Certificates with validity ending after year 2037 are not supported on Mac OS X

[vanroy 0]

 

Hello, 

For resolve this only can create new certificate authority with date for example 2030? 

Certificates with validity ending after year 2037 are not supported on Mac OS X. It is not possible to parse a date variable from the Certificate Authority on Mac OS X. The Agent cannot connect, because OS X cannot accept the Certificate Authority.

[MartinK 378]

Yes, just ensure that both CA certificate and peer certificate are not extending validity beyond 2037.

[vanroy 0]

In the case of peer certificate only agent certificate is necesary? or also server certificate with date 2030 is necessary ? 

 

[Marcos 5,074]

No, the CA certificate must not be valid beyond 2037 either:

https://support.eset.com/en/kb6737-create-a-new-certificate-or-certification-authority-in-eset-security-management-center-7x

Certificates with a Valid To date of 2037 or later are not supported. It is not possible to parse a date variable from the Certification Authority on macOS. The Agent cannot connect, because macOS is unable to accept the Certification Authority.

[vanroy 0]

I generated a new CA certificate and peer certificate agent with date 2030, but no work,

the agent for mac is not  comunicate on the console ESMC. 

The question is, 

Is necessary create a new peer server certificate  with date  example 2030? 

I THINK will affects my windows agents communications 

[Marcos 5,074]

Yes, you should create a new CA certificate with the "valid to" date not beyond 2036. As long as both CA certificates exist, you can generate a different peer certificate for use on Mac and use the existing peer certificate for already installed agents on Windows.

[vanroy 0]

I generated a new CA certificate and peer certificate agent with date 2030, but no work. 

CA certification authority not trusted? 

 

 

"CN=Server Certification Authority;C=US;"  This is original certification authority and  work with agent windows 

[MartinK 378]

It seems that your ESMC's certificate is signed using different CA certificate than your AGENT's certificate for macOS. In such case, you have to make sure that AGENT is installed with CA certificate that was used to sign ESMC's certificate: in this case it seems that different CA certificate was used (the one that was used to sign AGENT's certificate), which results in a state that AGENT is able to verify it's own certificate, but is is not able to verify ESMC's certificate and thus not connecting.

In case you install AGENT with CA certificate used to sign ESMC's certificate (i.e. certificate required to verify ESMC's certificate), AGENT won't be able to verify it's own certificate until first successful connection -> after that, AGENT will receive all CA certificates stored in ESMC and since than AGENT should be able to verify both it's own and also ESMC's certificate.

 

[vanroy 0]

 The problem is CA certificate used to sign ESMC's certificate is a Valid To date of 2037

 

Certificates with a Valid To date of 2037 or later are not supported. It is not possible to parse a date variable from the Certification Authority on macOS.