Windows Clients and Servers Give 'peer certificate invalid'

Hi guys,

 

All of my Windows clients, including the ERA Server which is hosted on Windows, are reporting 'Peer Certificate Invalid' in the administrator webconsole and in the client's status.html file.

 

I've been fighting this issue for several weeks now. I've installed the server on both a CentOS host and Windows host in an attempt to solve the problem with no luck. Linux clients appear to approve the certificate without a problem even though the same CA and certificates are used for both Linux and Windows.

 

In Windows, I've tried generating a certificate using my domain's certificate authority; I've tried adding the ERA CA to the certificate trust on my Windows clients; all with no luck.

 

Here's an excerpt from a client's trace.log:

 

2015-08-28 17:58:44 Information: CAgentSecurityModule [Thread 1b78]: Checking agent peer certificate expiration in 30 days
2015-08-28 17:58:44 Information: SchedulerModule [Thread 1438]: Received message: RegisterSleepEvent
2015-08-28 17:58:44 Information: CAgentSecurityModule [Thread 1b78]: Agent peer certificate with subject 'CN=Agent at *, OU=OMITTED, O=OMITTED, L=OMITTED, S=OMITTED, C=US' issued by 'CN=ERA Certification Authority, OU=WYSU, O=OMITTED, L=OMITTED, S=OMITTED, C=US' with serial number '014b46df1ff16042c59f754523a2a9e40001' is invalid now
 
Any help would be much appreciated!

  • Administrators

It is not clear whether you have migrated ERAS from Windows to Linux. In such case, you'll need to export both the CA certificate and ERA Server certificate and import them on the new server.


Let me be more clear. This is not a migration problem. This is a brand new installation on my network. That being said, none of my Windows clients will validate their own peer certificate despite these facts:

  • The certificate was generated by the ERA console and the ERA CA was installed in the client's certificate store
  • The certificate was generated by a client-trusted certificate authority

Also, as far as I can tell, adding the certificate to the Windows certificate store should be an unnecessary step anyway, since the installation instructions don't mention anything about installing certificates manually on clients. Installing to the certificate store was my idea, in an attempt to deduce a cause for the error message.

 

So the real question is why are none of my Windows clients validating the peer certificate? As I said before, Linux does not have a problem validating the VERY SAME certificate that is invalidated by my Windows clients, so clearly it has something to do with how the Windows agent tests the peer certificate.

 

I've decided to stop the installation of ESET Endpoint Security across my network until I can resolve this mess.

 

Any other ideas?

Edited by musicalvegan0

  • Administrators

After discussing it with the engineers, there are 2 possible solutions:

1. Wait a few days for ERA 6.2, which will bring an option to import a public key to the ERA CA certificate store. Once imported and replicated to clients, the agent's certificate should be validated fine.

2. Open the mmc console on a client. Add the snap-in Certificates. Select "Computer account" when asked, to rule out that it was added just for a particular user account:

[attached screenshot: post-10-0-58922500-1441030507_thumb.png]

After opening the Certificates snap-in, navigate to Trusted Root Certification Authorities -> Certificates and make sure your custom CA certificate is listed there.

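The snap-in check described in step 2 can be scripted, which also shows which of the Windows chain checks is the one rejecting the agent certificate. The PowerShell below is an added diagnostic, not code from this thread or from ESET; it assumes the ERA CA was exported as a DER file (as the original poster did) and that the agent's peer certificate was saved as a .cer file, with both paths being placeholders.

```powershell
# Added diagnostic (not ESET's code). Both paths below are placeholders for files
# exported from the ERA web console.
param(
    [string]$CaPath    = 'C:\Temp\era-ca.der',      # ERA CA, DER encoded
    [string]$AgentPath = 'C:\Temp\agent-peer.cer'   # agent peer certificate, public part
)

$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)
$agent = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($AgentPath)
Write-Host "CA    : $($ca.Subject)  thumbprint $($ca.Thumbprint)"
Write-Host "Agent : $($agent.Subject)  issued by $($agent.Issuer)"

# 1. Which root store holds the CA? The snap-in's "Computer account" choice corresponds to
#    LocalMachine here. The agent runs as a service, so a CA imported only into the store of
#    the user who ran the import (CurrentUser) is invisible to it.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $found = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    Write-Host ('{0,-26} {1}' -f $store, $(if ($found) { 'present' } else { 'MISSING' }))
}

# 2. Ask the Windows chain engine to validate the agent certificate against the machine
#    stores. Revocation checking is disabled because a private ERA CA publishes no CRL, and
#    an unreachable CRL would otherwise mask the real trust result.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationTime = Get-Date
$ok = $chain.Build($agent)
Write-Host "Chain builds: $ok"
foreach ($s in $chain.ChainStatus) {
    # Typical flags: UntrustedRoot (CA not in LocalMachine\Root), PartialChain (issuer not
    # found at all), NotTimeValid (clock skew or expiry), NotSignatureValid (wrong CA file).
    Write-Host ('  {0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
}
foreach ($el in $chain.ChainElements) { Write-Host "  -> $($el.Certificate.Subject)" }
```

A chain that builds here while the agent still reports the peer certificate invalid points at the agent's own validation rather than Windows trust, which is the case ESET's ERA 6.2 key-import option in step 1 is meant to cover.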

  • 2 weeks later...

I can confirm that the above solution DOES NOT work for me. I exported the ERA CA's DER file and followed the steps above. After that didn't work, I even tried pushing out the certificate via Group Policy. This also did not work.
