How to install a custom certificate for the Integration Server in Kaspersky Security for Virtualization 6.x Agentless
When you install the Integration Server, the application generates a local self-signed certificate which is used by the server when establishing SSL connections.
To replace this certificate, complete the steps below:
Step 1. Install the new certificate into the system
You can install the certificate in one of the following ways:
- Run the following command to import the certificate into the certificate store of the local computer:
certutil -importpfx [pfx file] -p [password]
Example:
certutil -importpfx -p "" cert.p12
- Import the certificate using the MMC console.
The certificate must be installed in the certificate store of the local computer. It will remain in the system if you remove the Integration Server.
Step 2. Unbind the old Integration Server certificate from the port
How to view the parameters of the certificate binding
Before removing the old certificate, you can view the parameters of its binding to Integration Server and save them. The parameters include IP:port, Certificate Hash and Application ID. They can be used to restore initial settings. To view the parameters, run the following command:
netsh http show sslcert
Example of the command execution:
SSL Certificate bindings:
-------------------------
IP:port : 10.20.30.40:8078
Certificate Hash : 7b0ef176aa839536686e8484aad0a44058519662
Application ID : {e3aa9184-8518-4486-879a-2c41fd88dba3}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
IP:port : 0.0.0.0:8070
Certificate Hash : debd6c3c6180397e2c0f56ff27408a259ec59454
Application ID : {5ca18ed0-cbe9-418c-aede-f63f0324113c}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
How to remove the certificate binding to Integration Server
Run the command:
netsh http delete sslcert ipport=[ipport]
Example:
netsh http delete sslcert ipport=0.0.0.0:8070
Step 3. Bind the new certificate to the network port
To bind the new certificate to the Integration Server port, run the following command:
netsh http add sslcert ipport=[ipport] certhash=[certificate hash] appid={c1e1e87f-1818-4ac3-897b-a8e10f790659}
Where the parameters represent:
- certhash — certificate fingerprint
- ipport — IP address and port
To perform binding on all network adapters, use 0.0.0.0 for the IP address parameter. The port number must match the one specified during the installation of the Integration Server.
Example:
netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={c1e1e87f-1818-4ac3-897b-a8e10f790659}
The certificate must contain a private key.
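A pre-flight check for Steps 2 and 3, added here as an example and not part of Kaspersky's documentation: it saves the current bindings, confirms that the new certificate is in the local computer's My store with a private key, and returns the delete and add commands for review without running them. The function name and the backup file path are hypothetical, and English-language netsh output is assumed.

```powershell
# Added example (not vendor code). Run from an elevated PowerShell session.
function Test-IntegrationServerCertSwap {
    param(
        [Parameter(Mandatory)] [string] $IpPort,       # e.g. 0.0.0.0:8070, the port chosen at installation
        [Parameter(Mandatory)] [string] $Thumbprint,   # fingerprint of the certificate imported in Step 1
        [string] $BackupFile = '.\sslcert-before.txt'  # hypothetical backup location
    )

    # Step 2: keep the full binding list so IP:port, Certificate Hash
    # and Application ID can be restored later.
    $raw = netsh http show sslcert
    $raw | Set-Content -Path $BackupFile

    # Map each "IP:port" entry to its "Certificate Hash" (English output assumed).
    $bindings = @{}
    $current = $null
    foreach ($line in $raw) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            $current = $Matches[1]
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $bindings[$current] = $Matches[1].ToUpper()
        }
    }
    if (-not $bindings.ContainsKey($IpPort)) {
        throw "No existing binding for $IpPort; check the port before deleting anything."
    }

    # Step 3 precondition: the certificate must be in LocalMachine\My with a private key.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()  # drop spaces and stray pasted characters
    if ($tp.Length -ne 40) { throw "Thumbprint must be 40 hex characters, got $($tp.Length)." }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) { throw "Certificate $tp is not in the local computer's My store." }
    if (-not $cert.HasPrivateKey) { throw "Certificate $tp has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $tp expired on $($cert.NotAfter)." }

    # Return the commands for review; nothing is changed by this function.
    [pscustomobject]@{
        OldHash = $bindings[$IpPort]
        Delete  = "netsh http delete sslcert ipport=$IpPort"
        Add     = "netsh http add sslcert ipport=$IpPort certhash=$tp appid={c1e1e87f-1818-4ac3-897b-a8e10f790659}"
    }
}
```

The returned commands are plain strings intended for a Command Prompt window; if you run the add command directly in PowerShell, put the appid value in quotes so the braces are not parsed as a script block.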
Step 4. Restart the Integration Server
To restart the Integration Server:
- Open the service administration console. To do so, go to Control Panel → Administrative Tools → Services.
- Select Kaspersky Security for Virtualization Integration Server.
- Open the shortcut menu and select Restart.
The Integration Server will restart with the new certificate installed.