musicalvegan0 Posted August 28, 2015

Hi guys,

All of my Windows clients, including the ERA Server which is hosted on Windows, are reporting 'Peer Certificate Invalid' in the administrator web console and in the client's status.html file. I've been fighting this issue for several weeks now. I've installed the server on both a CentOS host and a Windows host in an attempt to solve the problem, with no luck. Linux clients appear to approve the certificate without a problem even though the same CA and certificates are used for both Linux and Windows.

In Windows, I've tried generating a certificate using my domain's certificate authority; I've tried adding the ERA CA to the certificate trust on my Windows clients; all with no luck.

Here's an excerpt from a client's trace.log:

2015-08-28 17:58:44 Information: CAgentSecurityModule [Thread 1b78]: Checking agent peer certificate expiration in 30 days
2015-08-28 17:58:44 Information: SchedulerModule [Thread 1438]: Received message: RegisterSleepEvent
2015-08-28 17:58:44 Information: CAgentSecurityModule [Thread 1b78]: Agent peer certificate with subject 'CN=Agent at *, OU=OMITTED, O=OMITTED, L=OMITTED, S=OMITTED, C=US' issued by 'CN=ERA Certification Authority, OU=WYSU, O=OMITTED, L=OMITTED, S=OMITTED, C=US' with serial number '014b46df1ff16042c59f754523a2a9e40001' is invalid now

Any help would be much appreciated!
Marcos (Administrator) Posted August 28, 2015

It is not clear whether you have migrated ERAS from Windows to Linux. In that case, you'll need to export both the CA certificate and the ERA Server certificate and import them on the new server.
musicalvegan0 (Author) Posted August 31, 2015

Let me be more clear. This is not a migration problem. This is a brand new installation on my network. That being said, none of my Windows clients will validate their own peer certificate despite these facts:

- The certificate was generated by the ERA console and the ERA CA was installed in the client's certificate store.
- The certificate was generated by a client-trusted certificate authority.

Also, as far as I can tell, adding the certificate to the Windows certificate store should be an unnecessary step anyway, since the installation instructions don't mention anything about installing certificates manually on clients. Installing to the certificate store was my idea in an attempt to deduce a cause for the error message.

So the real question is: why are none of my Windows clients validating the peer certificate? As I said before, Linux does not have a problem validating the VERY SAME certificate that is invalidated by my Windows clients, so clearly it has something to do with how the Windows agent tests the peer certificate.

I've decided to stop the installation of ESET Endpoint Security across my network until I can resolve this mess. Any other ideas?

Edited August 31, 2015 by musicalvegan0
Marcos (Administrator) Posted August 31, 2015

After discussing it with the engineers, there are 2 possible solutions:

1. Wait a few days for ERA 6.2, which will bring an option to import a public key into the ERA CA certificate store. Once imported and replicated to clients, the agent's certificate should be validated fine.

2. Open the mmc console on a client. Add the Certificates snap-in. Select "Computer account" when asked, to rule out that the certificate was added just for a particular user account. After opening the Certificates snap-in, navigate to Trusted Root Certification Authorities -> Certificates and make sure your custom CA certificate is listed there.
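The check in option 2 above, done from PowerShell on a Windows client, as an added example that is not part of this thread and not ESET's own tooling. It reads the agent's trace.log for the "peer certificate ... is invalid now" entries shown in the first post, takes the CN of the issuing CA from them, and looks for that CA in the Root store of the computer account and, separately, of the current user (so a CA imported only into a user's store shows up as the mistake it is). If the CA exported from the ERA console is available as a DER file, it also compares thumbprints and asks Windows to build a chain for it, which reports UntrustedRoot when the CA is not in LocalMachine\Root. The trace.log path and the DER file path are assumptions; adjust both for your installation.

```powershell
# Added example (not from the thread or from ESET). Checks whether the CA that
# issued the agent's rejected peer certificate is in the machine Root store.
param(
    [string]$TraceLog  = 'C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\trace.log',  # assumed path
    [string]$CaDerFile = 'C:\Temp\ERA-CA.der'   # assumed: CA exported from the ERA web console, DER format
)

# Matches the "is invalid now" line format shown in the first post of the thread.
$pattern = "peer certificate with subject '(?<subject>[^']+)' issued by '(?<issuer>[^']+)' with serial number '(?<serial>[0-9A-Fa-f]+)' is invalid now"

# 1. Collect subject, issuer and serial of every certificate the agent rejected.
$rejected = @(Select-String -Path $TraceLog -Pattern $pattern | ForEach-Object {
    $m = $_.Matches[0]
    [pscustomobject]@{
        Subject = $m.Groups['subject'].Value
        Issuer  = $m.Groups['issuer'].Value
        Serial  = $m.Groups['serial'].Value
    }
})
if ($rejected.Count -eq 0) { Write-Host "No 'is invalid now' entries found in $TraceLog"; return }
$rejected | Format-Table -AutoSize

# CN of the issuing CA as logged, e.g. 'ERA Certification Authority'.
$issuerCN = $rejected[0].Issuer -replace '^.*?CN=([^,]+).*$', '$1'

# 2. Look for a CA with that CN in the Root store of the given location.
function Find-RootCA {
    param(
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location,
        [string]$CommonName
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $Location)
    $store.Open('ReadOnly')
    try {
        $store.Certificates | Where-Object {
            $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $CommonName
        }
    } finally { $store.Close() }
}

foreach ($loc in 'LocalMachine', 'CurrentUser') {
    $hits = @(Find-RootCA -Location $loc -CommonName $issuerCN)
    "{0}\Root: {1} certificate(s) with CN '{2}'" -f $loc, $hits.Count, $issuerCN
    $hits | ForEach-Object { "    thumbprint {0}  valid {1:d} to {2:d}" -f $_.Thumbprint, $_.NotBefore, $_.NotAfter }
}

# 3. If the exported CA is at hand, confirm it is the installed one (same thumbprint)
#    and let Windows build a chain for it: a self-signed CA that is not in
#    LocalMachine\Root comes back with chain status UntrustedRoot.
if (Test-Path $CaDerFile) {
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaDerFile)
    $installed = @(Find-RootCA -Location 'LocalMachine' -CommonName $issuerCN | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })
    if ($installed.Count -gt 0) { "Exported CA {0} is installed in LocalMachine\Root" -f $ca.Thumbprint }
    else                        { "Exported CA {0} is NOT in LocalMachine\Root" -f $ca.Thumbprint }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private CA usually publishes no CRL
    $ok = $chain.Build($ca)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })
    if ($status.Count -eq 0) { $status = @('OK') }
    "Chain build for the CA: {0}; status: {1}" -f $ok, ($status -join ', ')
}
```

Run it in an elevated PowerShell on an affected client. A CA that appears only under CurrentUser\Root, or a thumbprint that differs from the exported file, explains a trust failure; a CA present in LocalMachine\Root with a clean chain build means the Windows trust store is not the cause, which is consistent with the later reply in this thread reporting that importing the CA did not resolve the problem.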
musicalvegan0 (Author) Posted September 11, 2015

I can confirm that the above solution DOES NOT work for me. I exported the ERA CA's DER file and followed the steps above. After that didn't work, I even tried pushing out the certificate via Group Policy. This also did not work.