Replacing the SSL Certificate

The API utilizes an SSL certificate to secure API communications from eavesdropping. The installer automatically selects an appropriate certificate installed on the machine, or generates a new self-signed certificate if another cannot be found.

This section explains how to replace the certificate with another of your choosing. It will first help you to import your new certificate into Windows, and then use it for ESA.

Prerequisites

In order to follow this guide you will need:

An installation of the ESA Authentication Server component

Administrator access to the computer where ESET Secure Authentication is installed

The SSL certificate you wish to use in PKCS12 format (.pfx or .p12)

o The certificate file needs to contain a copy of the private key as well as the public key

Note

The ESA Authentication API does not have to be enabled in order to replace the certificate.

Importing the New Certificate

The new certificate needs to be placed in the Local Machine\Personal store before it can be used.

1. Launch the Microsoft Management Console (MMC):

a. Start -> Type “mmc.exe” and press the Enter key

2. Add the Certificates snap-in:

a. Click File -> Add/Remove Snap-in

b. Select Certificates from the left-hand column

c. Click the Add button

d. Select Computer account

e. Click Next

f. Select Local computer

g. Click Finish

h. Click OK

3. Optionally save the snap-in for future use (File -> Save).

4. Select the Certificates (Local Computer) -> Personal node in the tree.

5. Right-click -> All tasks -> Import....

6. Follow the Import Wizard, taking care to place the certificate in the Personal certificate store location.

7. Double-click the certificate and make sure the line “You have a private key that corresponds to this certificate” is displayed.

Replacing the ESA Certificate

Note

The ESACore (Authentication Server) service will not start up without a certificate configured. If you remove the certificate, you must add another before the ESACore service will run correctly.

Determine the correct certificate to use

1. Open the MMC Certificates Manager using the steps above.

2. Find the certificate you wish to use in the Personal folder and double-click it.

3. Make sure you see “You have a private key that corresponds to this certificate” on the General tab.

4. On the Details tab, select the Thumbprint field.

5. The certificate thumbprint is displayed in the bottom pane (sets of two hex digits separated by spaces).

Windows Server 2008+

1. Click Start -> Type “cmd.exe”.

2. In the list of programs, right-click the cmd.exe item and select Run as administrator.

3. Type “netsh http show sslcert ipport=0.0.0.0:8001” and press the Enter key.

4. Copy and paste the Certificate Hash field somewhere safe, in case you want to re-add the existing certificate.

5. Type “netsh http delete sslcert ipport=0.0.0.0:8001” and press the Enter key.

6. You should see “SSL Certificate successfully deleted”.

7. Type “netsh http add sslcert ipport=0.0.0.0:8001 appid={BA5393F7-AEB1-4AC6-B759-1D824E61E442} certhash=<THUMBPRINT>”, replacing <THUMBPRINT> with the certificate thumbprint with all spaces removed, and press the Enter key.

8. You should see “SSL Certificate successfully added”.

9. Restart the ESACore service for the new certificate to take effect.
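
The steps above can also be scripted with checks before the binding is touched. The following PowerShell script is an added example, not part of the ESET documentation: it cleans up the thumbprint as copied from MMC, confirms the certificate is in the Local Machine\Personal store with its private key, saves the existing binding, and then runs the same netsh commands. It assumes the Windows service name is ESACore and writes the saved binding to a file in %TEMP% (a location chosen for this example).

```powershell
# Added example: validate the certificate, then rebind 0.0.0.0:8001 with netsh.
# Run from an elevated PowerShell prompt.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint   # as copied from the MMC Details tab; spaces allowed
)

$IpPort = '0.0.0.0:8001'                            # from the guide
$AppId  = '{BA5393F7-AEB1-4AC6-B759-1D824E61E442}'  # from the guide

# Drop spaces and any non-hex characters picked up when copying from MMC.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hash.Length -ne 40) { throw "Expected 40 hex digits, got $($hash.Length)." }

# The certificate must be in Local Machine\Personal with its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
if (-not $cert) { throw "Thumbprint $hash not found in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is not valid now ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Save the current binding (with its Certificate Hash) so it can be re-added.
$current = netsh http show sslcert "ipport=$IpPort"
if ($LASTEXITCODE -eq 0) {
    $backup = Join-Path $env:TEMP ('sslcert-8001-{0:yyyyMMdd-HHmmss}.txt' -f $now)
    $current | Out-File -FilePath $backup -Encoding utf8
    Write-Host "Existing binding saved to $backup"
    netsh http delete sslcert "ipport=$IpPort"
    if ($LASTEXITCODE -ne 0) { throw 'netsh delete failed; binding unchanged.' }
}

netsh http add sslcert "ipport=$IpPort" "appid=$AppId" "certhash=$hash"
if ($LASTEXITCODE -ne 0) { throw 'netsh add failed; re-add the saved hash.' }

# Assumption: the Windows service name is 'ESACore', as the guide calls it.
Restart-Service -Name 'ESACore'
```

The appid argument is quoted because PowerShell would otherwise parse the braces as a script block.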