Migrating to a new server


I'm following this guide:

https://help.eset.com/esmc_install/70/en-US/clean_installation_different_ip.html

However, when I try to create a new certificate on an old server, it doesn't let me. I get an error:

Quote

Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password.: Trace info: CreatePeerCertificate: PFXImportCertStore failed with The specified network password is not correct. Error code: 0x56

Does it mean CA requires a password? What if I don't remember my CA password?

Edited by Arekn
formatting
  • Administrators

If you don't remember the password, you will need to re-deploy the agent using the new CA and peer agent certificate that are generated during installation of the ESMC server after migrating the db to the new server.

  • ESET Staff

There are actually two alternatives:

  1. You do not need to create a new certificate in case the old one contains an "asterisk" in the common name, i.e. in case it was signed in a way that it can be used on the new hostname. If this is confirmed, you can re-use the existing SERVER certificate without creating a new one. Once clients are migrated, I would recommend creating a new certificate on the new ESMC, to be sure it has the latest possible parameters and validity is extended.
  2. You can create a new CA certificate and SERVER peer certificate on the old ESMC server. You just have to ensure that this new CA certificate is distributed to each client before the migration policy is applied - but this is automatic in case the proper order of steps is used.
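
Added example (not part of the original posts and not ESET's tooling): a shell check for the first alternative above, confirming that a server certificate's common name contains an asterisk and that it has validity left before it is reused. It assumes the exported certificate has been converted to PEM; the function names, the script name and the sample common names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-migration check of a server peer certificate (PEM).

# Print the subject common name of the PEM certificate in $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p' | head -n 1
}

# Succeed if the common name contains an asterisk.
cert_is_wildcard() {
    case "$(cert_cn "$1")" in
        *\**) return 0 ;;
        *)    return 1 ;;
    esac
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print a verdict for certificate $1, requiring $2 days of remaining validity.
check_reusable() {
    if ! cert_is_wildcard "$1"; then
        echo "not reusable: CN '$(cert_cn "$1")' has no asterisk"; return 1
    fi
    if ! cert_valid_for_days "$1" "$2"; then
        echo "wildcard CN, but expires within $2 days"; return 2
    fi
    echo "reusable: CN '$(cert_cn "$1")', valid for at least $2 more days"
}

# Constructed sample input: throwaway self-signed certificate with CN $1,
# valid for $2 days, written to $3. Not an ESMC-issued certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -days "$2" -keyout "$3.key" -out "$3" 2>/dev/null
}

# Usage: sh check_cert.sh server.pem [days]
if [ -n "${1:-}" ]; then
    check_reusable "$1" "${2:-30}"
fi
```
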
14 hours ago, MartinK said:
  1. You do not need to create a new certificate in case the old one contains an "asterisk" in the common name, i.e. in case it was signed in a way that it can be used on the new hostname. If this is confirmed, you can re-use the existing SERVER certificate without creating a new one. Once clients are migrated, I would recommend creating a new certificate on the new ESMC, to be sure it has the latest possible parameters and validity is extended.

By SERVER certificate you mean peer server certificate? Or CA? Because I can't find a way to import a server peer certificate that I exported from the old server. I can only import CA.

  • ESET Staff
47 minutes ago, Arekn said:

By SERVER certificate you mean peer server certificate? Or CA? Because I can't find a way to import a server peer certificate that I exported from the old server. I can only import CA.

You cannot import it into the console for further management, but when setting the certificate in ESMC's server settings, you can "upload" an arbitrary certificate, and that is the way. As you won't be able to import it, it would be ideal to replace it later with a certificate generated in the new ESMC, but this will be possible once all agents are migrated to the new server and actively connecting.
