
Automate MDM HTTPS Certificate installation [Linux]


We have a clean Eset Protect v10 installed on Ubuntu. The same server also contains the MDM installation. The whole installation was generally without problems. All installed, all activated.

For Eset Protect Console I have a certificate from Let's Encrypt (certbot) which is automatically renewed every 2 or 3 months and through a post-hook I copy the needed files to the tomcat9 folder and restart the service so the new certificate is used.

I used the openssl command to create a PFX file from the PEM files that Let's Encrypt generated (found it on the forums here) and used that while installing MDM. All went well and when accessing the <mdm serverhostname>:9980 the certificate is working well.

In my Protect console there is an error about the certificate chain however. I did some more reading and the conclusion is that the CA part is missing from the generated certificates. This leaves me with 3 questions:

1) I can get the needed root certificate from Chain of Trust - Let's Encrypt (letsencrypt.org). Do I need the self-signed ISRG root X1 certificate or the cross-signed ISRG root X1 certificate?

2) I assume the PEM version is the logical choice as the generated certificates are also PEM files. Can I just add another "-in <cacert.pem>" in my openssl command to add the CA certificate into the resulting PFX file? Or do I need to concatenate the PEM files?

3) How do I inject the auto-renewed certificate into MDM? I know normally it is done with an MDM policy but as these are short-lived certificates I need to automate it. I already searched through the install script to see if there was a command to inject the certificates and it seems to be linked to "multiagentcertificate" but I don't have enough Linux/bash knowledge to find out if it is possible to create a script to do this. I also found compiled scripts "customaction.sh" and looked at the help but again, not sure if this can be utilized to fulfill my needs. Is there a way to automate https script injection from the shell?
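
For question 2, one way to put the CA chain into the PFX is `openssl pkcs12 -export` with `-certfile`, which embeds additional certificates beside the leaf given with `-in`. This is an added example, not part of the original post and not ESET or certbot code; it assumes certbot's standard lineage file names, and `MDM_PFX_OUT`, `MDM_PFX_PASSFILE` and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not ESET or certbot code.
set -eu

# build_pfx LINEAGE_DIR OUT_PFX PASSFILE
# LINEAGE_DIR holds certbot's cert.pem, chain.pem and privkey.pem.
build_pfx() {
  local lineage=$1 out=$2 passfile=$3 f tmp
  for f in cert.pem chain.pem privkey.pem; do
    [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
  done
  tmp=$(mktemp "$out.XXXXXX")   # created 0600, so the key is never world-readable
  # -in = leaf, -inkey = its key, -certfile = extra CA certificates to embed.
  # "file:" keeps the export password out of the process list.
  if ! openssl pkcs12 -export -in "$lineage/cert.pem" \
        -inkey "$lineage/privkey.pem" -certfile "$lineage/chain.pem" \
        -out "$tmp" -passout "file:$passfile"; then
    rm -f "$tmp"
    return 1
  fi
  mv -f "$tmp" "$out"           # replace the old PFX in one step
}

# pfx_cert_count PFX PASSFILE -> number of certificates stored in the PFX
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "file:$2" 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# make_demo_lineage DIR: constructed throwaway CA and leaf, certbot file names
make_demo_lineage() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$d/ca.key" -out "$d/chain.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mdm.example.test" \
    -keyout "$d/privkey.pem" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain.pem" -CAkey "$d/ca.key" \
    -set_serial 2 -days 1 -out "$d/cert.pem" 2>/dev/null
}

# As a certbot deploy hook: certbot sets RENEWED_LINEAGE on renewal.
# MDM_PFX_OUT and MDM_PFX_PASSFILE are hypothetical names for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  build_pfx "$RENEWED_LINEAGE" "$MDM_PFX_OUT" "$MDM_PFX_PASSFILE"
  echo "PFX holds $(pfx_cert_count "$MDM_PFX_OUT" "$MDM_PFX_PASSFILE") certificates"
fi
```

Certbot's `chain.pem` carries the issuing CA certificates as served by Let's Encrypt; any further certificate would be appended to the file passed to `-certfile`.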
