Integration with Public Key Infrastructure (hereinafter referred to as PKI) is primarily intended for simplifying the issuance of domain user certificates by Administration Server. Following integration, certificates are issued automatically.
The minimum supported PKI server version is Windows Server 2008.
The administrator can assign a domain certificate for a user in Administration Console. This can be done by using one of the following methods:
Assign the user a special (customized) certificate from a file in the Certificate installation wizard.
Perform integration with PKI and assign PKI to act as the source of certificates for a specific type of certificates or for all types of certificates.
General principle of integration with PKI for issuance of domain user certificates
Please note the following:
The settings of integration with PKI provide you the possibility to specify the default template for all types of certificates. Note that the rules for issuance of certificates (available in the workspace of the Mobile Device Management / Certificates folder by clicking the Configure certificate issuance rules button) allow you to specify an individual template for every type of certificates.
A special Enrollment Agent (EA) certificate must be installed on the device with Administration Server, in the certificates repository of the account under which integration with PKI is performed. The Enrollment Agent (EA) certificate is issued by the administrator of the domain's CA (Certificate Authority).
The account under which integration with PKI is performed must meet the following criteria:
It is a domain user.
It is a local administrator of the device with Administration Server from which integration with PKI is initiated.
It has the right to Log On As Service.
The device with Administration Server installed must be run at least once under this account to create a permanent user profile.
To create a permanent user profile, log on at least once under the configured user account on the device with Administration Server installed. In this user's certificate repository on the Administration Server device, install the Enrollment Agent certificate provided by domain administrators.
Configuring integration with PKI
To configure integration with the public keys infrastructure:
In the console tree, expand the Mobile Device Management folder and select the Certificates subfolder.
In the workspace, click the Certificate type button to open the Integration with PKI section of the Certificate issuance rules window.
The Integration with PKI section of the Certificate issuance rules window opens.
Select the Integrate issuance of certificates with PKI check box.
In the Account field, specify the name of the user account to be used for integration with the public key infrastructure.
In the Password field, enter the domain password for the account.
In the Certificate template name in PKI system list, select the certificate template that will be used for the issuance of certificates to domain users.
A dedicated service is run in Kaspersky Endpoint Security under the specified user account. This service is responsible for issuing users' domain certificates. The service is run when the list of certificate templates is loaded by clicking the Refresh list button or when a certificate is generated.
When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.
Click OK to save the settings.
Following integration, certificates are issued automatically.