"Peer certificate is expiring soon" error in ESET Remote Administrator (6.x)

https://support.eset.com/kb6021

Issue

  • “Peer certificate is expiring soon” or “Peer certificate is invalid” message in ERA Web Console
  • Endpoints stop checking in to ESET Remote Administrator

Figure 1-1

Solution

See the following article if you do not know how to create a new peer certificate or Certification Authority:

 

Permissions changes in ESET Remote Administrator 6.5 and later

Before proceeding, please note important changes to user access rights and permissions in the latest versions of ESET Remote Administrator.

 

 

A user must have the following permissions for the group that contains the modified object:

Functionality Read Use Write
Certificates

Once these permissions are in place, follow the steps below.

NOTE:

Peer certificates and Certification Authority created during the installation are by default contained in the static group All.

Scenario 1: Agent Certificate is expiring soon

Agents are connecting to ERA Server. Make sure that Agent certificate will not expire sooner than its expiration date.

  1. Create a new Agent peer certificate.
     
  2. Create and apply a new ESET Remote Administrator Agent policy and distribute the newly created Agent peer certificate.

Do not delete the old certificate until the new certificate is applied on all Agents.

Scenario 2: Agent Certificate is invalid (expired)

If Agents cannot connect to ERA Server, redeploy the ERA Agent on all machines that use the expired Agent certificate.

  1. Create a new Agent peer certificate:
    • After successfully creating the Agent certificate, it will be available in the Certificates list (Admin → Certificates → Peer Certificates) to use when installing the Agent.
       
  2. Redeploy the Agent with the new Agent peer certificate.

Scenario 3: Server Certificate is expiring soon

If the Certification Authority is expired too, proceed with Scenario 5 instead of this scenario.

  1. Create a new Server certificate (select Server from the Product drop-down menu).
     
  2. Select your new ERA Server certificate.

Scenario 4: Server Certificate is invalid (expired)

Agents cannot connect to ERA Server because the Server certificate is expired. After setting up a new Server certificate, Agents with a valid certificate will be able to connect to ERA Server.

If the Certification Authority is expired too, proceed with Scenario 6 instead of this scenario.

  1. Create a new Server certificate (select Server from the Product drop-down menu).
     
  2. Select your new ERA Server certificate.

Scenario 5: Certification Authority is expiring soon

Agents are connecting to ERA Server; however, after creating a new certification authority (CA), all certificates you use must be replaced: Server, Agent, MDM, Proxy, Virtual Agent Host.

  1. Create a new CA and be sure to use a new Common Name different from the expired CA.
     
  2. Create a new Server certificate (select Server from the Product drop-down menu) and sign it with the newly created CA.
     
  3. Create new certificates for other product components as needed (Agent, MDM, Proxy, Virtual Agent Host).
     
  4. Create and apply a new ESET Remote Administrator Agent policy and distribute the newly created Agent peer certificate.
     
  5. Apply other peer certificates using policies.
     
  6. Wait for replication of the new certificate and certification authority to all Agents.
     
  7. Wait for replication of the new certificate and certification authority to all other product components (if used).
     
  8. Select your new ERA Server certificate.

Do not delete the expiring CA until new certificates are applied on all components.

Scenario 6: Certification Authority is invalid (expired)

Agents cannot connect to ERA Server. Create a new certification authority (CA). All certificates you use must be replaced: Server, Agent, MDM, Proxy, Virtual Agent Host.

  1. Create a new CA and be sure to use a new Common Name different from the expired CA.

  2. Create a new Server certificate (select Server from the Product drop-down menu) and sign it with the newly created CA.

  3. Create new certificates for other product components as needed (Agent, MDM, Proxy, Virtual Agent Host).

  4. Redeploy the Agent with the new Agent peer certificate.

  5. If you use other ERA components, such as ERA Proxy, repair the ERA Proxy installation and use the newly created certificate.

  6. Select your new ERA Server certificate.

 


Troubleshooting logs

When a client computer does not appear to be connecting to your ERA Server, we recommend that you perform ERA Agent troubleshooting locally on the client machine. See the following ESET Online Help topic for more information.

 

 

 
