Replacing the Integration Server and SVM certificates
July 3, 2024
ID 97888
The Kaspersky Security distribution kit includes certificate_manager, a tool for managing certificates of the Integration Server and SVMs. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent.
The certificate management tool lets you:
- Create an Integration Server SSL certificate used to establish a secure connection to the Integration Server.
- Replace the self-signed Integration Server certificate installed during solution deployment.
When the Integration Server certificate is replaced, the SVM certificate used to encrypt the communication channel between the Light Agent and the Protection Server is automatically replaced. A new SVM certificate is created based on the Integration Server certificate.
Certificates may need to be replaced in the following cases:
- When upgrading the solution in order to replace a previously installed certificate with a more secure one.
- If the used certificate has expired or has been compromised.
- If the IP address or domain name of the device on which the Integration Server is installed has changed.
You can replace the Integration Server certificate with a new certificate created using the tool or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the tool's certificate requirements.
The certificate_manager tool is located in the Integration Server installation folder: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\.
To use the tool, you need administrator rights in the operating system.
To create an Integration Server certificate using the tool:
On the device where the Integration Server is installed, run the following command:
%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe create-self-signed-certs --outputFolder <path to the folder with the certificate> [--keySize <2048 or 4096>] [--quiet]
where:
<path to folder with certificate> is the path to the folder where the created certificate will be placed. The folder must be located on the device where the Integration Server is installed.
--keySize <2048 or 4096> is the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
--quiet is an optional parameter. If this parameter is specified, the input console window is closed after the command is executed, otherwise the console window remains open.
It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure folder.
The command causes the tool to create an Integration Server certificate (in PFX format) and place it in the specified folder.
To replace the Integration Server and SVM certificates:
On the device where the Integration Server is installed, run the following command:
% ProgramFiles (x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe replace --certificatePath <path to certificate>
where <path to certificate> is the path to the Integration Server certificate (file in PFX format).
As a result of executing the command, the tool performs the following actions:
- Creates an SVM certificate based on the certificate located in the specified folder.
- Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
- Restarts the Integration Server service.
After replacing the Integration Server and SVM certificates, you need to update all Light Agent policies and SVM policies so that they receive the public key of the new certificate.
Trace files may be created while the certificate management tool is running.
