replacing all certificates

[ewong 8]

Hi,

Thanks to a recent pebcak fubar, the certificates are all messed up and instead of wasting time trying to find out the right one, I'm hoping to re-do the whole certificate setup; but, is there an easier way of reseting all agents'  or do I actually need to uninstall all ESET products from all systems and deploy them again (I'd like to avoid this...)?

Thanks

Edmund

[ewong 8]

As an addendum, apparently I can't (or haven't found the way to ) import the peer certificates as there's no option to import them back after a backup.

 

[Marcos 5,074]

It's not necessary to uninstall agent and re-deploy it again using correct certificates. It's enough to create Live Agent installer to ensure that current certificates are used and run it on clients. Or you can run the agent installer and manually configure certificates during repair.

[MartinK 378]

Not sure I understand, but from description it is not clear to me whether AGENTs are currently connection of due to wrong certificates they stopped to do so. If they are connecting, changing certificates is possible via configuration policies.

Indeed it is not possible to import peer certificates, which means console will be able to manage only certificates generated in ESMC. Regardless of that, all relevant wizards enables you to use certificate from file if required, so you can still use backup-ed certificates almost anywhere, including configuration policies, ESMC configuration and installers.

[ewong 8]

On 12/10/2019 at 2:57 AM, MartinK said:

Not sure I understand, but from description it is not clear to me whether AGENTs are currently connection of due to wrong certificates they stopped to do so. If they are connecting, changing certificates is possible via configuration policies.

Indeed it is not possible to import peer certificates, which means console will be able to manage only certificates generated in ESMC. Regardless of that, all relevant wizards enables you to use certificate from file if required, so you can still use backup-ed certificates almost anywhere, including configuration policies, ESMC configuration and installers.

To be honest, I'm a bit confused (if not a tad bit lost) in this matter.  It's certainly a PEBCAK issue as it seems as if this happens every time I upgrade the ESMC and while I've always followed the upgrade documentation, I've always seemed to find a way to screw things up. 

Edmund

[Marcos 5,074]

Certificates are stored in the ESMC database. Did you upgrade the server by sending an ESMC component upgrade task to it?

[ewong 8]

Yes, I used the ESMC component upgrade task.

Anyway, I've removed all systems from the list of computers, and managed to have a few systems update their GPO and thusly get the agent re-installed/setup on these systems; however,  there are some which I haven't done that (mainly due to them being in use).   That said, is there a way (now or in the future) that I can run on the ESMC webconsole, such that all systems still in the lost+found will have their agent's info overwritten by the new certificates.   (As in, having just manually added the missing systems, is it possible to get their agents to drop whatever certificate they use and use the new one?)  Sorry if I'm not explaining myself well.   What I've done is created a new policy that contains the new certificates, and then assigned the policy to the lost & found group.  Is this sufficient to get the systems to reset themselves?

Thanks

Edmund

 

[MartinK 378]

2 hours ago, ewong said:

What I've done is created a new policy that contains the new certificates, and then assigned the policy to the lost & found group.  Is this sufficient to get the systems to reset themselves?

Yes, it is proper way how to change certificate on clients. Just be aware that this would work only for actively connecting clients and that is why I asked whether you need to change it on active clients or on "dead"ones.

Once policy is applied, certificate is immediately replaced and there is no way back so just be careful of which certificate is chosen.

[ewong 8]

On 12/11/2019 at 6:42 PM, MartinK said:

Yes, it is proper way how to change certificate on clients. Just be aware that this would work only for actively connecting clients and that is why I asked whether you need to change it on active clients or on "dead"ones.

Once policy is applied, certificate is immediately replaced and there is no way back so just be careful of which certificate is chosen.

It's kinda funny how easy I can dig myself into jams.  I had just replaced an Agent certificate (thinking that I can fix it if it goes up the creek); but once I deleted the old one, the agents obviously complained.   I had created a new policy just for this purpose and applied it to the set of complaining agents. 

What I'm curious is how long does it take for the agent to connect to the server and update its certificate?

Thanks

Edmund

[Marcos 5,074]

Agent connects to the ESMC server in 1-min. intervals by default (https://help.eset.com/esmc_install/70/en-US/client_connection_interval.html) assuming that a secure connection can be established, ie. agent has a valid peer agent certificate and CA certificate. Otherwise you'll need to re-deploy agent and install correct certificates during installation, or generate a new Agent live installer on the ESMC server so that it includes current certificates.

[ewong 8]

Hi Marcos,

Thanks for the info.  In the end, I ended up repairing the installation with a new set of certificates, exported the agent and CA certs and am currently repairing all the other clients manually.   I am, however, wondering if a GPO can be used instead?  I.e.  Is it possible to do a repair via GPO?

Thanks

Edmund

[MartinK 378]

18 hours ago, ewong said:

Is it possible to do a repair via GPO?

Not tested, but should work as GPO-style configuration is used internally for all other installer types on Windows.