[KB6824] "Peer certificate is going to expire" error in ESET Security Management Center (7.x)

Issue

Required user permissions

This article assumes that you have the appropriate access rights and permissions to perform the tasks below.

If you use the default Administrator user or are unable to perform the tasks below (the option is unavailable), create a second administrator user with all access rights.

ESET business product in Limited Support status

This article applies to an ESET product version that is currently in Limited Support status and is scheduled to reach End of Life status soon.

For a complete list of supported products and support level definitions, review the ESET End of Life Policy for business products.

Upgrade ESET business products.

  • “Peer certificate is going to expire” or “Peer certificate is invalid” message in ESMC Web Console
  • Endpoints stop checking in to ESET Security Management Center

Figure 1-1

Details

As part of the installation process, ESET Security Management Center requires that you create a peer certificate authority and a peer certificate for Agents. These certificates are used to authenticate products distributed under your license. 

What happens when the Agent certificate expires?

The Agent itself gives no notification, but the ESMC Web Console shows warnings for 30 days prior to expiration. Once the certificate has expired, the Agent still attempts to connect but fails, and client computers are not removed automatically; however, if the server task Delete not connecting computers is configured, it will eventually remove them.


Solution

See the following article if you do not know how to create a new peer certificate or Certification Authority:

Certificates contained in Static Group All:

Peer certificates and Certification Authority created during the installation are by default contained in the static group All.

Scenario 1: Agent Certificate is going to expire

Agents are still connecting to ESMC Server. Replace the Agent certificate before it reaches its expiration date.

  1. Create a new Agent peer certificate.
  2. Create and apply a new ESET Management Agent policy and distribute the newly created Agent peer certificate.

Do not delete the old certificate until the new certificate is applied on all Agents.

Scenario 2: Agent Certificate is invalid (expired)

If Agents cannot connect to ESMC Server, redeploy the ESET Management Agent on all machines that use the expired Agent certificate.

  1. Create a new Agent peer certificate:
     • After the Agent certificate is created, it is available in the Certificates list (More → Certificates → Peer Certificates) for use when installing the Agent.
  2. Redeploy the Agent with the new Agent peer certificate.

Scenario 3: Server Certificate is expiring soon

If the Certification Authority is expired too, proceed with Scenario 5 instead of this scenario.

  1. Create a new Server certificate (select Server from the Product drop-down menu).
  2. Select your new ESMC Server certificate.

Scenario 4: Server Certificate is invalid (expired)

Agents cannot connect to ESMC Server because the Server certificate is expired. After setting up a new Server certificate, Agents with a valid certificate will be able to connect to ESMC Server.

If the Certification Authority is expired too, proceed with Scenario 6 instead of this scenario.

  1. Create a new Server certificate (select Server from the Product drop-down menu).
  2. Select your new ESMC Server certificate.

Scenario 5: Certification Authority is expiring soon

Agents are still connecting to ESMC Server. However, after you create a new Certification Authority (CA), all certificates you use must be replaced: Server, Agent, MDM, Virtual Agent Host.

  1. Create a new CA and be sure to use a new Common Name different from the expired CA.
  2. Create a new Server certificate (select Server from the Product drop-down menu) and sign it with the newly created CA.
  3. Create new certificates for other product components as needed (Agent, MDM, Virtual Agent Host).
  4. Create and apply a new ESET Management Agent policy and distribute the newly created Agent peer certificate.
  5. Apply other peer certificates using policies.
  6. Wait for replication of the new certificate and certification authority to all Agents.
  7. Wait for replication of the new certificate and certification authority to all other product components (if used).
  8. Select your new ESMC Server certificate.

Do not delete the expiring CA until new certificates are applied on all components.

Scenario 6: Certification Authority is invalid (expired)

Agents cannot connect to ESMC Server. Create a new certification authority (CA). All certificates you use must be replaced: Server, Agent, MDM, Virtual Agent Host.

  1. Create a new CA and be sure to use a new Common Name different from the expired CA.
  2. Create a new Server certificate (select Server from the Product drop-down menu) and sign it with the newly created CA.
  3. Create new certificates for other product components as needed (Agent, MDM, Virtual Agent Host).
  4. Redeploy the Agent with the new Agent peer certificate.
  5. Select your new ESMC Server certificate.
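
To see how the six scenarios fit together when several certificates age at once, the following triage script is an added example (not ESET's code and not part of this article); the Cert class, the triage function, the certificate names and the dates are all constructed for illustration. It encodes the two rules the scenarios rely on: the 30-day warning window before expiration, and the precedence of an expiring or expired Certification Authority, which forces every certificate it signed into Scenario 5 or 6 regardless of their own state.

```python
"""Certificate-expiry triage for an ESMC deployment.

Added example (not ESET's code): applies the article's rules, the 30-day
warning window and the six scenarios, to a constructed certificate inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The ESMC Web Console warns for 30 days before a peer certificate expires.
WARNING_WINDOW = timedelta(days=30)

# Scenario number from the article for each (component, state) that has one.
SCENARIO = {
    ("Agent", "expiring"): 1,
    ("Agent", "expired"): 2,
    ("Server", "expiring"): 3,
    ("Server", "expired"): 4,
    ("CA", "expiring"): 5,
    ("CA", "expired"): 6,
}


@dataclass(frozen=True)
class Cert:
    kind: str            # "CA", "Agent", "Server", "MDM" or "Virtual Agent Host"
    common_name: str
    not_after: datetime  # expiry instant, timezone-aware (UTC)


def lifetime_state(cert: Cert, now: datetime) -> str:
    """Return 'expired', 'expiring' (inside the 30-day warning window) or 'valid'."""
    if cert.not_after <= now:
        return "expired"
    if cert.not_after - now <= WARNING_WINDOW:
        return "expiring"
    return "valid"


def triage(inventory: list, now: datetime) -> dict:
    """Map each common name that needs attention to (state, scenario number).

    The CA dominates: once it is expiring or expired, every certificate it
    signed must be reissued, so every entry falls under Scenario 5 or 6 (the
    article's "proceed with Scenario 5/6 instead" rule). Otherwise Agent and
    Server certificates get their own scenario; MDM and Virtual Agent Host
    certificates are flagged with scenario None because the article replaces
    them through policies without a dedicated scenario. Valid certificates are
    omitted unless the CA forces a full replacement.
    """
    ca = next(c for c in inventory if c.kind == "CA")
    ca_state = lifetime_state(ca, now)
    if ca_state != "valid":
        scenario = SCENARIO[("CA", ca_state)]
        return {c.common_name: (lifetime_state(c, now), scenario) for c in inventory}

    findings = {}
    for cert in inventory:
        state = lifetime_state(cert, now)
        if state == "valid":
            continue
        findings[cert.common_name] = (state, SCENARIO.get((cert.kind, state)))
    return findings


# Constructed inventory (not real ESMC data), evaluated at a fixed instant so
# the outcome is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

INVENTORY_CA_VALID = [
    Cert("CA", "ESMC CA", datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Cert("Server", "esmc-server", datetime(2024, 6, 20, tzinfo=timezone.utc)),    # 19 days left
    Cert("Agent", "agent-cert-2022", datetime(2024, 5, 15, tzinfo=timezone.utc)),  # already expired
    Cert("Agent", "agent-cert-2024", datetime(2025, 6, 1, tzinfo=timezone.utc)),   # a year left
    Cert("MDM", "mdm-cert", datetime(2024, 6, 10, tzinfo=timezone.utc)),           # 9 days left
]

# Same components, but the CA that signed them has itself expired.
INVENTORY_CA_EXPIRED = [
    Cert("CA", "ESMC CA (old)", datetime(2024, 5, 1, tzinfo=timezone.utc)),
] + INVENTORY_CA_VALID[1:]


if __name__ == "__main__":
    for label, inventory in (("CA valid", INVENTORY_CA_VALID),
                             ("CA expired", INVENTORY_CA_EXPIRED)):
        print(label)
        for cn, (state, scenario) in triage(inventory, NOW).items():
            print(f"  {cn}: {state}, scenario {scenario}")
```

With the CA still valid the script reports the Server certificate under Scenario 3, the old Agent certificate under Scenario 2 and the MDM certificate as needing a policy-based replacement; with the expired CA every certificate, including the one that is still valid, is pulled into Scenario 6, which is exactly why the article tells you to keep the expiring CA until the new certificates have reached all components.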

Troubleshooting logs

When a client computer does not appear to be connecting to your ESMC Server, we recommend that you perform ESET Management Agent troubleshooting locally on the client machine. See the following ESET Online Help topic for more information.