Managing the SSL certificate of the cluster node
July 3, 2024
ID 234112
By default, Kaspersky Secure Mail Gateway 2.0 MR1 uses a self-signed certificate automatically generated during cluster node deployment as the SSL certificate of the cluster node. When you log in to the application web interface with this certificate in place, the browser displays an insecure connection warning. For convenience and improved security when using the web interface, you can replace the default certificate of the node with a certificate issued by a trusted certification authority.
To replace the SSL certificate of a cluster node, you will need the following files:
- A certificate file in the X.509 format with the PEM extension or a container file with a certificate chain in the X.509 format with the PEM extension
- An RSA private key file with the PEM extension (without a passphrase)
You can prepare the private key file and the certificate on your own, or alternatively you can obtain ready-to-use files from a certification authority.
Steps involved in replacing the SSL certificate of the cluster node and creating the private key and certificate files on your own
- Creating a private key file and a Certificate Signing Request
You will receive one of the following files from the certification authority:
- Signed X.509 certificate file with the CER or CRT extension
- PKCS#7 certificate chain file with the P7B extension. The file includes the website certificate signed at your request as well as certificates of intermediate certificate authorities.
- Converting obtained files into the PEM encoding
Depending on the type of the file obtained at the previous step, do one of the following:
- Replacing the SSL certificate of a cluster node
Steps involved in replacing the SSL certificate of the cluster node using private key and certificate files provided by a certification authority
- Obtaining private key and certificate files from the certification authority
The private key and certificates are provided as a PFX container (PKCS#12 format, PFX or P12 extension).
If your organization uses the Active Directory Certification Services service as the certification authority, use the Web Server template to create the certificate. Save the result as a certificate chain in the DER encoding.
- Extracting certificate and private key files from a PFX container
- Replacing the SSL certificate of a cluster node
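Whichever of the two procedures above produced the files, the pair can be checked against the stated requirements (X.509 certificate in PEM, RSA private key in PEM without a passphrase) before it is uploaded. The script below is an added example, not part of the Kaspersky documentation; it assumes the openssl command-line tool, and the function names, host name, password and sample files are constructed for illustration. It also checks that the certificate matches the key, a check this page does not list.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate/key pair before upload.
# check_pair CERT_OR_CHAIN.pem KEY.pem -> returns 0 only if the pair is usable.
check_pair() {
    cert=$1; key=$2
    # The key must not be passphrase-protected (both PEM encryption styles).
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "key is passphrase-protected" >&2; return 1
    fi
    # The key must parse as RSA; "-passin pass:" prevents an interactive prompt.
    openssl rsa -in "$key" -passin pass: -noout 2>/dev/null || {
        echo "not a readable RSA key in PEM" >&2; return 1; }
    # The first certificate in the file (the leaf of a chain) must be X.509 PEM.
    openssl x509 -in "$cert" -inform PEM -noout 2>/dev/null || {
        echo "not an X.509 certificate in PEM" >&2; return 1; }
    # Added check: the certificate must carry the public half of this key.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$cert_mod" = "$key_mod" ] || {
        echo "certificate does not match the key" >&2; return 1; }
}

# Constructed sample files in directory $1 (hypothetical host name and password).
make_sample() {
    d=$1
    # A self-signed certificate stands in for one issued by a certification authority.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=node.example" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    # An unrelated key and a passphrase-protected copy; both must be rejected.
    openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
    openssl rsa -in "$d/key.pem" -aes256 -passout pass:constructed \
        -out "$d/enc.pem" 2>/dev/null
    # A PFX container as a CA might deliver it, then the two extracted PEM files.
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout pass:constructed -out "$d/node.pfx"
    openssl pkcs12 -in "$d/node.pfx" -passin pass:constructed -nokeys \
        -out "$d/pfx_cert.pem" 2>/dev/null
    openssl pkcs12 -in "$d/node.pfx" -passin pass:constructed -nocerts -nodes \
        -out "$d/pfx_key.pem" 2>/dev/null
}

# Demonstration on the constructed files: the first two keys pass, the last two fail.
tmp=$(mktemp -d) && make_sample "$tmp"
for k in key.pem pfx_key.pem other.pem enc.pem; do
    if check_pair "$tmp/cert.pem" "$tmp/$k" 2>/dev/null; then echo "$k: ok"; else echo "$k: rejected"; fi
done
rm -rf "$tmp"
```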