What is an Administration Server certificate?

2012 Jan 23 ID: 2564

Applies to Kaspersky Administration Kit 8.0

An Administration Server certificate authenticates the Administration Server when Administration Console, client PCs and slave Servers connect to it over a protected channel.

The protected connection to the Server uses the SSL (Secure Sockets Layer) protocol. By default, the Server uses TCP port 13000 for it.

An administrator may choose not to use a protected channel. To do so, uncheck the box Use SSL connection in the Network Agent policy (for clients) or in the Connection to Administration Server window (by default, these boxes are checked).

An Administration Server certificate is created only once, when you install the Administration Server. It is then distributed to client PCs and to PCs with Administration Console installed (when a connection is established for the first time). When you create a hierarchy of Servers, the certificates of slave Servers are saved on the master Server.

An Administration Server certificate consists of two parts:

  • public part – the klserver.cer file, saved on the Administration Server in the Cert subfolder of the application installation folder (C:\Program Files\Kaspersky Lab\Kaspersky Administration Kit\Cert, by default).

  • private key, saved in the Windows Protected Storage.

Client PCs receive the public part of a certificate. It is saved in the Network Agent installation folder (C:\Program Files\Kaspersky Network Agent, by default).

The Console holds the public part of a certificate in an msc file in the user's profile. If one Console is used to control more than one Administration Server (and they are not organized into a hierarchical structure), then such an msc file will be created for each Server connected via an SSL connection. The msc file also contains information about which Server it corresponds to.

On subsequent connections of a Client or the Console to the Server, the private key of the Server certificate is matched against the public part saved on the Client/Console. If they match, access to the Server is allowed. If they do not match, no connection is established.

In case of a Server malfunction, you might need to reinstall it. You will then need a backup database copy or a certificate copy to restore the logical network operability. If you have a backup copy, it is easy to restore both the network structure (groups, policies, tasks, etc.) and the connection between client PCs and the new Administration Server. If you have only a Server certificate copy and you use it when installing a new Server, only the connection between client PCs and the new Administration Server will be restored (and you will have to create the network structure again).
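The store-on-first-connection and compare-afterwards behaviour described above, and the effect of reinstalling the Server with or without the saved certificate, can be modelled as follows. This is an added example, not Kaspersky code: the PinStore class, the server name and the certificate bytes are hypothetical and constructed, the certificate file is assumed to be X.509 in DER or PEM encoding, and only the public part is compared (proof of the private key is left to the SSL handshake).

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(cert: bytes) -> bytes:
    """Return the DER form of a certificate supplied as DER or PEM."""
    m = PEM_RE.search(cert)
    return base64.b64decode(m.group(1)) if m else cert

def fingerprint(cert: bytes) -> str:
    """SHA-256 over the DER bytes, so the file encoding does not matter."""
    return hashlib.sha256(der_bytes(cert)).hexdigest()

class PinStore:
    """Hypothetical in-memory stand-in for the copy kept per Server."""
    def __init__(self):
        self.pins = {}

    def check(self, server: str, presented: bytes) -> str:
        fp = fingerprint(presented)
        pinned = self.pins.get(server)
        if pinned is None:
            self.pins[server] = fp  # first connection: keep the public part
            return "pinned"
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"

def demo():
    store = PinStore()
    server = "adminserver.example:13000"  # constructed name, default port
    # Constructed placeholder bytes standing in for real certificates.
    original = b"0\x82 constructed certificate from the first install"
    regenerated = b"0\x82 constructed certificate from a clean reinstall"
    restored_pem = (b"-----BEGIN CERTIFICATE-----\n"
                    + base64.encodebytes(original)
                    + b"-----END CERTIFICATE-----\n")
    return [
        store.check(server, original),      # first connection
        store.check(server, original),      # later connection
        store.check(server, regenerated),   # reinstall without the copy
        store.check(server, restored_pem),  # reinstall with the saved copy
    ]

if __name__ == "__main__":
    print(demo())
```

The "mismatch" result corresponds to the refused connection described above, and it is why a reinstalled Server needs the saved certificate for existing clients to reconnect.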

There are two ways to save a certificate copy: during Server installation, and after installation using the klbackup utility.

To save a certificate copy using the klbackup utility:

  1. Run the klbackup utility from the Administration Server installation folder (by default, C:\Program Files\Kaspersky Lab\Kaspersky Administration Kit).

  2. In the new window choose the option Backup Administration Server Data and check the box Restore or backup Administration Server Certificate only.

    Click Next.

  3. Specify a folder to save the certificate to. You can also set a password to protect the certificate (recommended). Click Next. A folder containing the certificate will be created in the specified location.

In the same manner, you can use the klbackup utility to restore only the certificate from a backup copy (if you want to rebuild your network structure). The certificate is restored directly into the Administration Server, not into a separate folder.

