Arekn, posted December 1, 2020 (edited)

I'm following this guide: https://help.eset.com/esmc_install/70/en-US/clean_installation_different_ip.html

However when I try to create a new certificate on an old server, it doesn't let me. I get an error:

> Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password.: Trace info: CreatePeerCertificate: PFXImportCertStore failed with The specified network password is not correct. Error code: 0x56

Does it mean CA requires a password? What if I don't remember my CA password?

Marcos (Administrators), posted December 1, 2020

If you don't remember the password you will need to re-deploy agent using the new CA and peer agent certificate that are generated during installation of the ESMC server after migrating the db to the new server.

MartinK (ESET Staff), posted December 1, 2020

There are actually two alternatives:

1. You do not need to create new certificate in case old one contains "asterisk" in common name, i.e. in case it was signed in a way that it can be used on new hostname. If this is confirmed, you can re-use existing SERVER certificate without creating new one. Once clients are migrated, I would recommend to create new certificate on new ESMC, to be sure it has latest possible parameters and validity is extended.
2. You can create new CA certificate and SERVER peer certificate on old ESMC server. You just have to ensure that this new CA certificate is distributed to each client before migration policy is applied - but this is automatic in case proper order of steps will be used.

Arekn (Author), posted December 2, 2020

14 hours ago, MartinK said:

> You do not need to create new certificate in case old one contains "asterisk" in common name, i.e. in case it was signed in a way that it can be used on new hostname. If this is confirmed, you can re-use existing SERVER certificate without creating new one. Once clients are migrated, I would recommend to create new certificate on new ESMC, to be sure it has latest possible parameters and validity is extended.

By SERVER certificate you mean peer server certificate? Or CA? Because I can't find a way to import a server peer certificate that I exported from the old server. I can only import CA.

MartinK (ESET Staff), posted December 2, 2020

47 minutes ago, Arekn said:

> By SERVER certificate you mean peer server certificate? Or CA? Because I can't find a way to import a server peer certificate that I exported from the old server. I can only import CA.

You cannot import it into console for further management, but when setting certificate in ESMC's server settings, you can "upload" arbitrary certificate, and that is the way. As you won't be able to import it, it would be ideal to replace it later with certificate generated in new ESMC, but this will be possible once all agents are migrated to new server and actively connecting.