[KB8566] "Peer certificate is going to expire" error in ESET PROTECT On-Prem

Issue

  • Endpoints stop checking in to ESET PROTECT On-Prem
  • “Peer certificate is going to expire” or “Peer certificate is invalid” message in ESET PROTECT On-Prem

Required user permissions

This article assumes that you have the appropriate access rights and permissions to perform the tasks below.

If you are unable to perform the tasks below (the option is unavailable), create a second administrator user in ESET PROTECT or ESET PROTECT On-Prem with all access rights.

Details


As part of the installation process, ESET PROTECT On-Prem requires that you create a Certification Authority and Peer Certificate for Agents. These certificates are used to authenticate applications distributed under your subscription.

If the Agent certificate expires, the Agent itself does not notify you, but ESET PROTECT On-Prem shows warnings for 30 days before expiration. After expiration, the Agent keeps attempting to connect but fails, and client computers are not removed automatically. Because they no longer connect, the server task "Delete not connecting computers" will eventually remove them if it is configured to do so.

See the Online Help topic Expiring Certificate—reporting and replacement for more information.


Solution

See how to create a new Certification Authority and Peer Certificate in ESET PROTECT On-Prem.

Certificates are contained in the static group All

Peer Certificates and a Certification Authority created during installation are, by default, contained in the static group labeled All.


Scenario 1: The Agent certificate is expiring soon

When the Agents are connecting to the ESET PROTECT Server, ensure that a new Agent Peer Certificate is created before the original one expires.

Do not delete the old certificate

Apply the new certificate to all the Agents, then delete the old certificate.

  1. Create a new Certification Authority and Peer Certificate in ESET PROTECT On-Prem.

  2. Create and apply a new ESET Management Agent policy and distribute the newly created Agent Peer Certificate.


Scenario 2: The Agent certificate is invalid (expired)

If the Agents cannot connect to the ESET PROTECT Server, redeploy the ESET Management Agent on all the endpoints that use the expired Agent certificate.

  1. Create a new Certification Authority and Peer Certificate in ESET PROTECT On-Prem.

  2. Deploy the ESET Management Agent using ESET PROTECT or ESET PROTECT On-Prem.


Scenario 3: The Server certificate is expiring soon

The Certification Authority is also expired

If the Certification Authority is expired too, proceed with Scenario 5 instead of this scenario.

  1. Create a new Server certificate. Select Server from the Component drop-down menu.

  2. Set your new ESET PROTECT Server certificate.


Scenario 4: The Server certificate is invalid (expired)

The Certification Authority is also expired

If the Certification Authority is expired too, proceed with Scenario 6 instead of this scenario.

The Agents cannot connect to the ESET PROTECT Server because the Server certificate is expired. After setting up a new Server certificate, Agents with a valid certificate will be able to connect to the ESET PROTECT Server.

  1. Create a new Server certificate. Select Server from the Component drop-down menu.

  2. Set your new ESET PROTECT Server certificate.


Scenario 5: The Certification Authority is expiring soon

The Agents are connecting to the ESET PROTECT Server, but after a new Certification Authority is created, all certificates you use must be replaced: Server, Agent, and Virtual Agent Host.

Do not delete the expiring Certification Authority

Apply the new certificates to all the components, then delete the expiring Certification Authority.

  1. Create a new Certification Authority and use a new Common name that differs from the expired Certification Authority's Common name.

  2. Create a new Server certificate. Select Server from the Component drop-down menu and sign it with the newly created Certification Authority.

  3. Create new certificates for other application components as needed (Agent and Virtual Agent Host).

  4. Create and apply a new ESET Management Agent policy and distribute the newly created Agent Peer Certificate.

  5. Apply other Peer Certificates using policies.

  6. Wait for replication of the new certificate and Certification Authority to all Agents.

  7. Wait for replication of the new certificate and Certification Authority to all other application components.

  8. Set your new ESET PROTECT Server certificate.


Scenario 6: The Certification Authority is invalid (expired)

The Agents cannot connect to the ESET PROTECT Server. Create a new Certification Authority. All certificates you use must be replaced: Server, Agent, and Virtual Agent Host.

  1. Create a new Certification Authority and use a new Common name that differs from the expired Certification Authority's Common name.

  2. Create a new Server certificate. Select Server from the Component drop-down menu and sign it with the newly created Certification Authority.

  3. Create new certificates for other application components as needed (Agent and Virtual Agent Host).

  4. Deploy the ESET Management Agent using ESET PROTECT or ESET PROTECT On-Prem.

  5. Set your new ESET PROTECT Server certificate.
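The six scenarios above form one decision procedure: the Certification Authority is checked first, because an expired or expiring CA forces replacement of every certificate, and the 30-day warning window from the Details section decides between "expiring" and "expired". The following Python helper, added here as an illustration and not part of ESET's product or this KB, applies that decision to the "Valid to" dates of the CA, Server and Agent certificates. The ordering between a Server and an Agent problem when both exist is an assumption (the Server certificate is handled first, since Agents cannot connect at all while it is expired).

```python
from datetime import datetime, timedelta, timezone

# The console warns for 30 days before a certificate expires (see Details above).
WARNING_WINDOW = timedelta(days=30)


def cert_state(not_after: datetime, now: datetime) -> str:
    """Classify one certificate as 'expired', 'expiring' (inside the 30-day window) or 'valid'."""
    if now >= not_after:
        return "expired"
    if not_after - now <= WARNING_WINDOW:
        return "expiring"
    return "valid"


def pick_scenario(ca_not_after, server_not_after, agent_not_after, now=None):
    """Return (scenario number or None, short reason) for the given 'Valid to' dates.

    CA problems take precedence over Server and Agent problems because a new CA
    invalidates every certificate signed by the old one (Scenarios 5 and 6).
    Assumption: a Server problem is reported before an Agent problem when both exist.
    """
    now = now or datetime.now(timezone.utc)
    ca, server, agent = (cert_state(d, now) for d in (ca_not_after, server_not_after, agent_not_after))
    if ca == "expired":
        return 6, "CA expired: new CA, replace all certificates, redeploy Agents, set new Server certificate"
    if ca == "expiring":
        return 5, "CA expiring: new CA, replace all certificates via policies, delete old CA only after replication"
    if server == "expired":
        return 4, "Server certificate expired: create and set a new Server certificate"
    if server == "expiring":
        return 3, "Server certificate expiring: create and set a new Server certificate before expiry"
    if agent == "expired":
        return 2, "Agent certificate expired: new Agent certificate, redeploy the Agent"
    if agent == "expiring":
        return 1, "Agent certificate expiring: new Agent certificate via policy, delete old one only afterwards"
    return None, "all certificates valid and outside the 30-day warning window"


def demo():
    """Run the classifier on constructed sample dates (not taken from any real console)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    far, soon, past = now + timedelta(days=365), now + timedelta(days=10), now - timedelta(days=1)
    return {
        "agent_expiring": pick_scenario(far, far, soon, now)[0],   # 1
        "server_expired": pick_scenario(far, past, far, now)[0],   # 4
        "ca_expired": pick_scenario(past, soon, far, now)[0],      # 6, CA wins over Server
        "all_valid": pick_scenario(far, far, far, now)[0],         # None
    }
```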


Troubleshooting logs

When a client computer does not appear to be connecting to your ESET PROTECT Server, we recommend that you perform ESET Management Agent troubleshooting locally on the client endpoint. See the Online Help topic Troubleshooting—Agent connection for more information.