[KB6804] Create a new custom certificate or certification authority for ESET Security Management Center (7.x)

Solution

ESET business product in Limited Support status

This article applies to an ESET product version that is currently in Limited Support status and is scheduled to reach End of Life status soon.

For a complete list of supported products and support level definitions, review the ESET End of Life Policy for business products.

Upgrade ESET business products.

  1. You need to have OpenSSL version 1.1.1g (for Windows) installed. The OpenSSL application allows you to create signed certificates.

  2. Generate the .key file and certificate for the CA. Run the following commands in the Command Prompt. You can substitute the emsc-custom-ca.key and emsc-custom-ca.der filenames with your own names; if you do, use the same names in the later steps.

openssl genrsa -out emsc-custom-ca.key 2048
openssl req -x509 -new -nodes -key emsc-custom-ca.key -sha256 -days 3650 -out emsc-custom-ca.der -outform der -subj "/CN=ESMC Custom CA"
  3. Create the ESMC certificate extensions file.
keyUsage and subjectAltName values
Make sure that you use the values provided in the example below:
  • keyUsage=digitalSignature,keyEncipherment,dataEncipherment
  • Subject Alternative Name (SAN) should be defined as DNS:* for ESMC Server and subjectAltName=DNS:* for all Agents.
echo authorityKeyIdentifier=keyid,issuer >esmc.ext
echo basicConstraints=CA:FALSE >>esmc.ext
echo keyUsage=digitalSignature,keyEncipherment,dataEncipherment >>esmc.ext
echo subjectAltName=DNS:* >>esmc.ext
  4. Generate the key and certificate for the ESMC Server and export them to a .pfx file. Replace password in -passout pass:password with a proper password.
Common Name (CN) string

The Common Name (CN) must contain one of these strings: "server" or "agent", depending on which Certificate Request you want to create.

openssl genrsa -out esmc-server.key 2048
openssl req -new -key esmc-server.key -subj "/CN=ESMC Server" | openssl x509 -req -CA emsc-custom-ca.der -CAkey emsc-custom-ca.key -CAform DER -out esmc-server.crt -days 1825 -sha256 -extfile esmc.ext
openssl pkcs12 -export -out esmc-server.pfx -inkey esmc-server.key -in esmc-server.crt -passout pass:password
  5. Generate the key and certificate for the ESMC Agent and export them to a .pfx file. Replace password in -passout pass:password with a proper password.
openssl genrsa -out esmc-agent.key 2048
openssl req -new -key esmc-agent.key -subj "/CN=ESMC Agent" | openssl x509 -req -CA emsc-custom-ca.der -CAkey emsc-custom-ca.key -CAform DER -out esmc-agent.crt -days 1825 -sha256 -extfile esmc.ext
openssl pkcs12 -export -out esmc-agent.pfx -inkey esmc-agent.key -in esmc-agent.crt -passout pass:password
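
The following Python check is an added example, not ESET's code: it reads the text dump produced by `openssl x509 -in esmc-server.crt -noout -text` and lists every deviation from the keyUsage, subjectAltName, basicConstraints and CN requirements stated above. The sample dump is constructed, the function names are hypothetical, and matching the CN case-insensitively is an assumption.

```python
import re

# Requirements come from the article's notes. Matching the CN case-insensitively
# is an assumption (the article's own CNs are "ESMC Server" / "ESMC Agent").
REQUIRED_KEY_USAGE = {"Digital Signature", "Key Encipherment", "Data Encipherment"}

# Constructed sample of `openssl x509 -noout -text` output (not a real certificate).
SAMPLE = """\
Certificate:
        Issuer: CN = ESMC Custom CA
        Subject: CN = ESMC Server
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:00:11:22
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:*
"""

def parse_cert_text(text):
    """Return (subject CN, {extension name: value line}) from the text dump."""
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    cn = m.group(1).strip() if m else ""
    ext, lines = {}, text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\s*X509v3 ([A-Z][A-Za-z ]+):\s*(critical)?\s*$", line)
        if m:  # the value is printed on the line after the extension name
            ext[m.group(1)] = lines[i + 1].strip()
    return cn, ext

def check_esmc_cert(text):
    """Return a list of deviations from the article; empty means it matches."""
    cn, ext = parse_cert_text(text)
    problems = []
    if not any(role in cn.lower() for role in ("server", "agent")):
        problems.append("CN must contain 'server' or 'agent'")
    usage = {u.strip() for u in ext.get("Key Usage", "").split(",")}
    if usage != REQUIRED_KEY_USAGE:
        problems.append("keyUsage is not digitalSignature,keyEncipherment,dataEncipherment")
    if ext.get("Subject Alternative Name") != "DNS:*":
        problems.append("subjectAltName is not DNS:*")
    if ext.get("Basic Constraints") != "CA:FALSE":
        problems.append("basicConstraints is not CA:FALSE")
    return problems

print(check_esmc_cert(SAMPLE) or "OK")
```

To check a real certificate, save the `-noout -text` output to a file and pass its contents to `check_esmc_cert()`; run it once for the server certificate and once for the agent certificate.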