[KB8274] Create a Certification Authority or certificates for ESET PROTECT On-Prem using the Windows command line

Solution

Prerequisites

Install OpenSSL (for Windows). OpenSSL enables you to create signed certificates.


Use the Windows command line to create a Certification Authority and certificates

  1. Generate a Certification Authority and its private key. In Command Prompt, run:

    openssl genrsa -out protect-custom-ca.key 2048
    openssl req -x509 -new -nodes -key protect-custom-ca.key -sha256 -days 3650 -out protect-custom-ca.der -outform der -subj "/CN=PROTECT Custom CA"

    You can replace the protect-custom-ca base name used for the .key and .der files with a name of your choice.

  2. Create a certificate extension file (protect.ext).

    Certificate extension file

    An extension file defines the X.509 v3 attributes that Server and Agent certificates require: their role (end-entity rather than Certification Authority, set by basicConstraints) and their identity, given by the Subject Alternative Name (SAN), which lists the DNS names or domains the certificate is valid for.

    These attributes ensure proper validation and secure communication with ESET PROTECT On-Prem.

    Run the following commands in Command Prompt. Each echo writes one line to protect.ext. Do not put quotes around the values: cmd.exe writes the quotes into the file verbatim, and OpenSSL then does not recognise the extension name.

    • For one domain:

      echo authorityKeyIdentifier=keyid,issuer >protect.ext
      echo basicConstraints=CA:FALSE >>protect.ext
      echo keyUsage=digitalSignature,keyEncipherment,dataEncipherment >>protect.ext
      echo subjectAltName=DNS:*.example.com >>protect.ext

    • For multiple domains:

      echo authorityKeyIdentifier=keyid,issuer >protect.ext
      echo basicConstraints=CA:FALSE >>protect.ext
      echo keyUsage=digitalSignature,keyEncipherment,dataEncipherment >>protect.ext
      echo subjectAltName=DNS:example.com,DNS:*.example.com,DNS:api.example.net >>protect.ext

    Replace:

    • In authorityKeyIdentifier:
      • keyid
      • issuer

      Replace these with actual values generated by OpenSSL for your Certification Authority.

    • In subjectAltName:
      • the example domains with the DNS names or domains used in your environment

    Do not change the following lines, as they are mandatory for ESET PROTECT:

    • basicConstraints=CA:FALSE
    • keyUsage=digitalSignature,keyEncipherment,dataEncipherment

  3. Generate the certificate and its private key, and export it to a .pfx file.

    Common Name string

    The Common Name (CN) must contain the word Server or Agent, depending on the certificate type.

    Run the following commands in Command Prompt:

    • For an ESET PROTECT Server certificate:

      openssl genrsa -out protect-server.key 2048
      openssl req -new -key protect-server.key -subj "/CN=PROTECT Server" | openssl x509 -req -CA protect-custom-ca.der -CAkey protect-custom-ca.key -CAform DER -CAcreateserial -out protect-server.crt -days 1825 -sha256 -extfile protect.ext
      openssl pkcs12 -export -out protect-server.pfx -inkey protect-server.key -in protect-server.crt -passout pass:password

      Replace password with a strong password of your choice.

    • For an ESET Management Agent certificate:

      openssl genrsa -out protect-agent.key 2048
      openssl req -new -key protect-agent.key -subj "/CN=PROTECT Agent" | openssl x509 -req -CA protect-custom-ca.der -CAkey protect-custom-ca.key -CAform DER -CAcreateserial -out protect-agent.crt -days 1825 -sha256 -extfile protect.ext
      openssl pkcs12 -export -out protect-agent.pfx -inkey protect-agent.key -in protect-agent.crt -passout pass:password

      Replace password with a strong password of your choice.

    The -CAcreateserial option creates the Certification Authority's serial-number file (protect-custom-ca.srl) the first time a certificate is signed; older OpenSSL releases refuse to sign when that file does not yet exist.
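The whole procedure, followed by the checks worth running before importing the .pfx into ESET PROTECT On-Prem, as an added example that is not part of the ESET article: a POSIX shell script (for Git Bash or WSL rather than cmd.exe) that runs the same OpenSSL commands and then verifies the chain, the CN, the mandatory extensions, the SAN and the .pfx password. It assumes openssl is on PATH; the file names follow the KB, and the example.com names and the demo password are constructed.

```shell
#!/bin/sh
# Added example, not from the ESET KB: reproduce the three steps in a scratch
# directory, then verify the result before importing it into ESET PROTECT.
# Assumes openssl is on PATH; file names follow the KB (protect-custom-ca.*, protect.ext, protect-server.*).
set -eu

# $1 = work dir, $2 = SAN list (e.g. DNS:a.example.com,DNS:*.example.com), $3 = PFX password
build_protect_pki() (
  mkdir -p "$1" && cd "$1"
  # Step 1: Certification Authority, DER-encoded as in the KB
  openssl genrsa -out protect-custom-ca.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key protect-custom-ca.key -sha256 -days 3650 \
    -out protect-custom-ca.der -outform der -subj "/CN=PROTECT Custom CA"
  # Step 2: extension file, one option per line and no quotes around the values;
  # authorityKeyIdentifier=keyid,issuer is written verbatim, OpenSSL resolves it from the CA at signing time
  printf '%s\n' "authorityKeyIdentifier=keyid,issuer" "basicConstraints=CA:FALSE" \
    "keyUsage=digitalSignature,keyEncipherment,dataEncipherment" \
    "subjectAltName=$2" >protect.ext
  # Step 3: server key, CSR piped straight into x509 -req, then the .pfx for import
  openssl genrsa -out protect-server.key 2048 2>/dev/null
  openssl req -new -key protect-server.key -subj "/CN=PROTECT Server" |
    openssl x509 -req -CA protect-custom-ca.der -CAkey protect-custom-ca.key -CAform DER \
      -CAcreateserial -out protect-server.crt -days 1825 -sha256 -extfile protect.ext 2>/dev/null
  openssl pkcs12 -export -out protect-server.pfx -inkey protect-server.key \
    -in protect-server.crt -passout "pass:$3"
)

# $1 = work dir, $2 = certificate file, $3 = role word the CN must carry (Server|Agent),
# $4 = one DNS name the SAN must list, $5 = PFX password. Returns 0 only if every check passes.
verify_protect_cert() (
  cd "$1"
  openssl x509 -in protect-custom-ca.der -inform der -out ca.pem    # verify(1) wants PEM
  openssl verify -CAfile ca.pem "$2" >/dev/null 2>&1 || return 1     # chains to our CA
  text=$(openssl x509 -in "$2" -noout -text)
  printf '%s\n' "$text" | grep -q  "Subject: CN *= *PROTECT $3"      || return 1
  printf '%s\n' "$text" | grep -q  "CA:FALSE"                         || return 1
  printf '%s\n' "$text" | grep -q  "Digital Signature, Key Encipherment, Data Encipherment" || return 1
  printf '%s\n' "$text" | grep -qF "DNS:$4"                           || return 1
  # the .pfx must open with the password that will be entered into ESET PROTECT
  openssl pkcs12 -in "${2%.crt}.pfx" -passin "pass:$5" -nokeys -noout >/dev/null 2>&1
)

# Demo: sh protect-pki.sh /tmp/protect-pki
if [ $# -gt 0 ]; then
  build_protect_pki "$1" "DNS:example.com,DNS:*.example.com" "ChangeMe-Demo-Pass" >/dev/null
  verify_protect_cert "$1" protect-server.crt Server "*.example.com" "ChangeMe-Demo-Pass" \
    && echo "protect-server.crt: all checks passed" || echo "protect-server.crt: FAILED"
fi
```

The same checks apply to protect-agent.crt with the role word Agent; a certificate whose CN lacks the role word, whose SAN omits a name, or whose .pfx password is wrong fails the function.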