Specifying the Administration Server certificate

If necessary, you can assign a custom certificate to Administration Server by using the klsetsrvcert command-line utility.

When the certificate is replaced, all Network Agents that were previously connected to Administration Server over SSL lose their connection and report "Administration Server authentication error". To specify the new certificate and restore the connection, use the klmover utility.

To specify the new certificate and restore the connection:

From the command line, run the following command:

klmover [-address <server address>] [-pn <port number>] [-ps <SSL port number>] [-nossl] [-cert <path to certificate file>]

The Administration Server certificate is often embedded in Network Agent installation packages when they are created. If this is the case, replacing the Administration Server certificate with the klsetsrvcert utility does not replace the certificate embedded in existing Network Agent packages.

It is best to replace the certificate immediately after Administration Server is installed, before the Quick Start Wizard finishes.

If you specify a validity period longer than 397 days for the Administration Server certificate, the web browser returns an error.

In some cases, certificate replacement is required.

The certificate passed to the utility must include the entire chain of trust and must meet the requirements listed in the table below.

Certificates issued by a public certification authority (CA) do not have the certificate signing permission, which is mandatory for the Administration Server certificate, and therefore cannot be used.

Requirements for Administration Server certificates

Certificate type: Common certificate, Common reserve certificate ("C", "CR")

Requirements:

  Minimum key length: 2048.

  Basic constraints:
  • CA: true
  • Path Length Constraint: None

  Key Usage:
  • Digital signature
  • Certificate signing
  • Key encipherment
  • CRL Signing

  Extended Key Usage (optional): server authentication, client authentication.

Comments:

  The Extended Key Usage parameter is optional.

  The Path Length Constraint value may be an integer other than "None", but not less than 1.

Certificate type: Mobile certificate, Mobile reserve certificate ("M", "MR")

Requirements:

  Minimum key length: 2048.

  Basic constraints:
  • CA: true
  • Path Length Constraint: None

  Key Usage:
  • Digital signature
  • Certificate signing
  • Key encipherment
  • CRL Signing

  Extended Key Usage (optional): server authentication.

Comments:

  The Extended Key Usage parameter is optional.

  The Path Length Constraint value may be an integer other than "None" if the Common certificate has a Path Length Constraint value not less than 1.

Certificate type: CA certificate for auto-generated user certificates ("MCA")

Requirements:

  Minimum key length: 2048.

  Basic constraints:
  • CA: true
  • Path Length Constraint: None

  Key Usage:
  • Digital signature
  • Certificate signing
  • Key encipherment
  • CRL Signing

  Extended Key Usage (optional): server authentication, client authentication.

Comments:

  The Extended Key Usage parameter is optional.

  The Path Length Constraint value may be an integer other than "None" if the Common certificate has a Path Length Constraint value not less than 1.

To replace the certificate, create a new one (for example, by means of the organization's PKI) in PKCS#12 format and pass it to the klsetsrvcert utility (see the table below for the values of the utility parameters).

Utility command-line syntax:

klsetsrvcert [--stp <instid>][-t <type> {-i <inputfile> [-p <password>] [-o <chkopt>] | -g <dnsname>}][-f <time>][-r <calistfile>][-l <logfile>]

Values of the klsetsrvcert utility parameters

--stp <instid>
  Instance identifier.

-t <type>
  Type of certificate to be replaced. Possible values of the <type> parameter:
  • C—Replace the certificate for ports 13000 and 13291
  • CR—Replace the reserve certificate for ports 13000 and 13291
  • M—Replace the certificate for mobile devices on port 13292
  • MR—Replace the mobile reserve certificate for port 13292
  • MCA—Mobile client CA for auto-generated user certificates

-f <time>
  Scheduled time at which the certificate is changed, in the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).

-i <inputfile>
  Container with the certificate in PKCS#12 format (file with the .p12 or .pfx extension).

-p <password>
  Password protecting the PKCS#12 container with the certificate.

-o <chkopt>
  Certificate validation parameters (semicolon-separated).

-g <dnsname>
  Create a new certificate for the specified DNS name.

-r <calistfile>
  List of trusted root certification authorities, in PEM format.

-l <logfile>
  File to which results are written. By default, results are written to the standard output stream.
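The following shell script is an added example, not part of the product documentation: it uses openssl to issue a certificate that meets the requirements table above (2048-bit key, CA: true, the four required Key Usage bits, the optional Extended Key Usage, a validity of at most 397 days), packages it into a PKCS#12 container of the kind expected by -i <inputfile> and -p <password>, and checks any PEM certificate against the same requirements before it is handed to klsetsrvcert. The DNS name, file paths and password are placeholders chosen for the example; nothing here is product code.

```shell
#!/bin/sh
# Added example (not part of the product documentation): build a PKCS#12
# container that satisfies the requirements table and check a certificate
# against those requirements with openssl. The DNS name, paths and password
# are placeholders chosen for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Issue a 2048-bit RSA self-signed CA certificate for the Administration Server
# with the Basic Constraints / Key Usage the table requires plus the optional
# Extended Key Usage, then package key + certificate into a PKCS#12 file.
# Arguments: DNS name, validity in days (397 = the browser limit), container password.
make_admin_server_cert() {
    dns="$1"; days="${2:-397}"; pass="${3:-changeit}"
    cat > "$WORK/ksc.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ksc
prompt = no
[dn]
CN = $dns
[ksc]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, keyEncipherment, cRLSign
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$dns
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -config "$WORK/ksc.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
    # When the certificate is signed by an organisation CA instead, add
    # "-certfile chain.pem" so the container carries the whole chain of trust.
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -out "$WORK/server.p12" -passout pass:"$pass"
    echo "$WORK/server.p12"
}

# Number of certificates inside a PKCS#12 container (1 for a self-signed
# certificate; more when intermediates were bundled with -certfile).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:"$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Check a PEM certificate against the requirements table. Prints one token per
# failed requirement and nothing when the certificate passes.
check_admin_server_cert() {
    txt=$(openssl x509 -in "$1" -noout -text)
    fails=""
    # Minimum key length: 2048
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || fails="$fails key<2048;"
    # Basic constraints: CA:TRUE, path length absent ("None") or not less than 1
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || fails="$fails not-CA;"
    plen=$(printf '%s\n' "$txt" | sed -n 's/.*pathlen:\([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$plen" ] && [ "$plen" -lt 1 ]; then fails="$fails pathlen<1;"; fi
    # Key Usage: all four bits must be present
    ku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for need in 'Digital Signature' 'Certificate Sign' 'Key Encipherment' 'CRL Sign'; do
        case "$ku" in *"$need"*) ;; *) fails="$fails missing:$need;" ;; esac
    done
    # Validity: a certificate still valid 398 days from now outlives the 397-day
    # limit (-checkend exits 0 when the certificate does NOT expire within that time)
    if openssl x509 -in "$1" -noout -checkend $((398 * 86400)) >/dev/null 2>&1; then
        fails="$fails validity>397d;"
    fi
    printf '%s' "$fails"
}
```

The container produced by make_admin_server_cert is the file you would pass as -i <inputfile> together with -p <password>, for example klsetsrvcert -t C -i server.p12 -p <password>. Running check_admin_server_cert on a certificate obtained from the organization's PKI before calling the utility catches the common rejections early: a key shorter than 2048 bits, a leaf (non-CA) certificate such as those issued by public CAs, a path length of 0, a missing Certificate signing or CRL Signing bit, or a validity period beyond the 397-day browser limit.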
