Scenario: Specifying the custom Administration Server certificate

You can assign a custom Administration Server certificate, for example, for better integration with the existing public key infrastructure (PKI) of your enterprise or for custom configuration of the certificate fields. It is useful to replace the certificate immediately after installation of Administration Server and before the Quick Start Wizard finishes.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

Prerequisites

The new certificate must be created in the PKCS#12 format (for example, by means of the organization's PKI) and must be issued by a trusted certification authority (CA). Also, the new certificate must include the entire chain of trust and a private key, which must be stored in a file with the pfx or p12 extension. For the new certificate, the requirements listed in the table below must be met.

Requirements for the Administration Server certificates

Certificate type

Requirements

Common certificate, common reserve certificate ("C", "CR")

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

    Path Length Constraint value may be an integer different from "None," but not less than 1.

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (EKU): server authentication and client authentication. The EKU is optional, but if your certificate contains it, the server and client authentication data must be specified in the EKU.

Mobile certificate, mobile reserve certificate ("M", "MR")

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

    Path Length Constraint value may be an integer different from "None" if the common certificate has a Path Length Constraint value not less than 1.

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (EKU): server authentication. The EKU is optional, but if your certificate contains it, the server authentication data must be specified in the EKU.

Certificate CA for auto-generated user certificates ("MCA")

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

    Path Length Constraint value may be an integer different from "None" if the Common certificate has a Path Length Constraint value not less than 1.

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (EKU): client authentication. The EKU is optional, but if your certificate contains it, the client authentication data must be specified in the EKU.

Certificates issued by a public CA do not have the certificate signing permission. To use such certificates, make sure that you have installed Network Agent version 13 or later on distribution points or connection gateways in your network. Otherwise, you will not be able to use certificates without the signing permission.
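A pre-flight check of a candidate certificate against the requirements above can catch problems before the certificate is replaced. The following is an added example, not Kaspersky code: the function names check_requirements and load_fields are hypothetical, "Key encryption" is assumed to mean the X.509 keyEncipherment bit, and only the end-entity certificate in the PKCS#12 file is inspected, not the chain.

```python
from datetime import timedelta

SERVER_AUTH, CLIENT_AUTH = "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"  # EKU OIDs
# EKU purposes that must be listed *if* the optional EKU extension is present.
REQUIRED_EKU = {"C": {SERVER_AUTH, CLIENT_AUTH}, "CR": {SERVER_AUTH, CLIENT_AUTH},
                "M": {SERVER_AUTH}, "MR": {SERVER_AUTH}, "MCA": {CLIENT_AUTH}}
# Assumption: the table's "Key encryption" is X.509 keyEncipherment.
REQUIRED_KU = ("digital_signature", "key_cert_sign", "key_encipherment", "crl_sign")

def check_requirements(cert_type, f):
    """Return the list of violated requirements (empty list = compliant)."""
    problems = []
    if f["key_bits"] < 2048:
        problems.append("key shorter than 2048 bits")
    if f["validity"] > timedelta(days=397):
        problems.append("validity period longer than 397 days")
    if not f["ca"]:
        problems.append("Basic constraints: CA is not true")
    # Only the C/CR rule is checked; for M/MR/MCA it depends on the common certificate.
    if cert_type in ("C", "CR") and f["path_length"] is not None and f["path_length"] < 1:
        problems.append("Path Length Constraint is less than 1")
    problems += [f"Key Usage lacks {u}" for u in REQUIRED_KU if u not in f["key_usage"]]
    if f["eku"] is not None and not REQUIRED_EKU[cert_type] <= f["eku"]:
        problems.append("EKU is present but lacks a required purpose")
    return problems

def load_fields(pfx_path, password):
    """Read the checked fields from a PKCS#12 file (needs 'cryptography' >= 42).
    Raises x509.ExtensionNotFound if Basic Constraints or Key Usage is absent."""
    from cryptography import x509
    from cryptography.hazmat.primitives.serialization import pkcs12
    with open(pfx_path, "rb") as fh:
        _key, cert, _chain = pkcs12.load_key_and_certificates(fh.read(), password)
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    try:
        eku_ext = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
        eku = {oid.dotted_string for oid in eku_ext.value}
    except x509.ExtensionNotFound:
        eku = None  # EKU is optional
    return {"key_bits": cert.public_key().key_size,
            "validity": cert.not_valid_after_utc - cert.not_valid_before_utc,
            "ca": bc.ca, "path_length": bc.path_length,
            "key_usage": {u for u in REQUIRED_KU if getattr(ku, u)}, "eku": eku}

if __name__ == "__main__":
    # Constructed sample: 1024-bit key, 2-year validity, no certificate signing.
    sample = {"key_bits": 1024, "validity": timedelta(days=730), "ca": True,
              "path_length": None, "eku": {SERVER_AUTH},
              "key_usage": {"digital_signature", "key_encipherment", "crl_sign"}}
    print(check_requirements("C", sample))
```

A certificate issued by a public CA is reported as lacking key_cert_sign; per the note above, such a certificate is usable only with Network Agent version 13 or later on distribution points and connection gateways.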

Stages

Specifying the Administration Server certificate proceeds in stages:

  1. Replacing the Administration Server certificate

    Use the command-line klsetsrvcert utility for this purpose.

  2. Specifying a new certificate and restoring connection of Network Agents to the Administration Server

    When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error." To specify the new certificate and restore the connection, use the command-line klmover utility.

  3. Specifying a new certificate in the settings of Kaspersky Security Center Web Console

    After you replace the certificate, specify it in the settings of Kaspersky Security Center Web Console. Otherwise, Kaspersky Security Center Web Console will not be able to connect to the Administration Server.

Results

When you finish the scenario, the Administration Server certificate is replaced and the server is authenticated by Network Agents on the managed devices.
