To replace the Administration Server certificate:
From the command line, run the following utility:
klsetsrvcert [-t <type> {-i <inputfile> [-p <password>] [-o <chkopt>] | -g <dnsname>}][-f <time>][-r <calistfile>][-l <logfile>]
You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center distribution kit. It is not compatible with previous Kaspersky Security Center versions.
The description of the klsetsrvcert utility parameters is presented in the table below.
Values of the klsetsrvcert utility parameters
Parameter |
Value |
---|---|
|
Type of certificate to be replaced. Possible values of the
|
|
Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291). Use this parameter if you want to replace the common or common reserve certificate before it expires. Specify the time when managed devices must synchronize with Administration Server on a new certificate. |
|
Container with the certificate and a private key in the PKCS#12 format (file with the .p12 or .pfx extension). |
|
Password used for protection of the p12 container. The certificate and a private key are stored in the container, therefore, the password is required to decrypt the file with the container. |
|
Certificate validation parameters (semicolon separated). To use a custom certificate without signing permission, specify To change encryption key length for certificate types C or CR, specify |
|
A new certificate will be created for the specified DNS name. |
|
Trusted root Certificate Authority list, format PEM. |
|
Results output file. By default, the output is redirected into the standard output stream. |
For example, to specify the custom Administration Server certificate, use the following command:
klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA
After the certificate is replaced, all Network Agents connected to Administration Server through SSL lose their connection. To restore it, use the command-line klmover utility.
To avoid losing the Network Agents connections, use the following commands:
klsetsrvcert -t CR -i <inputfile> -p <password> -o NoCA
klsetsrvcert -f "DD-MM-YYYY hh:mm"
where "DD-MM-YYYY hh:mm
" is the date 3–4 weeks later than the current date. The time shift for changing the certificate to the new one will allow the new certificate to be distributed to all Network Agents.