Replacing the Administration Server certificate by using the klsetsrvcert utility

To replace the Administration Server certificate:

From the command line, run the following utility:

klsetsrvcert [-t <type> {-i <inputfile> [-p <password>] [-o <chkopt>] | -g <dnsname>}][-f <time>][-r <calistfile>][-l <logfile>]

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center Linux distribution kit. It is not compatible with previous Kaspersky Security Center Linux versions.

The description of the klsetsrvcert utility parameters is presented in the table below.

Values of the klsetsrvcert utility parameters

Parameter

Value

-t <type>

Type of certificate to be replaced. Possible values of the <type> parameter:

  • C—Replace the common certificate for ports 13000 and 13291.
  • CR—Replace the common reserve certificate for ports 13000 and 13291.

-f <time>

Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).

Use this parameter if you want to replace the common or common reserve certificate before it expires.

Specify the time when managed devices must synchronize with Administration Server on a new certificate.

-i <inputfile>

Container with the certificate and a private key in the PKCS#12 format (file with the .p12 or .pfx extension).

-p <password>

Password used for protection of the p12 container.

The certificate and a private key are stored in the container, therefore, the password is required to decrypt the file with the container.

-o <chkopt>

Certificate validation parameters (semicolon separated).

To use a custom certificate without signing permission, specify -o NoCA in the klsetsrvcert utility. This is useful for certificates issued by a public CA.

To change encryption key length for certificate types C or CR, specify -o RsaKeyLen:<key length> in the klsetsrvcert utility, where <key length> parameter is the required key length value. Otherwise, the current certificate key length is used.

-g <dnsname>

A new certificate will be created for the specified DNS name.

-r <calistfile>

Trusted root Certificate Authority list, format PEM.

-l <logfile>

Results output file. By default, the output is redirected into the standard output stream.

For example, to specify the custom Administration Server certificate, use the following command:

klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA

After the certificate is replaced, all Network Agents connected to Administration Server through SSL lose their connection. To restore it, use the command-line klmover utility.

To avoid losing the Network Agents connections, use the following commands:

  1. To install the new certificate,

    klsetsrvcert -t CR -i <inputfile> -p <password> -o NoCA

  2. To specify the date when the new certificate will be applied,

    klsetsrvcert -f "DD-MM-YYYY hh:mm"

where "DD-MM-YYYY hh:mm" is the date 3–4 weeks later than the current date. The time shift for changing the certificate to the new one will allow the new certificate to be distributed to all Network Agents.

See also:

Scenario: Specifying the custom Administration Server certificate

Page top