[KB3617] Create a new certificate or certification authority in ESET Remote Administrator (6.x)

Issue

ESET business product no longer supported

This content applies to an ESET product version that is currently in End of Life status and is no longer supported. This content is no longer updated.

For a complete list of supported products and support level definitions, review the ESET End of Life policy for business products.

Upgrade ESET business products.

Certificates are used to authenticate products distributed under your license and identify computers on your network to help ensure secure communication between your ERA Server and clients

Details

Your Certification Authority (CA) is used to legitimize certificates distributed from your network. In an enterprise setting, a public key can be used to automatically associate client software with the ERA Server during the remote installation of ESET products.

In some cases, you might want to create a new certificate to set specific parameters for a certain group of client computers, for example, create a limited-duration certificate for a group of computers that will only be in use for a limited time.

Solution

View permissions needed for least privilege user access

ERA 6.5 User Permissions

This article assumes that your ERA user has the correct access rights and permissions to perform the tasks below.

If you are still using the default Administrator user, or you are unable to perform the tasks below (the option is grayed out), see the following article to create a second administrator user with all access rights (you only need to do this once):

Create a second administrator user in ESET Remote Administrator 6.5

A user must have the following permissions for the group that contains the modified object:

*Functionality*	*Read*	*Use*	*Write*
Certificates	✓	✓	✓

Once these permissions are in place, follow the steps below.

Default certificates

Peer certificates and Certification Authority created during the installation are by default contained in the static group All.

Create a new Peer Certificate in ERA Web Console

Open ESET Remote Administrator Web Console (ERA Web Console) in your web browser and log in.
Click Admin → Certificates → New → Certificate.

Figure 1-1
Click the image to view larger in new window

Expand the Basic section to display the following basic settings for the certificate:

Product: Select the type of certificate you want to create from the drop-down menu.
Host: Leave the default value (an asterisk) in the Host field to allow for distribution of this certificate with no association to a specific DNS name or IP address.
Passphrase: We recommend that you leave this field blank, but if desired you can set a passphrase for the certificate that will be required when clients attempt to activate.

Unsupported characters in Agent Certificate

The certificate passphrase must not contain following characters: " These characters cause critical error during the initialization of the Agent.

Attributes: These fields are not mandatory, but you can use them to include more detailed information about this certificate.

Figure 1-2
Click the image to view larger in new window

Expand the Sign section and click <Select Certification Authority>. Select the CA that you want to use and then click OK.

"Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password"

When you are creating a new certificate in ERA Virtual Appliance, you must type the Certification Authority Passphrase in the field. It is the same password you have specified during ERA VA configuration.
Expand the Summary section to view details about the certificate and then click Finish to create a new one. Your new peer certificate will be displayed in the list of peer certificates.

Create a new Certification Authority in ERA Web Console

Click Admin → Certificates → Certification Authorities → New.

You can set the following basic settings for the Certification Authority:

Description: Enter description for the Certification Authority.
Passphrase & Confirm Passphrase: You can set a passphrase for your CA according to your preference, but it is not required.
Attributes: The Common Name field is mandatory, and will be used to refer to this CA in the future.
CA Validity: Set the CA validity dates using the Valid From and Valid To fields.

Figure 2-1
Click the image to view larger in new window

macOS does not support certificates with validity ending after year 2037

Certificates with a Valid To date of 2037 or later are not supported. It is not possible to parse a date variable from the Certification Authority on macOS. The Agent cannot connect, because macOS is unable to accept the Certification Authority.

Click Save to save your new CA. It will be listed in the Certification Authority list under Admin → Certificates → Certification Authorities, and will be ready for use.

Última atualizaçăo: 30 de set. de 2022