You can integrate certificate issuance with a Microsoft Certification Authority (CA) through Public Key Infrastructure (PKI). The integration is primarily intended to simplify the issuance of domain user certificates by Administration Server: once it is configured, certificates are issued automatically.
You can configure the PKI integration with specific settings and assign PKI as the source of certificates for particular certificate types. The PKI integration settings in the Issuance rules let you set an individual default template for each certificate type.
The specifics of using PKI integration to issue certificates:
Certificate issuance is performed through Network Agent for Windows, which provides the link between Administration Server and Microsoft CA. Because Network Agent can be installed on many devices, you specify the device that will connect to Microsoft CA in the Issuance rules. This device must have an Enrollment Agent (EA) certificate installed in the personal certificate store of the account under which the integration with PKI is performed. The certificate is issued by the administrator of the domain's CA. Note that an Enrollment Agent certificate allows its holder to request certificates on behalf of other users, so the account that holds it and the host that stores it must be protected accordingly.
The account under which the integration with PKI is performed must be a domain user account and must have the Log on as a service right.
Kaspersky Security Center can work with only one PKI (Microsoft CA) integration at a time.
Configuring integration with PKI through Network Agent for Windows
Linux-based domain workstations do not support native integration with PKI. To enable integration between Administration Server and Microsoft CA, you therefore need to configure an intermediate Windows host with Network Agent installed that will forward domain requests to the CA.
To configure Microsoft Active Directory and CA for PKI integration:
Create a domain account under which the integration with PKI will be performed. This account will be used for transmitting requests to Microsoft CA to issue certificates.
Run secpol.msc.
In the window that opens, go to Local Policies → User Rights Assignment, open the Log on as a service policy, and add the domain account to grant it the Log on as a service right.
Grant the domain account permission to work with the CA:
On the server that hosts the CA, open the certsrv.msc CA snap-in.
Right-click the CA, and then select Properties.
On the Security tab, click Add, and then specify the previously created domain account.
Grant the domain account the Issue and Manage Certificates permission. This is the Certificate Manager role on the CA, so use a dedicated account for the integration rather than a shared or personal one.
Apply the changes.
Add the Enrollment Agent certificate template to the list of certificates to be issued:
In the CA snap-in, right-click Certificate Templates, and then select New → Certificate Template to Issue.
Select the Enrollment Agent template, and then click OK.
Make sure the domain account has access to the certificate template:
In the certsrv.msc snap-in, right-click Certificate Templates, and then select Manage.
In the Certificate Templates Console that opens, open the properties of the Enrollment Agent template, and then select the Security tab.
Check that the domain account has the Read and Enroll permissions.
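The following PowerShell script is an added example; it is not part of the Kaspersky documentation or product. It checks the CA-side results of the steps above: that the Enrollment Agent template is published on the CA and that the integration account holds direct Read and Enroll entries on the template object in Active Directory. Run it in an elevated session on the server that hosts the CA. The account name CORP\svc-kscpki is an assumed placeholder. The script reads direct ACEs only, so permissions granted through group membership are not resolved, and it does not check the Issue and Manage Certificates permission on the CA itself.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kaspersky code. Runs on the Windows server that hosts the CA.
Import-Module ADCSAdministration   # installed with the AD CS role
Import-Module ActiveDirectory      # RSAT: Active Directory PowerShell module

$IntegrationAccount = 'CORP\svc-kscpki'   # assumed name of the domain account
$TemplateName       = 'EnrollmentAgent'   # internal name of the "Enrollment Agent" template
$EnrollRightGuid    = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right

# 1. The template must be published on this CA ("Certificate Template to Issue").
$published = Get-CATemplate | Where-Object { $_.Name -eq $TemplateName }
if (-not $published) {
    Write-Warning "Template '$TemplateName' is not published on this CA; publishing it."
    Add-CATemplate -Name $TemplateName -Force
    $published = Get-CATemplate | Where-Object { $_.Name -eq $TemplateName }
}

# 2. The account needs Read and Enroll on the template object in the Configuration partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$aces = (Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $IntegrationAccount }

# "Read" on the Security tab maps to GenericRead; "Enroll" is the ExtendedRight with the GUID above
# (an ExtendedRight ACE with an empty ObjectType grants all extended rights, Enroll included).
$hasRead   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericRead|GenericAll' })
$hasEnroll = [bool]($aces | Where-Object {
    ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
        ($_.ObjectType -eq $EnrollRightGuid -or $_.ObjectType -eq [guid]::Empty)) -or
    $_.ActiveDirectoryRights -match 'GenericAll'
})

[pscustomobject]@{
    Account           = $IntegrationAccount
    TemplatePublished = [bool]$published
    HasRead           = $hasRead
    HasEnroll         = $hasEnroll
}

if (-not ($hasRead -and $hasEnroll)) {
    Write-Warning "Direct Read/Enroll ACEs for $IntegrationAccount not found on $templateDN; grant them on the template's Security tab (rights inherited through groups are not resolved here)."
}
```

If the account receives its rights through a group, the warning is expected; in that case confirm the group's ACEs in the Certificate Templates Console instead.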
To configure PKI integration using an intermediate Windows host with Network Agent installed:
Prepare a server that will act as an intermediary between Kaspersky Security Center Linux and CA.
It must be a Windows server in the same domain as the CA.
Grant the previously created domain account permission to log on to the intermediate Windows server.
Log on to the server under the domain account to create a permanent user profile and install the Enrollment Agent certificate:
Log on to the Windows host where Network Agent will be deployed under the domain account.
Run certmgr.msc as an administrator. The console must run under the domain account, because the certificate has to be stored in that account's personal store, not in the store of another administrator.
Right-click Personal, and then select All Tasks → Request New Certificate... to start the Certificate Enrollment wizard.
Follow the steps of the wizard with the default settings.
At the Request Certificates step, select the Enrollment Agent certificate type, and then click Enroll.
After the enrollment status is set to "Succeeded", click Finish.
If errors occur, wait for Group Policy to be applied on the host, or check that the user rights in the Permissions for Domain Controllers settings are configured correctly.
Grant the domain account the Log on as a service right on the Windows host:
Run secpol.msc.
In the window that opens, go to Local Policies → User Rights Assignment, open the Log on as a service policy, and add the domain account.
Install Network Agent for Windows. For detailed information on the installation, refer to the Kaspersky Security Center Help.
Install Network Agent with the default values, except for the Administration Server address. Make sure that port 13000 (the port on which Administration Server accepts connections from Network Agent) is open on the host where Kaspersky Security Center is installed.
Make sure that the connection with the Windows host is established (in Kaspersky Security Center Web Console, go to Discovery & deployment → Unassigned devices).
Wait up to 15 minutes for the first scheduled synchronization between Network Agent and Kaspersky Security Center to complete.
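The following PowerShell script is an added example, not part of the Kaspersky documentation or product. It verifies the intermediate host after the steps above: that the integration account holds the Log on as a service right, that a valid Enrollment Agent certificate with a private key is in the current user's personal store, that TCP port 13000 on Administration Server is reachable, and that the Network Agent service is present. Run it in an elevated session while logged on as the integration account, because the certificate lookup targets the current user's store. The account name CORP\svc-kscpki and the server address ksc.corp.example are assumed placeholders, and klnagent is the Network Agent service name as it is known to the author of this example; adjust it if your installation differs.

```powershell
#Requires -RunAsAdministrator
# Added example, not Kaspersky code. Run on the intermediate Windows host, elevated,
# in a session that runs AS the integration account.
$IntegrationAccount = 'CORP\svc-kscpki'         # assumed domain account
$AdminServer        = 'ksc.corp.example'        # assumed Administration Server address
$EaEkuOid           = '1.3.6.1.4.1.311.20.2.1'  # Certificate Request Agent (Enrollment Agent) EKU

function Test-ServiceLogonRight {
    param([string]$Account)
    # User rights assignments have no cmdlet; secedit exports them as lists of *SID entries.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP ('ur_{0}.inf' -f [guid]::NewGuid())
    try {
        secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
        $line = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
        # Direct assignment only; membership of a group that holds the right is not resolved.
        return [bool]($line -and $line -match [regex]::Escape("*$sid"))
    } finally {
        Remove-Item $inf -Force -ErrorAction SilentlyContinue
    }
}

function Get-EnrollmentAgentCert {
    # A usable EA certificate: in the current user's personal store, unexpired, with a
    # private key, and carrying the Certificate Request Agent EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EaEkuOid })
    }
}

$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($currentUser -ne $IntegrationAccount) {
    Write-Warning "Running as $currentUser, not $IntegrationAccount; the store check below looks at the wrong profile."
}

$eaCert = Get-EnrollmentAgentCert | Sort-Object NotAfter -Descending | Select-Object -First 1
$tcp    = Test-NetConnection -ComputerName $AdminServer -Port 13000 -WarningAction SilentlyContinue
$agent  = Get-Service -Name klnagent -ErrorAction SilentlyContinue   # Network Agent service

$certSummary  = if ($eaCert) { "$($eaCert.Thumbprint) (expires $($eaCert.NotAfter.ToShortDateString()))" } else { 'MISSING' }
$agentSummary = if ($agent) { $agent.Status } else { 'not installed' }

[pscustomobject]@{
    RunningAs           = $currentUser
    LogonAsServiceRight = Test-ServiceLogonRight -Account $IntegrationAccount
    EnrollmentAgentCert = $certSummary
    Port13000Reachable  = $tcp.TcpTestSucceeded
    NetworkAgentService = $agentSummary
}
```

A successful TCP test only shows that the port is open; the device appearing under Discovery & deployment → Unassigned devices in Web Console is the confirmation that Network Agent has actually connected and synchronized.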