Using certificates for public Kaspersky Next XDR Expert services

May 15, 2024

ID 270710

For working with public Kaspersky Next XDR Expert services, you can use self-signed or custom certificates. By default, Kaspersky Next XDR Expert uses self-signed certificates.

Certificates are required for the following Kaspersky Next XDR Expert public services:

  • console.<smp_domain>—Access to the OSMP Console functionality.
  • admsrv.<smp_domain>—Access to the Administration Server functionality.
  • api.<smp_domain>—Access to the Kaspersky Next XDR Expert API functionality.

The list of addresses of public Kaspersky Next XDR Expert services, for which self-signed or custom certificates are defined during the deployment, is specified in the pki_fqdn_list installation parameter.

A custom certificate must be specified as a file in the PEM format that contains the complete certificate chain (or only one certificate) and an unencrypted private key.

You can specify the intermediate certificate from your organization's public key infrastructure (PKI). Custom certificates for public Kaspersky Next XDR Expert services are issued from this custom intermediate certificate. Alternatively, you can specify leaf certificates for each of the public services. If leaf certificates are specified for only some of the public services, self-signed certificates are issued for the remaining public services.

For the console.<smp_domain> and api.<smp_domain> public services, you can specify custom certificates only before the deployment in the configuration file. Specify the intermediate_bundle and intermediate_enabled installation parameters to use the custom intermediate certificate.

If you want to use the leaf custom certificates to work with the public Kaspersky Next XDR Expert services, specify the corresponding console_bundle, admsrv_bundle, and api_bundle installation parameters. Set the intermediate_enabled parameter to false and do not specify the intermediate_bundle parameter.

For the admsrv.<smp_domain> service, you can replace the issued Administration Server self-signed certificate with a custom certificate by using the klsetsrvcert utility.

Automatic rotation of certificates is not supported. Keep track of the certificate validity period, and update the certificate when it expires.

To update custom certificates:

  1. On the administrator host, export the current version of the configuration file.
  2. In the exported configuration file, specify the path to a new custom intermediate certificate in the intermediate_bundle installation parameter. If you use the leaf custom certificates for each of the public services, specify the console_bundle, admsrv_bundle, and api_bundle installation parameters.
  3. Run the following command and specify the path to the modified configuration file:

    ./kdt apply -i <path_to_configuration_file>

Custom certificates are updated.
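
A pre-flight check for a bundle file before its path is set in intermediate_bundle, console_bundle, admsrv_bundle, or api_bundle, covering the PEM requirement (certificate chain plus unencrypted private key) and the manual rotation described above. This is an added example, not Kaspersky code: the check_bundle function name, its return codes, and the 30-day default window are assumptions, and it relies on the openssl command-line tool being installed.

```shell
#!/bin/sh
# Added example, not vendor code: pre-flight check for a PEM bundle.
# Usage: check_bundle FILE [DAYS]  (DAYS is an assumed warning window)
check_bundle() {
    bundle=$1
    secs=$(( ${2:-30} * 86400 ))
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }

    # The bundle needs at least one certificate...
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" ||
        { echo "no certificate in bundle" >&2; return 2; }
    # ...and a private key that is NOT passphrase-protected. Both the
    # PKCS#8 and the legacy "Proc-Type" encrypted forms are rejected.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e 'Proc-Type: 4,ENCRYPTED' "$bundle"; then
        echo "private key is encrypted" >&2; return 3
    fi
    grep -q -E -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$bundle" ||
        { echo "no private key in bundle" >&2; return 4; }

    # The key must belong to the first certificate in the file.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) ||
        { echo "first certificate does not parse" >&2; return 5; }
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) ||
        { echo "private key does not parse" >&2; return 5; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match first certificate" >&2; return 6; }

    # Rotation is manual, so check every certificate in the chain for expiry.
    work=$(mktemp -d) || return 1
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/ { on = 0 }' "$bundle"
    rc=0
    for c in "$work"/*.pem; do
        openssl x509 -in "$c" -noout -checkend "$secs" >/dev/null 2>&1 || rc=7
    done
    rm -rf "$work"
    [ "$rc" -eq 0 ] || echo "a certificate expires within the window" >&2
    return "$rc"
}
```

Source the file and call check_bundle with the bundle path and a window in days before running ./kdt apply; a return code of 0 means every check passed.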
