Replacing the Administration Server certificate by using the klsetsrvcert utility

To replace the Administration Server certificate:

From the command line, run the following utility:

klsetsrvcert [-t <certificate type> {-i <path to new certificate> [-p <password>] [-o <validation parameters>] | -g <dns name>}][-f <replacement time>][-r <root certificates>][-l <log file path>]

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center Linux distribution kit. It is not compatible with previous Kaspersky Security Center Linux versions.

The description of the klsetsrvcert utility parameters is presented in the table below.

Values of the klsetsrvcert utility parameters

Parameter

Value

-t <certificate type>

Type of certificate to be replaced. Possible values of the <certificate type> parameter:

  • C—Replace the common certificate for ports 13000 and 13291.
  • CR—Replace the common reserve certificate for ports 13000 and 13291.

-f <replacement time>

Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).

Use this parameter if you want to replace the common certificate with the common reserve certificate before the common certificate expires.

Specify the time when managed devices must synchronize with Administration Server using the new certificate.

-i <path to new certificate>

Container with the certificate and a private key in the PKCS#12 format (file with the .p12 or .pfx extension).

-p <password>

Password that protects the p12 container.

The certificate and a private key are stored in the container; therefore, the password is required to decrypt the container file.

-o <validation parameters>

Certificate validation parameters (semicolon separated).

To use a custom certificate without signing permission, specify -o NoCA in the klsetsrvcert utility. This is useful for certificates issued by a public CA.

To change the encryption key length for certificate types C or CR, specify -o RsaKeyLen:<key length> in the klsetsrvcert utility, where <key length> is the required key length value. Otherwise, the current certificate key length is used.

-g <dns name>

A new certificate will be created for the specified DNS name.

-r <root certificates>

List of trusted root Certificate Authorities, in PEM format.

-l <log file path>

Results output file. By default, the output is redirected into the standard output stream.

For example, to specify the custom Administration Server certificate, use the following command:

klsetsrvcert -t C -i <path to new certificate> -p <password> -o NoCA

After the certificate is replaced, all Network Agents connected to Administration Server through SSL lose their connection. To restore it, use the command-line klmover utility.

To avoid losing the Network Agent connections, use the following commands:

  1. To install the new certificate:

    klsetsrvcert -t CR -i <path to new certificate> -p <password> -o NoCA

  2. To specify the date when the new certificate will be applied:

    klsetsrvcert -f "DD-MM-YYYY hh:mm"

where "DD-MM-YYYY hh:mm" is a date 3–4 weeks later than the current date. Delaying the switch to the new certificate allows the new certificate to be distributed to all Network Agents.
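
The two-step procedure above as a dry-run planning script. This is an added example, not part of the Kaspersky documentation; it assumes GNU date and openssl on the Administration Server host, and the function names and the P12_PASS environment variable are hypothetical.

```sh
#!/bin/sh
# Added example (not vendor code). Assumes GNU date and openssl are installed;
# all function names here are hypothetical.

# Print a -f value ("DD-MM-YYYY hh:mm") N days after a base time.
# $1 = days ahead, $2 = base time understood by GNU date (default: now).
# Adds N*24h to the epoch, so wall-clock time can move 1h across a DST change.
switch_time() {
    base=$(date -d "${2:-now}" +%s) || return 1
    date -d "@$((base + $1 * 86400))" '+%d-%m-%Y %H:%M'
}

# Succeed only if $1 matches the "DD-MM-YYYY hh:mm" format that -f expects.
valid_switch_time() {
    printf '%s\n' "$1" | grep -Eq \
      '^(0[1-9]|[12][0-9]|3[01])-(0[1-9]|1[0-2])-[0-9]{4} ([01][0-9]|2[0-3]):[0-5][0-9]$'
}

# Succeed if the certificate in PKCS#12 file $1 is still valid $2 days from now.
# The container password is read from the P12_PASS environment variable so it
# does not appear in the openssl argument list.
cert_outlives_switch() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1
}

# Print (do not run) the two commands of the reserve-certificate procedure.
# $1 = path to container, $2 = days until the switch (21-28, i.e. 3-4 weeks),
# $3 = base time (optional). <password> is left as a placeholder on purpose.
plan_rollover() {
    case $2 in ''|*[!0-9]*) echo "offset must be a number of days" >&2; return 1;; esac
    if [ "$2" -lt 21 ] || [ "$2" -gt 28 ]; then
        echo "switch offset must be 21-28 days" >&2; return 1
    fi
    when=$(switch_time "$2" "$3") && valid_switch_time "$when" || return 1
    printf 'klsetsrvcert -t CR -i %s -p <password> -o NoCA\n' "$1"
    printf 'klsetsrvcert -f "%s"\n' "$when"
}
```

Run cert_outlives_switch against the container with the same day offset before issuing the printed commands, so that a certificate that expires before the scheduled switch is caught first.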

See also:

Scenario: Specifying the custom Administration Server certificate
