The Kaspersky Security distribution kit includes certificate_manager
, a tool for managing certificates of the Integration Server and SVMs. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent.
The certificate management tool lets you:
When the Integration Server certificate is replaced, the SVM certificate used to encrypt the communication channel between the Light Agent and the Protection Server is automatically replaced. A new SVM certificate is created based on the Integration Server certificate.
Certificates may need to be replaced in the following cases:
You can replace the Integration Server certificate with a new certificate created using the tool or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the tool's certificate requirements.
The certificate_manager
tool is located in the Integration Server installation folder: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\.
To use the tool, you need administrator rights in the operating system.
To create an Integration Server certificate using the tool:
On the device where the Integration Server is installed, run the following command:
%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe create-self-signed-certs --outputFolder <
path to the folder with the certificate
> [--keySize <
2048 or 4096
>] [--quiet]
where:
<path to folder with certificate> is the path to the folder where the created certificate will be placed. The folder must be located on the device where the Integration Server is installed.
--keySize <
2048 or 4096
>
is the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
--quiet
is an optional parameter. If this parameter is specified, the input console window is closed after the command is executed, otherwise the console window remains open.
It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure folder.
The command causes the tool to create an Integration Server certificate (in PFX format) and place it in the specified folder.
To replace the Integration Server and SVM certificates:
On the device where the Integration Server is installed, run the following command:
% ProgramFiles (x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe replace --certificatePath <
path to certificate
>
where <path to certificate> is the path to the Integration Server certificate (file in PFX format).
As a result of executing the command, the tool performs the following actions:
After replacing the Integration Server and SVM certificates, you need to update all Light Agent policies and SVM policies so that they receive the public key of the new certificate.
Trace files may be created while the certificate management tool is running.
Page top