Managing the SSL certificate of the cluster node

By default, Kaspersky Secure Mail Gateway 2.0 uses a self-signed certificate automatically generated during cluster node deployment as the SSL certificate of the cluster node. When logging in to the program web interface with this certificate, the browser displays an insecure connection warning. For better convenience and security when using the web interface, you can replace the default certificate of the node with a certificate issued by a trusted certification authority.

To replace the SSL certificate of a cluster node, you will need the following files:

• A certificate file in the X.509 format with the PEM extension or a container file with a certificate chain in the X.509 format with the PEM extension
• An RSA private key file with the PEM extension (without a passphrase)

You can prepare the private key file and the certificate on your own, or alternatively you can obtain ready-to-use files from a certification authority.

Steps involved in replacing the SSL certificate of the cluster node and creating the private key and certificate files on your own

1. Creating a private key file and a Certificate Signing Request

   You will receive one of the following files from the certification authority:

   • Signed X.509 certificate file with the CER or CRT extension
   • PKCS#7 certificate chain file with the P7B extension The file includes the website certificate signed at your request as well as certificates of intermediate certificate authorities.
2. Converting obtained files into the PEM encoding

   Depending on the type of the file obtained at the previous step, do one of the following:

   • Convert a certificate from the DER encoding to the PEM encoding.
   • Extract the certificate chain from a PKCS#7 container.
3. Replacing the SSL certificate of a cluster node

Steps involved in replacing the SSL certificate of the cluster node using private key and certificate files provided by a certification authority

1. Obtaining private key and certificate files from the certification authority

   The private key and certificates are provided as a PFX container (PKCS#12 format, PFX or P12 extension).

   If your organization uses the Active Directory Certification Services service as the certification authority, use the Web Server template to create the certificate. Save the result as a certificate chain in the DER encoding.

2. Extracting certificate and private key files from a PFX container
3. Replacing the SSL certificate of a cluster node

In this section Creating an SSL certificate signature request file Converting a certificate from the DER encoding to the PEM encoding Extracting the certificate chain from a PKCS#7 container Extracting certificate and private key files from a PFX container Replacing the SSL certificate of a cluster node

Page top