For working with public Kaspersky Next XDR Expert services, you can use self-signed or custom certificates. By default, Kaspersky Next XDR Expert uses self-signed certificates.
Certificates are required for the following Kaspersky Next XDR Expert public services:
The list of FQDNs of public Kaspersky Next XDR Expert services, for which self-signed or custom certificates are defined during the deployment, is specified in the pki_fqdn_list installation parameter.
A custom certificate must be specified as a file in the PEM format that contains the complete certificate chain (or only one certificate) and an unencrypted private key.
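A pre-deployment check of the PEM requirement above, as an added example that is not part of the Kaspersky documentation or tooling. It checks bundle structure only (block types, base64, key encryption); it does not parse X.509, verify that the key matches the certificate, or check expiry. The names check_bundle and make_pem and the sample bundles are constructed for illustration.

```python
import base64
import re

# PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def check_bundle(pem_text):
    """Return a list of problems; an empty list means the structure is acceptable."""
    problems, certs, keys = [], 0, 0
    for label, body in PEM_BLOCK.findall(pem_text):
        # PKCS#8 uses a dedicated label for encrypted keys; legacy OpenSSL
        # keys keep the plain label and add a Proc-Type header instead.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        if label == "CERTIFICATE":
            certs += 1
        elif label in KEY_LABELS or encrypted:
            keys += 1
            if encrypted:
                problems.append("private key is encrypted")
                continue  # body holds headers or ciphertext, skip base64 check
        else:
            problems.append(f"unexpected PEM block: {label}")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    if certs == 0:
        problems.append("no certificate found")
    if keys != 1:  # assumption: one bundle carries exactly one private key
        problems.append(f"expected exactly one private key, found {keys}")
    return problems

def make_pem(label, payload, headers=""):
    """Build a constructed PEM block; the payload is placeholder bytes, not real DER."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

# Constructed sample bundles (not real certificates or keys).
GOOD_BUNDLE = (make_pem("CERTIFICATE", b"leaf")
               + make_pem("CERTIFICATE", b"intermediate")
               + make_pem("PRIVATE KEY", b"key"))
ENCRYPTED_KEY_BUNDLE = make_pem("CERTIFICATE", b"leaf") + make_pem(
    "RSA PRIVATE KEY", b"key", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    print(check_bundle(GOOD_BUNDLE), check_bundle(ENCRYPTED_KEY_BUNDLE))
```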
You can specify the intermediate certificate from your organization's public key infrastructure (PKI). Custom certificates for public Kaspersky Next XDR Expert services are issued from this custom intermediate certificate. Alternatively, you can specify leaf certificates for each of the public services. If leaf certificates are specified for only some of the public services, self-signed certificates are issued for the other public services.
For the console.<smp_domain> and api.<smp_domain> public services, you can specify custom certificates only before the deployment in the configuration file. Specify the intermediate_bundle and intermediate_enabled installation parameters to use the custom intermediate certificate. 
If you want to use custom leaf certificates to work with the public Kaspersky Next XDR Expert services, specify the corresponding console_bundle, admsrv_bundle, and api_bundle installation parameters. Set the intermediate_enabled parameter to false and do not specify the intermediate_bundle parameter.
For the admsrv.<smp_domain> service, you can replace the issued Administration Server self-signed certificate with a custom certificate by using the klsetsrvcert utility.
Automatic rotation of certificates is not supported. Keep track of the certificate's validity period, and update the certificate when it expires.
To update custom certificates:
intermediate_bundle installation parameter. If you use custom leaf certificates for each of the public services, specify the console_bundle, admsrv_bundle, and api_bundle installation parameters.
./kdt apply -i <path_to_configuration_file>
Custom certificates are updated.