ERA v6 Certificates with own Certificate Authority


Recommended Posts

So I understand in ERA v6 certificates are used for securing communications between ERA Server and ERA Agents, as part of the setup you can create a server certificate and an Agent certificate later on I believe. I think this option generates a CA within ERA server.

 

We have our own internal CA, and as such would like to utilise that for certificate generation, however the documentation is very sparse for the installer, what certificate is it asking for, and how do we create a suitable one from our CA, how to make the cert request, and what common name and subject alternative name DNS hostnames does it require?

 

We don't want any wasted certificates in there as I've read you can't remove them currently in ERA 6.1

 

It's not clear if you can create server and agent certificates outside of ERA v6 and import them in for use, or whether you need to create them inside ERA v6 using your CA, does that mean you need to import the CA certificate into ERA v6? We'd probably not want to do that, can we make a SubCA certificate from our CA for ESET RA to use to generate certificates?

 

I have an open ticket with support, but this is dragging on. Anyone else managed to get this setup working that can shine a light on this? Thanks.

 

Note: We are doing a component ERA Server installation on Windows (see this thread: https://forum.eset.com/topic/5630-installing-eset-remote-administrator-using-sql-2008-r2-failover-cluster-and-a-named-instance/ ), we are stuck at that point, but if we get past that, then it'll be this certificate stage we'll get stuck at again.

 

I ran through the installer a little further on a test system without the cluster SQL instance, and this suggests we just need a server certificate from our CA and don't need the CA certificate as such. Still the question remains on how to make the server certificate, what Subject Alternative DNS names are required, especially given our intended Cluster install. However, if we don't have a CA cert imported will that mean generating the Agent certificate will be harder (create outside of ESET and import), instead of being able to generate within ESET? If we make a SubCA cert and imported that into ESET will it then be able to generate Server and Agent certs easily in the ERA?

 

Edited by AStevens.SHG

Hi scott72, that thread is referring to the webconsole SSL certificate, which I suspect we will get to at some point and we have a commercial wildcard certificate I plan to use for that, and have some previous experience of keystores and getting that to all work, those instructions will be handy though at that stage.

 

 

At the moment it is specifically an ERA "Server" certificate the installer is asking for, and in our setup we'll have a cluster, so at least two node server names, plus a cluster name, plus the FQDN we'll be using for the cluster; possibly these are all needed in the certificate as subject alternative names?

 

I've tried using IIS or similar to make a request, for some reason it either complains about no template selected or doesn't generate one with the Subject Alternative Names. Normally products allow you to generate a CSR and then we load that into the CA.

 

Additionally, this article shows some later certificate creation and the sign method is either custom pfx file or Certificate Authority, which gives the impression I should generate a Subordinate CA certificate from our CA for the ERA to be a SubCA so it can sign new certs it makes?

Edited by AStevens.SHG

  • 2 months later...

Still looking at this one (as we've got a workaround for the Instance DB, which should hopefully work; I'm still doing this on single test servers).

 

Scratching my head at the Installer option to "Load certificates from file" as opposed to "Generate new certificates", reviewing the ERA console after installation (using the generate option), it appears that you can't actually import a Certificate Authority, other than the Public Key to trust a "previous" server/setup, you can't import the private key and continue using it as before, I assume this is probably a design decision intended to be more "secure".

 

Therefore, if you do import certs at this stage, they're useless except to support previous clients setup with an older server, the new server will still need to make a new CA for new certs (agent/proxy) to deploy to clients.

 

There is an option to sign certs with a "Custom PFX" file, but does that mean every time we have to browse to the PFX file to sign a new Server, Agent, Proxy certificate?

 

Ideally, I just wanted to generate a request from ERA, go to our existing Certificate Authority, process a request using the "Subordinate Certificate Authority" template, and give the generated certificate to the ERA server, and be able to export the Private key from the ERA to keep as a backup and re-apply if necessary (db corruption, rebuild of db for some issue, moving to different SQL server and backing up/restoring of db not possible), I guess currently that's not supported and not possible?

 

A "Settings Export" from ERA console wouldn't go amiss either, yes you take regular backups of the SQL database, and probably best to keep a couple of them at pivotal moments indefinitely (like first setup).

Edited by AStevens.SHG

So I'm trying to use a Custom PFX file to sign a Server Certificate, but it's not working. I've tried an Intermediate Cert PFX, I've tried an Intermediate Cert with the Root CA Cert in a PFX, and I've also tried just a Root CA Cert PFX file; it won't create and sign the Server Certificate.

 

Failed to create certificate: Creating and signing peer certificate failed. Check peer certificate validity, certification authority validity and their overlap.: Trace info: CreatePeerCertificate: Peer certificate validity is not fully covered by certification authority validity
 
Failed to create certificate: Creating and signing peer certificate failed. Check input parameters for invalid or reserved characters, check certification authority pfx/pkcs12 signing certificate and corresponding password.: Trace info: CreatePeerCertificate: CryptAcquireCertificatePrivateKey failed with Cannot find the certificate and private key for decryption. Error code: 0x8009200b

 

CreatePeerCertificate: PFXImportCertStore failed with Access denied. Error code: 0x80090010

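The three errors quoted in the post above map onto things a signing PFX and a peer certificate must satisfy: the PFX has to carry the CA's private key, and the server certificate's validity window has to sit entirely inside the CA's. The following is an added example (not ESET's code) that builds a constructed in-memory CA as a stand-in for an internal sub CA, bundles it as PKCS#12 the way the "Custom PFX" option expects, checks both conditions, and produces a CSR whose SAN lists the cluster FQDN and node names (all hostnames are placeholders). It needs the `cryptography` package.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12


def make_ca(days):
    """Constructed self-signed CA (stand-in for the internal sub CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Sub CA")])
    now = datetime.utcnow()
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def build_ca_pfx(password, days=365):
    """PKCS#12 with the CA certificate AND its private key. A PFX holding only
    the certificate gives 'Cannot find the certificate and private key'."""
    key, cert = make_ca(days)
    pfx = pkcs12.serialize_key_and_certificates(
        b"era-signing-ca", key, cert, None, serialization.BestAvailableEncryption(password))
    return cert, pfx


def pfx_has_private_key(pfx_bytes, password):
    """Load the PFX as a signer would and confirm the key travelled with it."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    return key is not None and cert is not None


def peer_window_fits(ca_cert, peer_days, start=None):
    """The overlap rule behind 'Peer certificate validity is not fully covered':
    the peer's [start, end] must lie inside the CA's validity."""
    start = start or datetime.utcnow()
    end = start + timedelta(days=peer_days)
    return ca_cert.not_valid_before <= start and end <= ca_cert.not_valid_after


def cluster_csr(fqdn, hostnames):
    """CSR with the cluster FQDN as CN and every node/cluster name in the SAN."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    san = x509.SubjectAlternativeName([x509.DNSName(h) for h in dict.fromkeys([fqdn, *hostnames])])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)]))
           .add_extension(san, critical=False).sign(key, hashes.SHA256()))
    return key, csr


def csr_dns_names(csr):
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return san.get_values_for_type(x509.DNSName)
```

Run `peer_window_fits` against the real CA certificate before asking ERA to sign: a one-year CA cannot sign a ten-year server certificate, whatever the PFX contains.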

  • 2 weeks later...

I am also interested in that topic. So far I have not found any information on how to use our own pki certificates within eset. 

I hope you find out a solution, but I guess it is just really really poorly implemented. 

 

A product that doesn't even have a certificate with any information on the clean install of its web console and should be used via https looks totally unfinished. That thing came out long ago, I hope development wasn't abandoned.


  • 4 months later...

Has anyone seen an update to this? Trying to figure out how to use our CA rather than the ESET built in one. 


  • 7 months later...