ewong (Most Valued Members), posted December 7, 2019

Hi,

Thanks to a recent pebcak fubar, the certificates are all messed up and, instead of wasting time trying to find out the right one, I'm hoping to redo the whole certificate setup; but is there an easier way of resetting all agents, or do I actually need to uninstall all ESET products from all systems and deploy them again (I'd like to avoid this...)?

Thanks
Edmund
ewong (Most Valued Members, author), posted December 7, 2019

As an addendum, apparently I can't (or haven't found the way to) import the peer certificates, as there's no option to import them back after a backup.
Marcos (Administrators), posted December 7, 2019

It's not necessary to uninstall the agent and re-deploy it again using correct certificates. It's enough to create a Live Agent installer to ensure that current certificates are used, and run it on clients. Or you can run the agent installer and manually configure certificates during repair.
MartinK (ESET Staff), posted December 9, 2019

Not sure I understand, but from the description it is not clear to me whether Agents are currently connecting or whether, due to wrong certificates, they stopped doing so. If they are connecting, changing certificates is possible via configuration policies. Indeed it is not possible to import peer certificates, which means the console will be able to manage only certificates generated in ESMC. Regardless of that, all relevant wizards enable you to use a certificate from a file if required, so you can still use backed-up certificates almost anywhere, including configuration policies, ESMC configuration and installers.
ewong (Most Valued Members, author), posted December 11, 2019

On 12/10/2019 at 2:57 AM, MartinK said:
> Not sure I understand, but from the description it is not clear to me whether Agents are currently connecting or whether, due to wrong certificates, they stopped doing so. If they are connecting, changing certificates is possible via configuration policies. Indeed it is not possible to import peer certificates, which means the console will be able to manage only certificates generated in ESMC. Regardless of that, all relevant wizards enable you to use a certificate from a file if required, so you can still use backed-up certificates almost anywhere, including configuration policies, ESMC configuration and installers.

To be honest, I'm a bit confused (if not a tad bit lost) in this matter. It's certainly a PEBCAK issue, as it seems as if this happens every time I upgrade the ESMC, and while I've always followed the upgrade documentation, I've always seemed to find a way to screw things up.

Edmund
Marcos (Administrators), posted December 11, 2019

Certificates are stored in the ESMC database. Did you upgrade the server by sending an ESMC component upgrade task to it?
ewong (Most Valued Members, author), posted December 11, 2019

Yes, I used the ESMC component upgrade task.

Anyway, I've removed all systems from the list of computers, and managed to have a few systems update their GPO and thusly get the agent re-installed/set up on these systems; however, there are some on which I haven't done that (mainly due to them being in use).

That said, is there a way (now or in the future) that I can run on the ESMC web console, such that all systems still in the lost+found will have their agent's info overwritten by the new certificates? (As in, having just manually added the missing systems, is it possible to get their agents to drop whatever certificate they use and use the new one?)

Sorry if I'm not explaining myself well.

What I've done is created a new policy that contains the new certificates, and then assigned the policy to the lost & found group. Is this sufficient to get the systems to reset themselves?

Thanks
Edmund
MartinK (ESET Staff), posted December 11, 2019

2 hours ago, ewong said:
> What I've done is created a new policy that contains the new certificates, and then assigned the policy to the lost & found group. Is this sufficient to get the systems to reset themselves?

Yes, it is the proper way to change the certificate on clients. Just be aware that this would work only for actively connecting clients, and that is why I asked whether you need to change it on active clients or on "dead" ones. Once the policy is applied, the certificate is immediately replaced and there is no way back, so just be careful which certificate is chosen.
ewong (Most Valued Members, author), posted December 14, 2019

On 12/11/2019 at 6:42 PM, MartinK said:
> Yes, it is the proper way to change the certificate on clients. Just be aware that this would work only for actively connecting clients, and that is why I asked whether you need to change it on active clients or on "dead" ones. Once the policy is applied, the certificate is immediately replaced and there is no way back, so just be careful which certificate is chosen.

It's kinda funny how easily I can dig myself into jams. I had just replaced an Agent certificate (thinking that I can fix it if it goes up the creek); but once I deleted the old one, the agents obviously complained. I had created a new policy just for this purpose and applied it to the set of complaining agents.

What I'm curious about is how long it takes for the agent to connect to the server and update its certificate?

Thanks
Edmund
Marcos (Administrators), posted December 14, 2019

The Agent connects to the ESMC server at 1-min. intervals by default (https://help.eset.com/esmc_install/70/en-US/client_connection_interval.html), assuming that a secure connection can be established, i.e. the agent has a valid peer agent certificate and CA certificate. Otherwise you'll need to re-deploy the agent and install correct certificates during installation, or generate a new Agent live installer on the ESMC server so that it includes current certificates.
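A check that follows from the answers above, added here as an example that is not part of the thread or of ESET's tooling: before assigning a certificate policy (which, as MartinK notes, cannot be undone), confirm whether each agent's exported peer certificate still chains to the CA the server currently trusts; agents that do can take the new certificate via policy, the rest need a repair install. The CA and agent certificates below are constructed throwaway ones made with openssl; with a real ESET export you would first extract the certificate from the .pfx (shown in a comment).

```shell
#!/bin/sh
# Added example (not ESET's code): classify agents by whether their peer
# certificate still chains to the CA the ESMC server currently trusts.
set -e
WORK=$(mktemp -d)

# Constructed sample PKI: an "old" CA (pre-upgrade) and the "new" server CA.
mk_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue an agent peer certificate signed by the given CA.
mk_agent() {  # $1 = agent name, $2 = issuing CA name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# A real ESET export is a .pfx; extract just the certificate first, e.g.:
#   openssl pkcs12 -in agent.pfx -nokeys -clcerts -passin pass:PLACEHOLDER -out agent.pem

# Exit 0 when the agent cert chains to the CA, non-zero otherwise.
agent_cert_chains_to_ca() {  # $1 = trusted CA pem, $2 = agent cert pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Which fix from the thread applies: "policy" for an agent that still connects
# (its cert is trusted by the server), "repair" for one that must be reinstalled
# with the current certificates.
remediation_for() {  # $1 = trusted CA pem, $2 = agent cert pem
  if agent_cert_chains_to_ca "$1" "$2"; then echo policy; else echo repair; fi
}

mk_ca old-ca
mk_ca new-ca
mk_agent agent-a old-ca   # issued before the upgrade, no longer trusted
mk_agent agent-b new-ca   # issued from the current server CA

for a in agent-a agent-b; do
  printf '%s: %s\n' "$a" "$(remediation_for "$WORK/new-ca.pem" "$WORK/$a.pem")"
done
```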
ewong (Most Valued Members, author), posted December 16, 2019

Hi Marcos,

Thanks for the info. In the end, I ended up repairing the installation with a new set of certificates, exported the agent and CA certs, and am currently repairing all the other clients manually.

I am, however, wondering if a GPO can be used instead? I.e. is it possible to do a repair via GPO?

Thanks
Edmund
MartinK (ESET Staff), posted December 16, 2019

18 hours ago, ewong said:
> Is it possible to do a repair via GPO?

Not tested, but it should work, as GPO-style configuration is used internally for all other installer types on Windows.