Issue
- Requirements for the creation of ESET Inspect Server certificates in ESET PROTECT On-Prem
- Import the ESET Inspect Server certificate from a file during the ESET Inspect Server installation
Details
Click to expand
An Inspect Server certificate is required for a successful installation of the ESET Inspect Server. During the installation, you are prompted to use one. You can either import the certificate from a file or use one from ESET PROTECT On-Prem.
After you set up the ESET Inspect Server certificate, continue to configure the certificate for the HTTPS/SSL connection between the ESET Inspect Web Console and the web browser. You can choose one of the following options:
- Get the ESET Inspect Web Console certificate from ESET PROTECT On-Prem
- Import the ESET Inspect Web Console certificate from a file
- Use the ESET Inspect Server certificate (the certificate you selected in the previous installation step)
Solution
Requirements for the creation of ESET Inspect Server certificates in ESET PROTECT On-Prem
By default, when you create a Peer Certificate in ESET PROTECT On-Prem, the Host field is set to *, which makes the certificate’s Common Name (CN) and Subject Alternative Name (SAN) equal to a single asterisk. ESET Inspect does not support certificates where the Common Name (CN) or Subject Alternative Name (SAN) is just *. Instead, you must use the actual hostname or IP address of the ESET Inspect Server in the Host field.
Format
- Certificates must be in the PKCS #12 format. PKCS #12 is a file format for storing multiple cryptographic objects in a single file, such as certificates. Files in the PKCS #12 format usually have the
.pfxor.p12extension. - Certification Authorities are stored in the X.509 format (that is, in files with the
.derextension), which is another file format frequently used in cryptography.
Common Name (CN) and Subject Alternative Name (SAN) rules
These rules apply to the Common Name (CN) in the main certificate, the Subject Alternative Name (SAN) entries, and the Common Name (CN) and Subject Alternative Name (SAN) in any additional certificates included in the PKCS #12 file.
- Common Name (CN) and Subject Alternative Name (SAN) must include a real hostname or IP address
- Not allowed:
*(just a single asterisk) - Allowed:
*.yourcompany.comoryourcompany.*.hq.com
(Wildcards are allowed only as part of a domain name, not as the entire hostname.)
Mandatory parameters for creating a Peer Certificate
- Component: ESET Inspect Server
- Host: real IP Address of the ESET Inspect Server
To allow connections from other networks, add multiple IP addresses or hostnames separated by a space, comma, or semicolon. Example:192.168.20.22;10.1.183.88 - No semicolons (
;) in file or folder names for certificate paths (semicolons are used as separators for multiple certificates)
Import the ESET Inspect Server certificate from a file during the ESET Inspect Server installation
-
On the first Server certificate screen in the ESET Inspect Server installer, select Import the certificate from a file and click Next.
Figure 1-1 -
In the Server certificate field, define the path to the file with the ESET Inspect Server Certificate (
.pfxfile): type or paste the path to the file or click Change to navigate to the file location and select the file manually. If required, in the Certificate password field, type the certificate password.
Figure 1-2 -
In the Certification Authority field, define the path to the file with the certification authority (
.derfile): type or paste the path to the file or click Change to navigate to the file location and select the file manually. Click Next.
Figure 1-3
