[KB8274] Create a new custom certificate or Certification Authority for ESET PROTECT (8.x – 10.x)


MDM and self-signed certificates

If you manage mobile devices, ESET does not recommend using self-signed certificates (including certificates signed by ESET PROTECT Certification Authority), because not all mobile devices let users accept self-signed certificates.

ESET recommends using a custom certificate provided by a third-party Certification Authority (CA).

  1. You need to have OpenSSL version 1.1.1 (for Windows) installed. The OpenSSL application enables you to create signed certificates.

  2. Generate  the .key file and certificate for CA. Run the following code in the Command Prompt. You can substitute the protect-custom-ca.key and protect-custom-ca.der filename with your custom name.

openssl genrsa -out protect-custom-ca.key 2048
openssl req -x509 -new -nodes -key protect-custom-ca.key -sha256 -days 3650 -out protect-custom-ca.der -outform der -subj "/CN=PROTECT Custom CA"
  1.  Create the ESET PROTECT certificate extensions file.
keyUsage and subjectAltName values

Make sure that you use the values provided in the example above: 

  • keyUsage=digitalSignature,keyEncipherment,dataEncipherment
  • Subject Alternative Name (SAN) should be defined as DNS:* for ESET PROTECT Server and subjectAltName=DNS:* for all Agents
echo authorityKeyIdentifier=keyid,issuer >protect.ext
echo basicConstraints=CA:FALSE >>protect.ext
echo keyUsage=digitalSignature,keyEncipherment,dataEncipherment >>protect.ext
echo subjectAltName=DNS:* >>protect.ext
  1. Generate key and certificate for ESET PROTECT Server and export to .pfx file. Replace the password with a proper password.
Common Name (CN) string

The Common Name (CN) must contain one of these strings: "server" or "agent"depending on which Certificate Request you want to create.

openssl genrsa -out protect-server.key 2048
openssl req -new -key protect-server.key -subj "/CN=PROTECT Server" | openssl x509 -req -CA protect-custom-ca.der -CAkey protect-custom-ca.key -CAform DER -out protect-server.crt -days 1825 -sha256 -extfile protect.ext
openssl pkcs12 -export -out protect-server.pfx -inkey protect-server.key -in protect-server.crt -passout pass:password
  1. Generate key and certificate for ESET Management Agent and export to .pfx file. Replace the password with a proper password.
openssl genrsa -out protect-agent.key 2048
openssl req -new -key protect-agent.key -subj "/CN=PROTECT Agent" | openssl x509 -req -CA protect-custom-ca.der -CAkey protect-custom-ca.key -CAform DER -out protect-agent.crt -days 1825 -sha256 -extfile protect.ext
openssl pkcs12 -export -out protect-agent.pfx -inkey protect-agent.key -in protect-agent.crt -passout pass:password