Custom certificates with ERA

If you have your own PKI (public key infrastructure) within your environment and want ESET Remote Administrator to use your custom certificates for communication between its components, the following steps will guide you through the process of setting it all up.


The example shown below was performed on a Windows Server 2012 R2. In case you are using different version of Windows Server, some screens may slightly vary for you, buy the objective of the procedure remains the same.

Required server roles:

Active Directory Certificate Services (AD CS).

Active Directory Domain Services.

1.Open Management Console and add Certificates Snap-ins:

Log on to the server as a member of the local Administrator group.

Run mmc.exe to open Management Console.

Click File in the top menu and select Add/Remove Snap-in… (or press CTRL+M).

Select Certificates in the left pane and click Add button.


Select Computer Account and click Next.

Make sure Local Computer is selected (default) and click Finish.

Click OK.

2.Create Custom Certificate Request:

Double-click Certificates (Local Computer) to expand it.

Double-click Personal to expand it. Right-click Certificates and select All Tasks > Advanced Operations and choose Create Custom Request...


Certificate Enrollment wizard window will open, click Next.

Select the Proceed without enrollment policy option and click Next to continue.


Choose (No Template) Legacy Key from the drop-down list and make sure that PKCS #10 Request format is selected. Click Next.


Expand Details section by clicking the arrow pointing down, then click Properties button.


In the General tab, type in Friendly name for your certificate, you can also type Description (optional).

In the Subject tab, do the following:

In Subject name section, choose Common Name from the drop-down list under Type and enter era server into the Value field, then click Add button. CN=era server will appear in the information box on the right. If you are creating certificate request for ERA Agent or ERA Proxy, type era agent or era proxy to the value field of Common name.


Common Name must contain one of these strings: "server", "agent" or "proxy", depending on which Certificate Request you want to create.


In Alternative name section, choose DNS from the drop-down list under Type and enter * (asterisk) into the Value field, then click Add button.

In the Extensions tab, expand Key usage section by clicking the arrow pointing down. Add the following from the Available options: Digital signature, Key agreement, Key encipherment. Deselect Make these key usages critical option using the checkbox.


In the Private Key tab, do the following:

Expand Cryptographic Service Provider section by clicking the arrow pointing down. You'll see a list of all cryptographic service providers (CSP). Make sure that only Microsoft RSA SChannel Cryptographic Provider (Encryption) is selected.


Deselect all other CSPs (except the Microsoft RSA SChannel Cryptographic Provider (Encryption) which must be selected).


Expand Key Options section. In the Key size menu, select a value of at least 2048. Select Make private key exportable.

Expand Key Type section, select Exchange option. Click Apply, and check your settings.

Click OK button. Certificate information will be displayed, and click then Next button to continue. Click on Browse button to select the location where the certificate signing request (CSR) will be saved. Type the file name and make sure the Base 64 is selected.


Click Finish button, your CSR now has been generated.

3.Import Custom Certificate Request and Issue Custom Certificate from Pending Requests.

Open Server Manager, click Tools > Certification Authority.

In the Certification Authority (Local) tree, select Your Server (usually FQDN) > Properties > Policy Module tab, click Properties... button. Make sure you have Set the certificate request status to pending. The administrator must explicitly issue the certificate option selected. If not, use the radio button to select this option. Otherwise, it will not work properly. In case you've changed this setting, restart Active Directory certificate services.


In the Certification Authority (Local) tree, select Your Server (usually FQDN) > All Tasks > Submit new request... and navigate to previously generated CSR file in step 2.

Certificate will be added into Pending Requests. Select the CSR in the right navigation pane. In the Action menu, select All Tasks > Issue.


4.Export Issued Custom Certificate to .tmp file.

Click Issued Certificates in the left pane. Right-click the certificate you want to export, click All Tasks > Export Binary Data...

In the Export Binary Data dialog, choose Binary Certificate from the drop-down list and in Export options, click Save binary data to a file and then click OK.


In the Save Binary Data dialog box, move to the file location where you want to save the certificate, and then click Save.

5.Import created .tmp file.

Go to Certificate (Local Computer) > right-click Personal, select All Tasks > Import...

Click Next...

Locate previously saved .tmp binary file using Browse... click Open. Select Place all certificates in the following store > Personal. Click Next.

The certificate will be imported after you click Finish.

6.Export Certificate including private key to .pfx file.

In the Certificates (Local Computer) expand Personal and click Certificates, select created certificate that you want to export, on the Action menu, point to All Tasks > Export...

In the Certificate Export Wizard, click Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)

Under Export File Format, select To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box and then click Next.


Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.


File name, type a file name and path for the .pfx file that will store the exported certificate and private key. Click Next, and then click Finish.

7.Once you have your custom .pfx certificate file created, you can configure ERA components to use it.


The above example shows you how to create ERA Server certificate. Repeat the same steps for ERA Agent and ERA Proxy certificates. ERA Proxy certificate can be used by ERA MDM.

Configure ERA Server to start using custom .pfx certificate.

To get ERA Agent or ERA Proxy, ERA MDM to use custom .pfx certificate, run repair of the appropriate component. Navigate to Start > Program and Features, right-click ESET Remote Administrator Agent and select Change. Click Next button and run Repair. Click Next leaving Server host and Server port as they were. Click Browse button next to Peer certificate and locate custom .pfx certificate file. Type in the certificate's password you've specified in step 6. Click Next and complete the repair. ERA Agent is now using custom .pfx certificate.