Kaspersky Security for Virtualization 6.0 Light Agent

Replacing the Integration Server and SVM certificates

January 25, 2024

ID 97888

The Kaspersky Security distribution kit includes certificate_manager, a utility for managing certificates of the Integration Server and SVMs. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent.

The certificate management utility lets you:

  • Create an Integration Server SSL certificate used to establish a secure connection to the Integration Server.
  • Replace the self-signed Integration Server certificate installed during solution deployment.

    When the Integration Server certificate is replaced, the SVM certificate used to encrypt the communication channel between the Light Agent and the Protection Server is automatically replaced. A new SVM certificate is created based on the Integration Server certificate.

Certificates may need to be replaced in the following cases:

  • When upgrading the solution, to replace a previously installed certificate with a more secure one.
  • If the certificate in use has expired or has been compromised.
  • If the IP address or domain name of the device on which the Integration Server is installed has changed.

You can replace the Integration Server certificate with a new certificate created using the utility or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the utility's certificate requirements.

The certificate_manager utility is located in the Integration Server installation folder: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\.

Use of the utility requires administrator rights in the operating system.

To create an Integration Server certificate using the utility:

On the device where the Integration Server is installed, run the following command:

"%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe" create-self-signed-certs --outputFolder <path to certificate folder>

where <path to certificate folder> is the path to the folder where the created certificate will be placed. The folder must be located on the device where the Integration Server is installed.

It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure folder.

The command causes the utility to create an Integration Server certificate (in PFX format) and place it in the specified folder.
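One way to follow the recommendation to keep the certificate in a secure folder, shown as an added PowerShell example that is not part of the original article. The folder path C:\ProgramData\KSV-IS-Certs and the choice to allow only SYSTEM and the local Administrators group are assumptions; adjust them to your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: create an output folder readable only by SYSTEM and local
# Administrators, then have certificate_manager write the PFX into it.

$certFolder = 'C:\ProgramData\KSV-IS-Certs'   # assumed location, not a product default
$utility    = Join-Path ${env:ProgramFiles(x86)} 'Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe'

if (-not (Test-Path -LiteralPath $utility)) {
    throw "certificate_manager.exe not found at $utility"
}

New-Item -ItemType Directory -Path $certFolder -Force | Out-Null

# Start from the folder's current ACL, stop inheriting from the parent,
# and discard every existing entry so only the rules added below remain.
$acl = Get-Acl -LiteralPath $certFolder
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Well-known SIDs: S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators.
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {
    $identity = [System.Security.Principal.SecurityIdentifier]::new($sid)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $identity, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $certFolder -AclObject $acl

# Create the Integration Server certificate in the locked-down folder.
& $utility create-self-signed-certs --outputFolder $certFolder

# Review what was written and who can read it.
Get-ChildItem -LiteralPath $certFolder | Select-Object Name, Length, LastWriteTime
(Get-Acl -LiteralPath $certFolder).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Files created in the folder inherit the same two entries, so the PFX is not readable by standard users.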

To replace the Integration Server and SVM certificates:

On the device where the Integration Server is installed, run the following command:

"%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe" replace --certificatePath <path to certificate>

where <path to certificate> is the path to the Integration Server certificate (file in PFX format).

As a result of executing the command, the utility performs the following actions:

  • Creates an SVM certificate based on the certificate located at the specified path.
  • Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
  • Restarts the Integration Server service.

After replacing the Integration Server and SVM certificates, you need to update all Light Agent policies and SVM policies so that they receive the public key of the new certificate.

Trace files may be created while the certificate management utility is running.
