## Installing an ADCS Certificate
There is a three-step process we need to follow to install our own HTTPS certificate issued by our ADCS server onto our NMC(s):
1. Generating a CSR
2. Having our ADCS server issue a certificate with the previously generated CSR
3. Installing the newly created certificate with `apc-p15-tool`
- We can either use the tool to automatically deploy the certificate for us or install it manually
### Generating a CSR
First, we need to generate a certificate signing request for our NMC(s). There are many ways to do this, but the easiest way I have found is to use a website such as [Certificate Tools](https://certificatetools.com/) and then download the .csr file and private key file.
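As one of the other ways to do this, the key and CSR can be generated locally so the private key never leaves your machine. This is an added example, not part of the original post: the function names are hypothetical, it assumes PowerShell 7, an RSA 2048 key, and that `APC P15 Tool` accepts a PKCS#1 PEM key file.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example: wrap DER bytes in a PEM envelope with the given label.
function ConvertTo-Pem([string]$Label, [byte[]]$Der) {
    $b64 = [Convert]::ToBase64String($Der, [Base64FormattingOptions]::InsertLineBreaks)
    "-----BEGIN $Label-----`r`n$b64`r`n-----END $Label-----`r`n"
}

# Added example: create YOURKEY.key and YOURCSR.csr (the placeholder names
# used in this post) for one NMC host name.
function New-NmcCsr {
    param(
        [Parameter(Mandatory)][string]$HostName,   # e.g. YOUR-NMC-HOSTNAME
        [string[]]$AltNames = @(),                 # extra DNS names for the SAN
        [int]$KeySize = 2048,                      # assumption: RSA 2048
        [string]$OutDir = '.'
    )
    $rsa = [RSA]::Create($KeySize)
    try {
        # Sign the request with SHA256 and put the host name in CN and SAN.
        $req = [CertificateRequest]::new("CN=$HostName", $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
        $san = [SubjectAlternativeNameBuilder]::new()
        foreach ($name in @($HostName) + $AltNames) { $san.AddDnsName($name) }
        $req.CertificateExtensions.Add($san.Build($false))

        $csrPath = Join-Path $OutDir 'YOURCSR.csr'
        $keyPath = Join-Path $OutDir 'YOURKEY.key'
        ConvertTo-Pem 'CERTIFICATE REQUEST' ($req.CreateSigningRequest()) |
            Set-Content -Path $csrPath -Encoding ascii -NoNewline
        ConvertTo-Pem 'RSA PRIVATE KEY' ($rsa.ExportRSAPrivateKey()) |
            Set-Content -Path $keyPath -Encoding ascii -NoNewline
        [pscustomobject]@{ Csr = $csrPath; Key = $keyPath }
    }
    finally { $rsa.Dispose() }
}

# Usage: New-NmcCsr -HostName 'YOUR-NMC-HOSTNAME'
```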
### Issue a Certificate
There are many ways to request a certificate from your certificate authority, but the easiest way I have found is utilizing `certreq`.
1. Utilizing the .csr file from the last step, we will request a certificate from our certificate authority with our certificate template of choice:
- If you do not have a custom template designed for HTTPS use, then you can use the default `Web Server` template in ADCS once you have configured your ADCS server to utilize it
- Run the following command to request a certificate (only the .csr is submitted; `certreq` treats a second file name as the output path for the issued certificate, so the private .key file must not be passed here):
`certreq -submit -attrib "CertificateTemplate:YOUR-CERT-TEMPLATE" .\YOURCSR.csr`
- Select the correct certificate authority and select OK
![[APC-08.png]]
- Pay special attention to the `RequestID` generated by this request, as you will need this ID later
![[APC-09.png]]
2. Approve the certificate request (skip this step if your certificate is automatically approved)
![[APC-10.png]]
3. Download your new certificate
- Run the following command but replace `XXX` with your `RequestID` from the previous steps -> `certreq -retrieve XXX`
- Then save the certificate locally, naming it whatever you would like with a `.cer` extension
![[APC-11.png]]
![[APC-12.png]]
### Installing the certificate
Finally, we are going to download `APC P15 Tool` and use it to install our certificate. Essentially, what `APC P15 Tool` does is convert our certificate into the `.p15` certificate format that can be used by NMCs.
[You can download the latest version of `APC P15 Tool` here under the releases section.](https://github.com/gregtwallace/apc-p15-tool)
* Make sure to send the creator some positive feedback and even a donation to say thanks!
We can utilize `APC P15 Tool` to deploy our certificate in two ways:
1. We can install the key and certificate remotely
2. We can manually install the certificate via the web portal
#### Remotely
1. Download the latest version of `APC P15 Tool` for your operating system and unzip the .zip file
![[APC-05.png]]
2. Copy over the previously created certificate and key files to the newly extracted folder containing `APC P15 Tool` and then launch a console session (in my case PowerShell) from this folder (or navigate to it)
![[APC-06.png]]
![[APC-07.png]]
3. We are now going to run the following `APC P15 Tool` command:
```
.\apc-p15-tool.exe install `
--keyfile .\YOURKEY.key `
--certfile .\YOURCERT.cer `
--hostname YOUR-NMC-HOSTNAME `
--username YOURUSERNAME --password YOURPASSWORD `
--fingerprint NMC-SSH-FINGERPRINT
```
- If you do not know the SSH fingerprint for your NMC device, you can put in a random value for it (such as `ABC1234`) and then attempt to run `APC P15 Tool`, which will fail but will then provide you with the correct SSH fingerprint of your device (which you can then use in your command)
![[APC-13.png]]
- SSH has to be enabled on your device for this command to work
4. If `APC P15 Tool` ran properly, then the NMC now has an HTTPS certificate installed (which can be confirmed by navigating to the NMC's management portal)
![[APC-14.png]]
![[APC-15.png]]
#### Web Portal Install
1. Download the latest version of `APC P15 Tool` for your operating system and unzip the .zip file
![[APC-05.png]]
2. Copy over your previously created certificate and key files to the newly extracted folder containing `APC P15 Tool` and then launch a console session (in my case PowerShell) from this folder (or navigate to it)
![[APC-06.png]]
![[APC-07.png]]
3. We are now going to run the following command to generate the `.p15` file (the file will be created in the folder where the command was run)
- `.\apc-p15-tool.exe create --keyfile .\YOURKEY.key --certfile .\YOURCERT.cer`
![[APC-16.png]]
![[APC-17.png]]
4. Navigate to the NMC's management portal, sign in with your admin account, and then install the newly created `.p15` certificate
![[APC-18.png]]
![[APC-19.png]]
5. Once installed, your NMC now has an HTTPS certificate!
![[APC-15.png]]