[KB8515] Enable the OpenSSL 3.x support for ESET PROTECT On-Prem

Issue

Solution

Certificate error for agents using older OSs

After OpenSSL 3.0, the ESET PROTECT Server, and ESET PROTECT On-Prem have been installed, a certificate error occurs when you attempt to install and connect agents running an older OS, for example, Windows 8.1 or earlier.

Figure 1-1
  1. Disable Advanced security in the server settings and restart the server service.

  2. Generate a new Certificate Authority (CA). Generate a new peer certificate signed with the new CA.

  3. Enable Advanced security.

  4. Select the new certificate when generating installers or deploying agents using the agent deployment task.
    Client machines on newer operating systems

    On client machines running newer operating systems, for example, Windows 10 and later, do not use the Certificate Authority or peer certificates that were created while Advanced security was disabled, as security may be compromised.

  5. Create a new agent policy to distribute the new certificates to clients on an older OS.
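
To confirm which exported certificate belongs to which client group before assigning it in an agent policy, the following added example (not ESET's own tooling) reads each certificate's signature algorithm with the openssl command line. It assumes that certificates generated while Advanced security was disabled are SHA-1-signed and those generated with it enabled are SHA-256-signed; the file names and the labels `legacy-only` and `newer-clients-ok` are hypothetical.

```shell
#!/bin/sh
# Added example: classify exported certificates by signature digest before
# assigning them in an agent policy. File names and labels are hypothetical.

# Print the signature algorithm of a certificate file (PEM or DER encoded).
sig_alg() {
    for form in PEM DER; do
        out=$(openssl x509 -inform "$form" -in "$1" -noout -text 2>/dev/null) || continue
        printf '%s\n' "$out" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
        return 0
    done
    return 1
}

# Map a signature algorithm name to the client group it may be sent to.
# Assumption: certificates created while Advanced security was disabled
# carry a SHA-1 signature; those created with it enabled carry SHA-256.
classify_sig() {
    case "$1" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo "legacy-only" ;;
        *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) echo "newer-clients-ok" ;;
        *) echo "unknown" ;;
    esac
}

# Report one certificate: file name, algorithm, permitted client group.
check_cert() {
    alg=$(sig_alg "$1") || { echo "$1: not a readable certificate" >&2; return 2; }
    echo "$1: $alg -> $(classify_sig "$alg")"
}

# Usage: sh check_certs.sh exported-ca.der exported-peer.pem
for f in "$@"; do check_cert "$f"; done
```

A certificate reported as `legacy-only` belongs only in the policy for clients on an older OS; peer certificates exported as .pfx must first be converted to PEM or DER.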

Upgrade OpenSSL 1.1.1 to OpenSSL 3.0 

Existing ESET PROTECT On-Prem environments that use OpenSSL 1.1.1 can upgrade to OpenSSL 3.0.

  1. Install OpenSSL 3.0 on the server.

  2. Rerun the server installation command to link to the OpenSSL 3 libraries.

  3. Generate a new Certificate Authority (CA). Generate a new peer certificate signed with the new CA. The new certificates support the OpenSSL 3.0 algorithms.

  4. Create a new agent policy to distribute the new certificates to eligible clients. The original certificates are still available and can connect older devices that do not recognize the new CA.