Replacing the SSL Certificate
The Authentication Server and API utilize an SSL certificate to secure communications from eavesdropping. The installer automatically selects an appropriate certificate installed on the machine or generates a new self-signed certificate if none is found.
This section explains how to replace the certificate with another of your choosing. It helps you to import your new certificate into Windows and then use it for ESA.
Prerequisites
To follow this guide, you will need:
• An installation of the ESA Authentication Server component
• Administrator access to the computer where ESET Secure Authentication On-Prem is installed
• The SSL certificate you want to use in PKCS12 format (.pfx or .p12)
   ◦ The certificate file must contain a copy of the private key as well as the public key
Importing the New Certificate
The new certificate must be placed in the Local Machine\Personal store before use.
1. Launch the Microsoft Management Console (MMC):
   a. Click Start > type "mmc.EXE" and press Enter.
2. Add the Certificates snap-in:
   a. Click File > Add/Remove Snap-in.
   b. Select Certificates from the left-hand column.
   c. Click Add.
   d. Select Computer account.
   e. Click Next.
   f. Select Local computer.
   g. Click Finish.
   h. Click OK.
3. To save the snap-in for future use, click File > Save.
4. Select the Certificates (Local Computer) > Personal node in the tree.
5. Right-click and select All Tasks > Import.
6. Follow the Import Wizard, making sure to place the certificate in the Personal certificate store.
7. Double-click the certificate and verify that the line "You have a private key that corresponds to this certificate" is displayed.
Replacing the ESA Certificate
Note: The Authentication Server does not start without a certificate. The ESACore (Authentication Server) service will not start without a certificate configured. If you remove the certificate, you must add another before the ESACore service will run correctly.
Determine the correct certificate to use
1. Open the MMC Certificates Manager using the steps above.
2. In the Personal folder, double-click the applicable certificate.
3. In the General tab, verify that the message "You have a private key that corresponds to this certificate" is displayed.
4. In the Details tab, select the Thumbprint field.
5. The certificate thumbprint is displayed in the bottom pane (sets of two hex digits separated by spaces).
Windows Server 2008+
1. Click Start > type cmd.EXE.
2. In the list of programs, right-click the cmd.EXE item and select Run as administrator.
3. Type netsh http show sslcert ipport=0.0.0.0:8001 and press Enter.
4. Copy and paste the Certificate Hash field somewhere safe in case you want to re-add the existing certificate later.
5. Type netsh http delete sslcert ipport=0.0.0.0:8001 and press Enter.
6. You should see SSL Certificate successfully deleted.
7. Type netsh http add sslcert ipport=0.0.0.0:8001 appid={BA5393F7-AEB1-4AC6-B759-1D824E61E442} certhash=<THUMBPRINT>, replacing <THUMBPRINT> with the certificate thumbprint with all spaces removed, and press Enter.
8. You should see SSL Certificate successfully added.
9. Restart the ESACore service for the new certificate to take effect.
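The netsh procedure above, carried out as one script with the checks an administrator would want before touching the binding. This is an added example, not an ESET-supplied script; it assumes the service is registered as ESACore and takes the thumbprint copied from the MMC Details tab (spaces are removed for you). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not ESET's own script): rebind the ESA Authentication Server
# listener on 0.0.0.0:8001 (appid taken from the documentation) to a certificate
# selected by thumbprint, after verifying it is usable. Run elevated.
param(
    [Parameter(Mandatory = $true)][string]$NewThumbprint
)

$IpPort = '0.0.0.0:8001'
$AppId  = '{BA5393F7-AEB1-4AC6-B759-1D824E61E442}'

# MMC shows "ab cd ef ...", netsh needs "abcdef..." (40 hex digits, SHA-1).
$Thumb = ($NewThumbprint -replace '\s', '').ToUpperInvariant()
if ($Thumb -notmatch '^[0-9A-F]{40}$') {
    throw "Thumbprint must be 40 hex digits, got '$Thumb'"
}

# The certificate must live in Local Machine\Personal and carry its private key,
# otherwise ESACore cannot use it and will not start.
$Cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumb" -ErrorAction SilentlyContinue
if (-not $Cert)                    { throw "No certificate $Thumb in Cert:\LocalMachine\My" }
if (-not $Cert.HasPrivateKey)      { throw "Certificate $Thumb has no private key" }
if ($Cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumb expired on $($Cert.NotAfter)" }

# Record the current binding's hash so the old certificate can be re-added on rollback.
$Existing = (netsh http show sslcert ipport=$IpPort) -join "`n"
if ($Existing -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
    Write-Host "Previous certificate hash (keep for rollback): $($Matches[1])"
    netsh http delete sslcert ipport=$IpPort | Out-Null
}

# Bind the new certificate to the Authentication Server endpoint.
$Result = netsh http add sslcert ipport=$IpPort appid=$AppId certhash=$Thumb
if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed: $($Result -join ' ')" }

# Confirm the binding, then restart ESACore (assumed service name) so it takes effect.
netsh http show sslcert ipport=$IpPort
Restart-Service -Name ESACore -Force
Get-Service -Name ESACore | Format-List Name, Status
```

If the script throws before the delete step, the existing binding is untouched, so the Authentication Server keeps running on the old certificate.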
Replacing the ESA IdP Connector Certificate
1. On your Windows Server, launch Internet Information Services (IIS) Manager.
2. Navigate to <your_domain> > Sites.
3. Right-click ESA Identity Provider Connector and select Edit Bindings.
4. Double-click https.
5. Select the new certificate from the SSL certificate list.
6. Click OK > Close.
To change the port of the ESA IdP Connector:
1. On your Windows Server, launch Internet Information Services (IIS) Manager.
2. Navigate to <your_domain> > Sites.
3. Right-click ESA Identity Provider Connector and select Edit Bindings.
4. Double-click https.
5. Change the Port value.
6. Click OK > Close.
Note: The IdP Connector certificate's private key is readable only by the Local System account; therefore, reconfiguring the binding in IIS Manager can fail on some systems. If you encounter this problem, you can generate a custom certificate and use it to replace the default one.