Kind of an oddball question, I expect, but since Let’s Encrypt is up and running and giving free, trusted TLS certs, I want to ENCRYPT ALL THE THINGS!! Including internal servers, which don’t really need trusted certs, but browsers are getting pickier all the time about dealing with self-signed certs.
The current example is an APC UPS with the Network Management Card 2. That card gives a pretty nice web UI, SNMP capabilities, etc., and supports TLS connections for the web UI. It also allows you to upload your own TLS cert to the unit, rather than relying only on an auto-generated cert on the unit.
The problem is that it requires the cert to be in a .p15 format. Some Googling last night didn’t turn up a great deal of information on this format, and what I did find seemed more related to smart cards than to anything I’m interested in. I understand that it’s somewhat similar to PKCS#12, in that a private key and a certificate are bundled into the same file. Is there any way I can turn the cert/chain/key files from Let’s Encrypt into a .p15 file for the UPS?
Not to bump a dead thread, but if you're still having this issue I created an open source tool to create the expected .p15 file from regular key.pem and cert.pem files. It only supports 2048-bit keys though (since I made it for use with public ACME services, which only allow 2048-bit keys as the smallest).
It also has a built in function to directly install the pem files on a UPS.
I'd long since given up on it, but this looks like it could do what I need. Since you say it only supports 2048-bit keys, I assume that also means it only supports RSA keys/certs. And it looks like it wants the SSH host key fingerprint without colons?
Yes, only RSA. The original tool only supported RSA1024 and 2048 so I didn’t even bother to try otherwise. I highly doubt it would work as the NMC almost certainly doesn’t have the code.
As for the fingerprint, if you’re just making the p15 file you don’t need it. If you want the automated install, the sha256 fingerprint without colons is needed. It can either be in base64 format or hex. If you want to know yours you can run the command with --debug and it will print the fingerprint from the connection (obviously make sure your connection is secure). This is mandatory since it is akin to validating an ssl cert connection.
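As an added illustration of the two fingerprint forms described in the post above (colonless hex and OpenSSH-style base64 of the SHA-256 over the host key blob), here is a small stand-alone script. It is not code from the thread or from the tool being discussed; it assumes the tool accepts exactly the forms the post names, and the RSA key it hashes is a constructed placeholder (a made-up modulus, not a real host key), so the fingerprint it prints is only meaningful for checking the formatting logic. Its practical use is to compute the expected fingerprint from a host key obtained out of band (for example from the NMC console or a known_hosts line) so that the value printed by `--debug` can be compared against it rather than trusted on first contact.

```python
import base64
import hashlib
import hmac
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # SSH mpint: big-endian magnitude with a leading 0x00 if the high bit is set,
    # so the number is not read as negative.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "constructed") -> str:
    """Encode an RSA public key as an OpenSSH 'ssh-rsa <base64> <comment>' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprint_bytes(public_key_line: str) -> bytes:
    """SHA-256 over the raw key blob, which is what ssh-keygen -lf hashes."""
    fields = public_key_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    return hashlib.sha256(base64.b64decode(fields[1])).digest()


def fingerprint_base64(public_key_line: str) -> str:
    # OpenSSH prints SHA256 fingerprints as base64 with the '=' padding removed.
    return base64.b64encode(fingerprint_bytes(public_key_line)).decode().rstrip("=")


def fingerprint_hex(public_key_line: str) -> str:
    # Lowercase hex with no colons, the other form the post says the tool takes.
    return fingerprint_bytes(public_key_line).hex()


def normalize_fingerprint(text: str) -> bytes:
    """Accept 'SHA256:<b64>', bare base64, or hex with or without colons.

    Returns the 32 raw digest bytes so differently formatted fingerprints
    can be compared for equality.
    """
    s = text.strip()
    if s.upper().startswith("SHA256:"):
        s = s[len("SHA256:"):]
    compact = s.replace(":", "")
    if re.fullmatch(r"[0-9a-fA-F]{64}", compact):
        return bytes.fromhex(compact)
    padded = s + "=" * (-len(s) % 4)  # restore padding OpenSSH strips
    digest = base64.b64decode(padded, validate=True)
    if len(digest) != 32:
        raise ValueError("not a SHA-256 fingerprint")
    return digest


def fingerprints_match(expected: str, observed: str) -> bool:
    """Compare two fingerprints regardless of form, in constant time."""
    return hmac.compare_digest(normalize_fingerprint(expected),
                               normalize_fingerprint(observed))


# Constructed placeholder key: e=65537 and a made-up 2048-bit modulus.
# This is NOT a real key and NOT any device's host key.
CONSTRUCTED_KEY_LINE = build_rsa_public_key_line(65537, (1 << 2047) + 12345)

if __name__ == "__main__":
    print("base64 form:", "SHA256:" + fingerprint_base64(CONSTRUCTED_KEY_LINE))
    print("hex form:   ", fingerprint_hex(CONSTRUCTED_KEY_LINE))
    # Simulate checking a value printed by --debug against the out-of-band one.
    seen = fingerprint_hex(CONSTRUCTED_KEY_LINE)
    print("match:", fingerprints_match("SHA256:" + fingerprint_base64(CONSTRUCTED_KEY_LINE), seen))
```

To use it against a real device, replace `CONSTRUCTED_KEY_LINE` with the `ssh-rsa ...` line from the device's known_hosts entry or console output; `fingerprints_match` then lets you compare the `--debug` value against it whether either side is printed as `SHA256:` base64, bare base64, or colon-separated hex.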
Once older SSH algorithms are enabled, this does just what it says on the tin. Great! Now I'm seeing this:
...which is exactly what should be there.
One other question, though: once a new cert is uploaded, do I need to do anything to get the NMC to use it, like a restart/reload? Or does your tool handle whatever's needed for that as well?
It’s interesting. If you upload the file via the webui it tells you to restart the webui to get it to load. However, when I copy it with scp it starts using it right away.
I’m not sure if all NMCs do that, but I’m planning to add a restart option. You can test it by pushing two different certs back and forth and if it doesn’t make you restart you’re good.
I've now used your tool with a new cert, and I'm seeing the same thing. I had to restart the NMC to enable HTTPS, but cert changes don't seem to require it on mine either.