vanroy, posted April 29, 2020:
Hello, to resolve this, is the only option to create a new certificate authority with a date of, for example, 2030?
Certificates with validity ending after year 2037 are not supported on Mac OS X. It is not possible to parse a date variable from the Certificate Authority on Mac OS X. The Agent cannot connect, because OS X cannot accept the Certificate Authority.

MartinK (ESET Staff), posted April 29, 2020:
Yes, just ensure that both CA certificate and peer certificate are not extending validity beyond 2037.

vanroy, posted April 29, 2020:
In the case of the peer certificate, is only the agent certificate necessary, or is a server certificate with date 2030 also necessary?

Marcos (Administrators), posted April 29, 2020:
No, the CA certificate must not be valid beyond 2037 either: https://support.eset.com/en/kb6737-create-a-new-certificate-or-certification-authority-in-eset-security-management-center-7x
Certificates with a Valid To date of 2037 or later are not supported. It is not possible to parse a date variable from the Certification Authority on macOS. The Agent cannot connect, because macOS is unable to accept the Certification Authority.

vanroy, posted April 29, 2020:
I generated a new CA certificate and agent peer certificate with date 2030, but it does not work; the agent for Mac does not communicate with the ESMC console. The question is: is it necessary to create a new server peer certificate with a date of, for example, 2030? I THINK it will affect my Windows agents' communications.

Marcos (Administrators), posted April 30, 2020:
Yes, you should create a new CA certificate with the "valid to" date not beyond 2036. As long as both CA certificates exist, you can generate a different peer certificate for use on Mac and use the existing peer certificate for already installed agents on Windows.

vanroy, posted May 3, 2020:
I generated a new CA certificate and agent peer certificate with date 2030, but it does not work. Is the CA certification authority not trusted? "CN=Server Certification Authority;C=US;" This is the original certification authority, and it works with the Windows agent.

MartinK (ESET Staff), posted May 3, 2020:
It seems that your ESMC's certificate is signed using a different CA certificate than your AGENT's certificate for macOS. In such a case, you have to make sure that AGENT is installed with the CA certificate that was used to sign ESMC's certificate: in this case it seems that a different CA certificate was used (the one that was used to sign AGENT's certificate), which results in a state where AGENT is able to verify its own certificate, but is not able to verify ESMC's certificate and thus is not connecting. In case you install AGENT with the CA certificate used to sign ESMC's certificate (i.e. the certificate required to verify ESMC's certificate), AGENT won't be able to verify its own certificate until the first successful connection -> after that, AGENT will receive all CA certificates stored in ESMC and since then AGENT should be able to verify both its own and also ESMC's certificate.

vanroy, posted May 4, 2020:
The problem is that the CA certificate used to sign ESMC's certificate has a Valid To date of 2037.
Certificates with a Valid To date of 2037 or later are not supported. It is not possible to parse a date variable from the Certification Authority on macOS.

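Added example (not part of any post above and not ESET code): a Python pre-check for the two conditions discussed in this thread, the Valid To limit and the CA that signed the server certificate, run over constructed `openssl x509 -noout -subject -issuer -enddate` output in the OpenSSL 1.1+ layout. The "New macOS CA" name, the peer subjects, all exact dates, the function names, and applying the date limit to the server peer certificate as well are assumptions.

```python
from datetime import datetime

FIRST_UNSUPPORTED_YEAR = 2037  # from the KB text quoted in the thread


def parse_cert(text):
    """Parse `openssl x509 -noout -subject -issuer -enddate` output into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    fields["notAfter"] = datetime.strptime(fields["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return fields


def check_mac_agent(installed_ca, agent_peer, server_peer):
    """List the problems a macOS Agent installed with `installed_ca` would hit."""
    problems = []
    certs = (("installed CA", installed_ca), ("agent peer", agent_peer),
             ("server peer", server_peer))
    for role, cert in certs:
        if cert["notAfter"].year >= FIRST_UNSUPPORTED_YEAR:
            problems.append(f"{role}: Valid To {cert['notAfter']:%Y-%m-%d} is 2037 or later")
    # Name-level comparison only (assumption): it does not verify the signature.
    if server_peer["issuer"] != installed_ca["subject"]:
        problems.append("server peer: not issued by the installed CA")
    return problems


# Constructed sample data modelled on the situation described in the thread.
ORIGINAL_CA = parse_cert("""subject=CN = Server Certification Authority, C = US
issuer=CN = Server Certification Authority, C = US
notAfter=Apr 29 00:00:00 2037 GMT""")
NEW_CA = parse_cert("""subject=CN = New macOS CA, C = US
issuer=CN = New macOS CA, C = US
notAfter=Jan  1 00:00:00 2030 GMT""")
AGENT_PEER = parse_cert("""subject=CN = Agent at *, C = US
issuer=CN = New macOS CA, C = US
notAfter=Jan  1 00:00:00 2030 GMT""")
SERVER_PEER = parse_cert("""subject=CN = Server at *, C = US
issuer=CN = Server Certification Authority, C = US
notAfter=Jan  1 00:00:00 2030 GMT""")

if __name__ == "__main__":
    for label, ca in (("new CA", NEW_CA), ("original CA", ORIGINAL_CA)):
        print(label, "->", check_mac_agent(ca, AGENT_PEER, SERVER_PEER) or "no problems found")
```

With this sample data, installing the Agent with either CA reports one problem: the issuer mismatch for the new CA, and the Valid To date for the original one.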