[KB6804] Create a new custom certificate or certification authority for ESET Security Management Center (7.x)

0
(0)

Issue

ESET business product in Limited Support status

This article applies to an ESET product version that is currently in Limited Support status and is scheduled to reach End of Life status soon.

For a complete list of supported products and support level definitions, review the ESET End of Life Policy for business products.

Upgrade ESET business products.

  • Create custom certificates or Certification Authorities (CAs) for ESET Security Management Center (ESMC)

Solution

Prerequisites

  • You need to have OpenSSL version 1.1.1g (for Windows) installed. The OpenSSL application allows you to create signed certificates.

Solution

  1. Generate  the .key file and cert for CA. Run the following code in the Command Prompt. You can substitute the esmc-custom-ca.key and esmc-custom-ca.der file name with your custom name.
openssl genrsa -out emsc-custom-ca.key 2048
openssl req -x509 -new -nodes -key emsc-custom-ca.key -sha256 -days 3650 -out emsc-custom-ca.der -outform der -subj "/CN=ESMC Custom CA"
  1.  Create the ESMC certificate extensions’ file.
echo authorityKeyIdentifier=keyid,issuer >esmc.ext
echo basicConstraints=CA:FALSE >>esmc.ext
echo keyUsage=digitalSignature,keyEncipherment,dataEncipherment >>esmc.ext
echo subjectAltName=DNS:* >>esmc.ext
keyUsage and subjectAltName values

Make sure that you use the values provided in the example above:
– keyUsage=digitalSignature,keyEncipherment,dataEncipherment
– Subject Alternative Name (SAN) should be defined as DNS:* for ESMC Server and for all Agents: subjectAltName=DNS:*

  1. Generate key and cert for ESMC Server and export to .pfx file. Replace the password with a proper password.
openssl genrsa -out esmc-server.key 2048
openssl req -new -key esmc-server.key -subj "/CN=ESMC Server" | openssl x509 -req -CA emsc-custom-ca.der -CAkey emsc-custom-ca.key -CAform DER -out esmc-server.crt -days 1825 -sha256 -extfile esmc.ext
openssl pkcs12 -export -out esmc-server.pfx -inkey esmc-server.key -in esmc-server.crt -passout pass:password
Common Name (CN) string

The Common Name (CN) must contain one of these strings: “server“or “agent“, depending on which Certificate Request you want to create.

  1. Generate key and cert for ESMC Agent and export to .pfx file. Replace the password with a proper password.
openssl genrsa -out esmc-agent.key 2048
openssl req -new -key esmc-agent.key -subj "/CN=ESMC Agent" | openssl x509 -req -CA emsc-custom-ca.der -CAkey emsc-custom-ca.key -CAform DER -out esmc-agent.crt -days 1825 -sha256 -extfile esmc.ext
openssl pkcs12 -export -out esmc-agent.pfx -inkey esmc-agent.key -in esmc-agent.crt -passout pass:password
Languages

Please contact your local support agent if you would like us to translate this article.

Last Updated: Jul 21, 2021

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 26 times, 1 visits today)
Tagged: