2024-01-26 01:20:07 +00:00
|
|
|
# APC P15 Tool
|
2024-01-27 16:55:34 +00:00
|
|
|
A tool to create APC p15 formatted certificates from pem files, without
|
2024-01-26 01:20:07 +00:00
|
|
|
having to use APC's closed-source tool, APC generated keys, or other
|
|
|
|
proprietary tools (such as cryptlib).
|
|
|
|
|
2024-02-04 14:36:15 +00:00
|
|
|
## Compatibility Notice
|
|
|
|
|
|
|
|
This tool's create functionality is modeled from the APC NMCSecurityWizardCLI
|
|
|
|
aka `NMC Security Wizard CLI Utility`. The files it generates should be
|
2024-02-04 15:59:58 +00:00
|
|
|
comaptible with any UPS that accepts p15 files from that tool. Only RSA 1,024
|
|
|
|
and 2,048 bit keys are accepted. 1,024 bit RSA is no longer considered
|
|
|
|
completely secure; avoid keys of this size if possible. Most (all?) public
|
|
|
|
ACME services won't accept keys of this size anyway.
|
2024-02-04 14:36:15 +00:00
|
|
|
|
|
|
|
The install functionality is a custom creation of mine so it may or may not
|
|
|
|
work depending on your exact setup. My setup (and therefore the testing
|
|
|
|
setup) is:
|
|
|
|
- APC Smart-UPS 1500VA RM 2U SUA1500RM2U (Firmware Revision 667.18.D)
|
|
|
|
- AP9631 NMC2 Hardware Revision 05 running AOS v7.0.4 and Boot Monitor
|
|
|
|
v1.0.9.
|
|
|
|
|
|
|
|
If you have problems you can post the log in an issue and I can try to fix it
|
|
|
|
but it may be difficult without your particular hardware to test with.
|
|
|
|
|
|
|
|
In particular, if you are experiencing `ssh: handshake failed:` please run
|
|
|
|
`ssh -vv myups.example.com` and include the `peer server KEXINIT proposal`
|
|
|
|
in your issue. For example:
|
|
|
|
|
|
|
|
```
|
|
|
|
debug2: peer server KEXINIT proposal
|
|
|
|
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256
|
|
|
|
debug2: host key algorithms: ssh-rsa
|
|
|
|
debug2: ciphers ctos: aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
|
|
|
|
debug2: ciphers stoc: aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
|
|
|
|
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
|
|
|
|
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
|
|
|
|
debug2: compression ctos: none
|
|
|
|
debug2: compression stoc: none
|
|
|
|
debug2: languages ctos:
|
|
|
|
debug2: languages stoc:
|
|
|
|
```
|
|
|
|
|
2024-01-27 16:55:34 +00:00
|
|
|
## Usage
|
2024-01-26 01:20:07 +00:00
|
|
|
|
2024-02-03 15:54:32 +00:00
|
|
|
Currently the tool contains two commands: create and install. The tool
|
|
|
|
can be run with the --help flag to see options.
|
2024-01-27 16:55:34 +00:00
|
|
|
|
2024-02-03 15:54:32 +00:00
|
|
|
i.e. `./apc-p15-tool --help`
|
|
|
|
|
|
|
|
Help can also be run on a subcommand to see the options for that
|
|
|
|
subcommand.
|
|
|
|
|
|
|
|
e.g. `./apc-p15-tool install --help`
|
|
|
|
|
|
|
|
### Create
|
|
|
|
|
|
|
|
Create creates an apc p15 file from given key and cert pem files or
|
|
|
|
content.
|
|
|
|
|
|
|
|
e.g. `./apc-p15-tool create --keyfile ./apckey.pem --certfile ./apccert.pem`
|
|
|
|
|
|
|
|
The command outputs ./apctool.p15 by default. This file can be
|
|
|
|
directly loaded on to an APC NMC2 (Network Management Card 2).
|
|
|
|
|
|
|
|
### Install
|
|
|
|
|
|
|
|
Install works similarly to create except it doesn't save the p15 file
|
|
|
|
to disk. It instead uploads the p15 file directly to the specified
|
|
|
|
remote host, via scp.
|
|
|
|
|
|
|
|
e.g. `./apc-p15-tool install --keyfile ./apckey.pem --certfile ./apccert.pem --apchost myapc.example.com:22 --username apc --password someSecret --fingerprint 123abc`
|
|
|
|
|
|
|
|
## Note About Install Automation
|
|
|
|
|
|
|
|
The application supports passing all args instead as environment
|
|
|
|
variables by prefixing the flag name with `APC_P15_TOOL`.
|
|
|
|
|
|
|
|
e.g. `APC_P15_TOOL_KEYPEM`
|
|
|
|
|
|
|
|
Additionally, there is a second binary built with just the install
|
|
|
|
command so the subcommand is not needed.
|
|
|
|
|
|
|
|
There are mutually exclusive flags that allow specifying the pem
|
|
|
|
as either filenames or directly as strings. The strings are useful
|
|
|
|
for passing the pem content from another application without having
|
|
|
|
to save the pem files to disk.
|
|
|
|
|
|
|
|
Putting all of this together, you can combine the install binary with
|
|
|
|
a tool like LeGo CertHub (https://www.legocerthub.com/) to call the
|
|
|
|
install binary, with environment variables, to directly upload new
|
|
|
|
certificates as they're issued by LeGo, without having to write a
|
|
|
|
separate script.
|
|
|
|
|
|
|
|
![LeGo CertHub with APC P15 Tool](https://raw.githubusercontent.com/gregtwallace/apc-p15-tool/main/img/apc-p15-tool.png)
|
2024-02-03 18:12:59 +00:00
|
|
|
|
|
|
|
## Thanks
|
|
|
|
|
|
|
|
Special thanks to the following people and resources which helped me
|
|
|
|
deduce how all of this works:
|
|
|
|
|
|
|
|
https://github.com/dnlmengs/pemtrans
|
|
|
|
|
|
|
|
https://github.com/freddy36/apc_tools
|
|
|
|
|
|
|
|
http://lapo.it/asn1js/
|