
CA Problem after migration from OLD to NEW server



Hi,

I need your advice... I've migrated our ERA server to a new one. I followed this procedure (hxxp://help.eset.com/era_install/64/en-US/index.html?migrated_database_different_ip.htm) but now,

my peer CAs are in status "no", and I don't know why, but I got double certificates...

PCs/SRVs are connecting to the new one.

ESET Remote Administrator (Server), Version 6.5 (6.5.522.0)
ESET Remote Administrator (Web Console), Version 6.5 (6.5.388.0)
 
Thank you

2017-03-22_180434.jpg

  • Administrators

Did you export the CA certificate from the former server? (Export all Certification Authority Certificates from your ERA Server and save each CA certificate as a .der file.)

Did you import it on the new one? (Import all CAs exported from your old ERA Server. To do so, follow the instructions for importing a public key.)

  • Former ESET Employees

Hi Jarno,

Could you provide a screenshot from the ERA Web Console: navigate to Admin -> Certificates -> Certification Authorities?

# of signed active peer certificates - values in this table column are important (See screenshot)

2.png

  • Former ESET Employees

And have you changed the ERA Server certificate in Server Settings to use the previous Server certificate from your old ERA Server?

  • ESET Staff

Hello, just to verify.
Your issue is that the certificates are present twice and the column "CA is present" is under status "no"?
Or is there an issue with Agent connection due to the certificate duplicity? (You can see that in "status.html" on the client device.)
 

Edited by Oliver
  • ESET Staff

OK.
So that is just a "visual bug" and everything else is working correctly.
But if you want to "fix" it, there is a way.
You can create a new ERA CA -> generate (create) a new set of certificates and sign them with this NEW ERA CA, and then replace all those "old" certificates with those shiny new ones (use these new signed certificates in the respective policy, use the "force" option, and assign this policy to all required devices).
After you verify that the CA and certificates are working correctly and every device is using the new certificate -> you can revoke all other (not-so-shiny) certificates and CA.

 
