[KB6021] “Peer certificate is expiring soon” error in ESET Remote Administrator (6.x)

0
(0)

Issue

ESET business product no longer supported

This article applies to an ESET product version that is currently in End of Life status and is no longer supported. The content in this article is no longer updated.

For a complete list of supported products and support level definitions, review the ESET End of Life policy for business products.

Upgrade ESET business products.

  • “Peer certificate is expiring soon” or “Peer certificate is invalid” message in ERA Web Console
  • Endpoints stop checking in to ESET Remote Administrator

Figure 1-1
Click the image to view larger in new window

Details

As part of the installation process, ESET Remote Administrator requires that you create a peer Certificate Authority and a peer certificate for Agents. These certificates are used to authenticate products distributed under your license.

What happens when the Agent certificate expires?

There will be no notification from the Agent, but you will see warnings in the ERA Web Console for 30 days prior to expiration. Once expired, the Agent will still attempt to connect and client computers will not be removed automatically, but they will stop connecting and the server task Delete not connecting computers will eventually remove them if configured to do so.

Solution

See the following article if you do not know how to create a new peer certificate or Certification Authority:

ERA 6.5 User Permissions

This article assumes that your ERA user has the correct access rights and permissions to perform the tasks below.

If you are still using the default Administrator user, or you are unable to perform the tasks below (the option is grayed out), see the following article to create a second administrator user with all access rights (you only need to do this once):
View permissions needed for least privilege user access

A user must have the following permissions for the group that contains the modified object:

Functionality Read Use Write
Certificates

Once these permissions are in place, follow the steps below.

NOTE:

Peer certificates and Certification Authority created during the installation are by default contained in the static group All.

Scenario 1: Agent Certificate is expiring soon

Agents are connecting to ERA Server. Make sure that Agent certificate will not expire sooner than its expiration date.

  1. Create a new Agent peer certificate.
  2. Create and apply a new ESET Remote Administrator Agent policy and distribute the newly created Agent peer certificate.

Do not delete the old certificate until the new certificate is applied on all Agents.

Scenario 2: Agent Certificate is invalid (expired)

If Agents cannot connect to ERA Server, redeploy the ERA Agent on all machines that use the expired Agent certificate.

  1. Create a new Agent peer certificate:
    • After successfully creating the Agent certificate, it will be available in the Certificates list (Admin → Certificates → Peer Certificates) to use when installing the Agent.
  2. Redeploy the Agent with the new Agent peer certificate.

Scenario 3: Server Certificate is expiring soon

If the Certification Authority is expired too, proceed with the Scenario 5 instead of this scenario.

  1. Create a new Server certificate (select Server from the Product drop-down menu).
  2. Select your new ERA Server certificate.

Scenario 4: Server Certificate is invalid (expired)

Agents cannot connect to ERA Server because the Server certificate is expired. After setting up a new Server certificate, Agents with a valid certificate will be able to connect to ERA Server.

If the Certification Authority is expired too, proceed with the Scenario 6 instead of this scenario.

  1. Create a new Server certificate (select Server from the Product drop-down menu).
  2. Select your new ERA Server certificate.

Scenario 5: Certification Authority is expiring soon

Agents are connecting to ERA Server, however, after creating a new certification authority (CA), all certificates you use must be replaced: Server, Agent, MDM, Proxy, Virtual Agent Host.

  1. Create a new CA and be sure to use a new Common Name different from the expired CA.
  2. Create a new Server certificate (select Server from the Product drop-down menu) and sign it with the newly created CA.
  3. Create new certificates for other product components as needed (Agent, MDM, Proxy, Virtual Agent Host).
  4. Create and apply a new ESET Remote Administrator Agent policy and distribute the newly created Agent peer certificate.
  5. Apply other peer certificates using policies.
  6. Wait for replication of the new certificate and certification authority to all Agents.
  7. Wait for replication of the new certificate and certification authority to all other product components (if used).
  8. Select your new ERA Server certificate.

Do not delete the expiring CA until new certificates are applied on all components.

Scenario 6: Certification Authority is invalid (expired)

Agents cannot connect to ERA Server. Create a new certification authority (CA). All certificates you use must be replaced: Server, Agent, MDM, Proxy, Virtual Agent Host.

  1. Create a new CA and be sure to use a new Common Name different from the expired CA.
  1. Create a new Server certificate (select Server from the Product drop-down menu) and sign it with the newly created CA.
  1. Create new certificates for other product components as needed (Agent, MDM, Proxy, Virtual Agent Host).
  2. Redeploy the Agent with the new Agent peer certificate.
  3. If you use other ERA components, such as ERA Proxy, repair the ERA Proxy installation and use the newly created certificate.
  4. Select your new ERA Server certificate.

Troubleshooting logs

When a client computer does not appear to be connecting to your ERA Server, we recommend that you perform ERA Agent troubleshooting locally on the client machine. See the following ESET Online Help topic for more information.

Languages
Last Updated: Jan 4, 2021
Source : Official ESET Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 59 times, 1 visits today)
Tagged: