apc-p15-tool/README.md

109 lines
4.1 KiB
Markdown
Raw Normal View History

2024-01-26 01:20:07 +00:00
# APC P15 Tool
2024-01-27 16:55:34 +00:00
A tool to create APC p15 formatted certificates from pem files, without
2024-01-26 01:20:07 +00:00
having to use APC's closed-source tool, APC generated keys, or other
proprietary tools (such as cryptlib).
2024-02-04 14:36:15 +00:00
## Compatibility Notice
This tool's create functionality is modeled from the APC NMCSecurityWizardCLI
aka `NMC Security Wizard CLI Utility`. The files it generates should be
comaptible with any UPS that accepts p15 files from that tool. Only RSA 1,024
and 2,048 bit keys are accepted. 1,024 bit RSA is no longer considered
completely secure; avoid keys of this size if possible. Most (all?) public
ACME services won't accept keys of this size anyway.
2024-02-04 14:36:15 +00:00
The install functionality is a custom creation of mine so it may or may not
work depending on your exact setup. My setup (and therefore the testing
setup) is:
- APC Smart-UPS 1500VA RM 2U SUA1500RM2U (Firmware Revision 667.18.D)
- AP9631 NMC2 Hardware Revision 05 running AOS v7.0.4 and Boot Monitor
v1.0.9.
If you have problems you can post the log in an issue and I can try to fix it
but it may be difficult without your particular hardware to test with.
In particular, if you are experiencing `ssh: handshake failed:` first try
using the `--insecurecipher` flag. If this works, you should upgrade your
NMC to a newer firmware which includes secure ciphers. You should NOT automate
your environment using this flag as SSH over these ciphers is broken and
exploitable. If this also does not work, please run `ssh -vv myups.example.com`
and include the `peer server KEXINIT proposal` in your issue. For example:
2024-02-04 14:36:15 +00:00
```
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
debug2: ciphers stoc: aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha1
debug2: MACs stoc: hmac-sha2-256,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
```
2024-01-27 16:55:34 +00:00
## Usage
2024-01-26 01:20:07 +00:00
2024-02-03 15:54:32 +00:00
Currently the tool contains two commands: create and install. The tool
can be run with the --help flag to see options.
2024-01-27 16:55:34 +00:00
2024-02-03 15:54:32 +00:00
i.e. `./apc-p15-tool --help`
Help can also be run on a subcommand to see the options for that
subcommand.
e.g. `./apc-p15-tool install --help`
### Create
Create creates an apc p15 file from given key and cert pem files or
content.
e.g. `./apc-p15-tool create --keyfile ./apckey.pem --certfile ./apccert.pem`
The command outputs ./apctool.p15 by default. This file can be
directly loaded on to an APC NMC2 (Network Management Card 2).
### Install
Install works similarly to create except it doesn't save the p15 file
to disk. It instead uploads the p15 file directly to the specified
remote host, via scp.
e.g. `./apc-p15-tool install --keyfile ./apckey.pem --certfile ./apccert.pem --apchost myapc.example.com:22 --username apc --password someSecret --fingerprint 123abc`
## Note About Install Automation
The application supports passing all args instead as environment
variables by prefixing the flag name with `APC_P15_TOOL`.
e.g. `APC_P15_TOOL_KEYPEM`
Additionally, there is a second binary built with just the install
command so the subcommand is not needed.
There are mutually exclusive flags that allow specifying the pem
as either filenames or directly as strings. The strings are useful
for passing the pem content from another application without having
to save the pem files to disk.
Putting all of this together, you can combine the install binary with
2024-04-15 23:36:35 +00:00
a tool like Cert Warden (https://www.certwarden.com/) to call the
2024-02-03 15:54:32 +00:00
install binary, with environment variables, to directly upload new
2024-04-15 23:36:35 +00:00
certificates as they're issued by Cert Warden, without having to write a
2024-02-03 15:54:32 +00:00
separate script.
2024-04-15 23:36:35 +00:00
![Cert Warden with APC P15 Tool](https://raw.githubusercontent.com/gregtwallace/apc-p15-tool/main/img/apc-p15-tool.png)
2024-02-03 18:12:59 +00:00
## Thanks
Special thanks to the following people and resources which helped me
deduce how all of this works:
https://github.com/dnlmengs/pemtrans
https://github.com/freddy36/apc_tools
http://lapo.it/asn1js/