Generate .p15 (PKCS#15) file with key/certificate?

Kind of an oddball question, I expect, but since Let’s Encrypt is up and running and giving free, trusted TLS certs, I want to ENCRYPT ALL THE THINGS!! Including internal servers, which don’t really need trusted certs, but browsers are getting pickier all the time about dealing with self-signed certs.

The current example is an APC UPS with the Network Management Card 2. That card gives a pretty nice web UI, SNMP capabilities, etc., and supports TLS connections for the web UI. It also allows you to upload your own TLS cert to the unit, rather than relying only on an auto-generated cert on the unit.

The problem is that it requires the cert to be in a .p15 format. Some Googling last night didn’t turn up a great deal of information on this format, and what I did find seemed more related to smart cards than to anything I’m interested in. I understand that it’s somewhat similar to PKCS#12, in that a private key and a certificate are bundled into the same file. Is there any way I can turn the cert/chain/key files from Let’s Encrypt into a .p15 file for the UPS?

4 Likes

./pemtrans file.key file.crt keyset.p15 "common name" "password"

If pemtrans doesn't work for your device, try the APC-specific fork - GitHub - freddy36/apc_tools: Tools for APC devices

3 Likes

Ah, I’d seen pemtrans, but didn’t quite see how it would work with my device. The APC fork, though, looks like just what I need. Thanks!

3 Likes

Did you ever get something automated to use letsencrypt certs on APC equipment? The short expiration window kills any idea of doing this manually.

Thanks!

1 Like

No, I gave up on the idea. I wasn’t able to make pemtrans work, but even if I had I didn’t see that there was a way to automate deployment.

3 Likes

Not to bump a dead thread, but if you're still having this issue I created an open source tool to create the expected .p15 file from regular key.pem and cert.pem files. It only supports 2048-bit keys though (since I made it for use with public ACME services, which only allow 2048-bit keys as the smallest).

It also has a built-in function to directly install the pem files on a UPS.

5 Likes

I'd long since given up on it, but this looks like it could do what I need. Since you say it only supports 2048-bit keys, I assume that also means it only supports RSA keys/certs. And it looks like it wants the SSH host key fingerprint without colons?

4 Likes

Yes, only RSA. The original tool only supported RSA1024 and 2048 so I didn’t even bother to try otherwise. I highly doubt it would work as the NMC almost certainly doesn’t have the code.

As for the fingerprint, if you’re just making the p15 file you don’t need it. If you want the automated install, the sha256 fingerprint without colons is needed. It can either be in base64 format or hex. If you want to know yours you can run the command with --debug and it will print the fingerprint from the connection (obviously make sure your connection is secure). This is mandatory since it is akin to validating an ssl cert connection.

4 Likes
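An added helper, not part of the tool discussed in this thread, that shows how the fingerprint the reply describes is produced and checked: SHA-256 over the raw host-key blob, without colons, in either hex or OpenSSH-style base64. It parses a keyscan-style line (the sample key line and its 32 key bytes are constructed here, not a real device key) and compares a pinned fingerprint against a freshly seen key, accepting either spelling.

```python
"""Compute and compare an SSH host-key fingerprint in the two spellings
the installer expects: SHA-256, no colons, hex or base64 (no '=' padding)."""
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data

# Constructed sample host-key line, shaped like `ssh-keyscan` output. The
# 32 key bytes are placeholders, not a real NMC host key.
SAMPLE_HOSTKEY_LINE = "ups.example.internal ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode()

def hostkey_digest(keyline: str) -> bytes:
    """SHA-256 of the raw key blob from a known_hosts / keyscan line."""
    fields = keyline.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <type> <base64-blob>'")
    blob = base64.b64decode(fields[2], validate=True)
    return hashlib.sha256(blob).digest()

def fingerprint_hex(keyline: str) -> str:
    return hostkey_digest(keyline).hex()

def fingerprint_b64(keyline: str) -> str:
    # OpenSSH prints SHA256 fingerprints as base64 with the trailing '=' removed.
    return base64.b64encode(hostkey_digest(keyline)).decode().rstrip("=")

def normalize_fingerprint(fp: str) -> bytes:
    """Accept hex or base64, with or without colons, 'SHA256:' prefix or
    padding, and return the raw 32-byte digest so both spellings compare."""
    fp = fp.strip()
    if fp.startswith("SHA256:"):
        fp = fp[len("SHA256:"):]
    fp = fp.replace(":", "")
    if len(fp) == 64 and all(c in "0123456789abcdefABCDEF" for c in fp):
        return bytes.fromhex(fp)
    raw = base64.b64decode(fp + "=" * (-len(fp) % 4), validate=True)
    if len(raw) != 32:
        raise ValueError("not a SHA-256 fingerprint")
    return raw

def hostkey_matches(keyline: str, pinned: str) -> bool:
    """Constant-time comparison of a seen host key against the pinned value."""
    return hmac.compare_digest(hostkey_digest(keyline), normalize_fingerprint(pinned))
```

Record the fingerprint once over a connection you trust (the --debug output mentioned above, or a keyscan on a known-good network), then pin it; any later mismatch means the install should abort rather than proceed.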

Once older SSH algorithms are enabled, this does just what it says on the tin. Great! Now I'm seeing this:
[image]

...which is exactly what should be there.

One other question, though: once a new cert is uploaded, do I need to do anything to get the NMC to use it, like a restart/reload? Or does your tool handle whatever's needed for that as well?

4 Likes

It’s interesting. If you upload the file via the webui it tells you to restart the webui to get it to load. However, when I copy it with scp it starts using it right away.

I’m not sure if all NMCs do that, but I’m planning to add a restart option. You can test it by pushing two different certs back and forth and if it doesn’t make you restart you’re good.

2 Likes

I've now used your tool with a new cert, and I'm seeing the same thing. I had to restart the NMC to enable HTTPS, but cert changes don't seem to require it on mine either.

4 Likes
