Replacing the SSL Certificate

The Authentication Server and API utilize an SSL certificate to secure communications from eavesdropping. The installer automatically selects an appropriate certificate installed on the machine or generates a new self-signed certificate if none is found.

This section explains how to replace the certificate with another of your choosing. It helps you to import your new certificate into Windows and then use it for ESA.

Prerequisites

To follow this guide, you will need:

An installation of the ESA Authentication Server component

Administrator access to the computer where ESET Secure Authentication is installed

The SSL certificate you wish to use in PKCS12 format (.pfx or .p12)

The certificate file must contain a copy of the private key as well as the public key

Importing the New Certificate

The new certificate must be placed in the Local Machine\Personal store before use.

1. Launch the Microsoft Management Console (MMC):

a. Click Start > type “mmc.EXE” and press Enter.

2. Add the Certificates snap-in:

a. Click File > Add/Remove Snap-in.

b. Select Certificates from the left-hand column.

c. Click Add.

d. Select Computer account.

e. Click Next.

f. Select Local computer.

g. Click Finish.

h. Click OK.

3. To save the snap-in for future use, click File > Save.

4. Select the Certificates (Local Computer) > Personal node in the tree.

5. Right-click and select All tasks > Import.

6. Follow the Import Wizard, making sure to place the certificate in the Personal certificate store location.

7. Double-click the certificate and verify that the line You have a private key that corresponds to this certificate is displayed.
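The import and private-key check above can also be scripted. The following PowerShell is an added example, not part of the ESA documentation; it assumes the PKI module is available (Import-PfxCertificate ships with Windows Server 2012 / Windows 8 and later), and the PFX path is a placeholder you supply.

```powershell
# Added example (not from the ESA documentation): import a PKCS12 file into
# Local Machine\Personal and confirm the private key was imported with it.
# Assumptions: $PfxPath is a placeholder; Import-PfxCertificate needs the PKI
# module (Windows Server 2012 / Windows 8 or later).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$PfxPath   # e.g. C:\certs\esa.pfx (placeholder)
)

$password = Read-Host -Prompt "PFX password" -AsSecureString

# Import into the Local Machine\Personal store (Cert:\LocalMachine\My).
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $password

# Scripted equivalent of checking for
# "You have a private key that corresponds to this certificate" in MMC.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key; ESA cannot use it."
}

# Warn if the certificate is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

Write-Output "Imported: $($cert.Subject)"
# .Thumbprint is already the 40 hex characters without spaces that netsh expects.
Write-Output "Thumbprint: $($cert.Thumbprint)"
```

Run it from an elevated PowerShell prompt; the thumbprint it prints is the value needed when binding the certificate with netsh in the next section.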

Replacing the ESA Certificate

Note: The Authentication Server does not start without a certificate

The ESACore (Authentication Server) service will not start without a certificate configured. If you remove the certificate, you must add another before the ESACore service will run correctly.

Determine the correct certificate to use

1. Open the MMC Certificates Manager using the steps above.

2. In the Personal folder, double-click the applicable certificate.

3. In the General tab, verify that the You have a private key that corresponds to this certificate message is displayed.

4. In the Details tab, select the Thumbprint field.

5. The certificate thumbprint is displayed in the bottom pane (sets of two hex digits separated by spaces).

Windows Server 2008+

1. Click Start > type cmd.EXE.

2. In the list of programs, right-click the cmd.EXE item and select Run as administrator.

3. Type netsh http show sslcert ipport=0.0.0.0:8001 and press Enter.

4. Copy and paste the Certificate Hash field somewhere safe in case you want to re-add the existing certificate later.

5. Type netsh http delete sslcert ipport=0.0.0.0:8001 and press Enter.

6. You should see SSL Certificate successfully deleted.

7. Type netsh http add sslcert ipport=0.0.0.0:8001 appid={BA5393F7-AEB1-4AC6-B759-1D824E61E442} certhash=<THUMBPRINT>, replacing <THUMBPRINT> with the certificate thumbprint with all spaces removed, and press Enter.

8. You should see SSL Certificate successfully added.

9. Restart the ESACore service for the new certificate to take effect.
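The certificate selection (Determine the correct certificate to use) and the netsh rebinding steps above can be combined into one script. The PowerShell below is an added example, not part of the ESA documentation; the port 0.0.0.0:8001 and the appid are taken from the steps above, the thumbprint is a placeholder you pass in, and the script assumes it is run from an elevated prompt on the Authentication Server host.

```powershell
# Added example (not from the ESA documentation): rebind the ESA Authentication
# Server HTTPS endpoint to a certificate chosen by thumbprint, using the same
# netsh commands as the manual steps. Assumptions: ipport and appid come from
# the documentation; $Thumbprint is a placeholder supplied by the operator.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$Thumbprint,   # may contain spaces as copied from MMC
    [string]$IpPort  = '0.0.0.0:8001',
    [string]$AppId   = '{BA5393F7-AEB1-4AC6-B759-1D824E61E442}',
    [string]$Service = 'ESACore'
)

# MMC shows the thumbprint as space-separated hex pairs; netsh wants 40 hex characters.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($hash.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters after removing spaces, got $($hash.Length)."
}

# The certificate must be in Local Machine\Personal and carry its private key,
# otherwise ESACore will not start after the rebinding.
$cert = Get-ChildItem "Cert:\LocalMachine\My\$hash" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $hash has no private key; ESACore will not start with it."
}

# Record the currently bound certificate hash so it can be re-added if needed.
$current = netsh http show sslcert "ipport=$IpPort"
$match = $current | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]+)'
if ($match) {
    $oldHash = $match.Matches[0].Groups[1].Value
    Write-Output "Previous certificate hash for $IpPort (keep this to roll back): $oldHash"

    # Remove the existing binding; netsh reports success on stdout.
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed (exit code $LASTEXITCODE)." }
} else {
    Write-Output "No existing SSL binding on $IpPort; adding a new one."
}

# Bind the chosen certificate. Arguments are quoted so PowerShell does not
# interpret the braces in the appid as a script block.
netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$AppId" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)." }

# Restart the Authentication Server so it picks up the new certificate.
Restart-Service -Name $Service
Write-Output "Bound $($cert.Subject) ($hash) to $IpPort and restarted $Service."
```

The script records the previous Certificate Hash before deleting the binding, mirroring step 4, so that rolling back is a matter of re-running it with the old thumbprint.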

Replacing the ESA IdP Connector Certificate

1. On your Windows Server, launch Internet Information Services (IIS) Manager.

2. Navigate to <your_domain> > Sites.

3. Right-click and select ESA Identity Provider Connector > Edit Bindings.

4. Double-click https.

5. Select the new certificate from SSL certificate.

6. Click OK > Close.