PF4Public

Posts posted by PF4Public

  1. I'm confused about how virus signature and software updates are accomplished if using ERA.

    Old versions of ESET security products just poll update servers in a timely manner. How are updates accomplished if using ERA? Does the security software still request the update server every 2 hours or so? Or does it communicate its status to the ERA server via the agent, and if and only if the ERA server tells it to update, it does so? If the last one is true, does it mean that if my ERA has no trigger for outdated software or virus signatures, not a single workstation will update?

     

    TIA

    >ERA documentation was recently extended with topic Custom certificates with ERA which provides steps how to use externally created certificates in ERA - it targets mostly certificate services provided by Microsoft, but maybe it will be helpful for you.

    Thanks for the link, but it is similar to the link from my post, the only difference being the fact that mine is for installation, yours is for administration. Even though it is targeted to the Windows platform, it was indeed useful for me.

     

    >Regarding importing of certificates - as you have found out already, importing private keys is not possible

    Are there any possibilities of implementing this?

     

    >you should be able to use external certificates in configuration policies

    Thanks for pointing this out. Somehow I was missing this information. Having the ability to upload a custom certificate via policies does solve the difficulties with my 1st approach.

     

    BTW, having the ability to import peer certificates with private keys allows for server-assisted installation as well as creation of packages with needed certificates in them. As I have already mentioned, sadly it is not possible to import peer certificates at the moment. 

     

    >internal certificate management in ERA is not able to handle non-standard scenarios (as possible bug with SubCA you mentioned)

    Again, are there any possibilities of improving this? If this is improved, there would be the possibility for anyone who wants to delegate SubCA to ERA to do so, though in a kind of cheaty way, but still doable.

     

    I'm also very concerned about socket path specifying.

     

    Thanks.

  3. Hi there.

    Trying to install ERA in Linux with custom PKI.

    I have read this topic already, but sadly it has no staff answers.

    I see two options here:

    1. I totally manage PKI and import generated certificates into ERA. Looks like in this case (according to this KB article) it is suggested to run the server installer in repair mode, replacing existing certificates. If certificates are managed by ERA, however, it is as simple as selecting another certificate in the web console. So why can't I just import the needed certificate via the web console (it has no such option of importing peer certificates atm) and apply it? Is there any bugtracker for ERA where I can report this? Is it possible to implement this?

    2. I create a SubCA and thus delegate certificate management to ERA. I have tried this also. But I cannot import the SubCA certificate (and its key, of course) either via the installer or via the web console. Is it possible to implement this? Though I could easily import the SubCA via SQL queries, still this gave no satisfactory result. The problem is that in this case ERA is very happy with the provided SubCA certificate, but for some reason it tries to sign peer certificates using the issuer's credentials instead of the subject's. This results in these certificates being signed by the SubCA but having all the fields from the TopCA, which is really weird, and as a result they are all invalid. Is it possible to correct this behaviour? On the other hand, I have created a dummy self-signed CA, which I've put into ERA. This time ERA successfully created valid certificates with a valid issuer field. So this is a problem only when issuer and subject are different. Fix this please.

     

    There is also one more thing.

    Is it possible to implement "--odbc-socket" (or call it whatever you like) option in server setup script, which would allow passing the needed socket path for ODBC driver as well as saving it to StartupConfiguration.ini?

     

    TIA

     

    EDIT: sorry, bad wording. In fact it is possible to upload a new server certificate via the web console, but it is not possible to import any other peer certificate via the web console for later distribution via policies, for example.
