Managing Kaspersky Thin Client certificates

The TLS encryption protocol ensures data transfer security using SSL connection certificates. An SSL connection certificate (hereinafter referred to as an "SSL certificate" or simply "certificate") is a block of data containing information about the certificate owner, the owner's public key, and the start and end dates of certificate validity.

Kaspersky Thin Client does not check to see if the certificate is on the Certificate Revocation List.

Kaspersky Thin Client uses the following certificates:

• Certificate for connecting Kaspersky Thin Client to Kaspersky Security Center.
• Certificate for authenticating the RDP server when connecting to a remote desktop.
• Certificate for authenticating the connection broker when connecting to a remote desktop managed by Basis.WorkPlace.
• Certificate for connecting to the log server.

We recommend updating certificates in the following cases:

• Current certificates have been compromised.
• Certificates have expired.
• Certificates need to be regularly updated in accordance with the information security requirements of your enterprise.

Kaspersky Thin Client uses a mobile certificate for connecting to Kaspersky Security Center. A mobile certificate is created automatically when installing Kaspersky Security Center. For details on how to reissue a mobile certificate, please refer to the Reissuing the Web Server certificate section of the Kaspersky Security Center Online Help Guide.

To securely connect Kaspersky Thin Client to a remote desktop via RDP, to a connection broker for remote desktops managed by Basis.WorkPlace, or to a log server, you must add the appropriate security certificate. All added certificates are saved in the system store of Kaspersky Thin Client.

For a thin client that is not in an administration group and is not managed through the Kaspersky Security Center Web Console, you can manually add a certificate in the Kaspersky Thin Client interface in the following situations:

• When connecting Kaspersky Thin Client to Kaspersky Security Center for the first time.
• When connecting to a remote desktop managed by Basis.WorkPlace or via RDP for the first time.
• When connecting to a log server for the first time.

For a thin client that is added to an administration group and is managed through the Kaspersky Security Center Web Console, the Kaspersky Security Center administrator adds certificates through the Kaspersky Security Center Web Console interface. In this case, you will be able to connect only to the servers for which the administrator added a certificate. If the certificate added to the policy is a root certificate, the connection is established based on the server domain name only.

If the Kaspersky Security Center administrator replaces the certificate for connecting to Kaspersky Security Center, some situations may require confirmation of the certificate replacement to connect to Kaspersky Security Center. For example, this may be required if the thin client was turned off for a long time, has not synchronized with Kaspersky Security Center, and the certificate previously used to connect to Kaspersky Security Center has expired.

To confirm replacement of the certificate for connecting to Kaspersky Security Center:

1. Turn on Kaspersky Thin Client.
2. In the Certificate replacement required window that opens, view and memorize the confirmation code and provide it to the Kaspersky Security Center administrator. The administrator contact details are provided in the Certificate replacement required window. The Kaspersky Security Center administrator sends you a certificate replacement code in response.
3. Click Next.
4. In the Certificate replacement code window that opens, enter the code provided by the Kaspersky Security Center administrator and click the Confirm button.

As a result, the new certificate for connecting to Kaspersky Security Center will be saved in the Kaspersky Thin Client certificate store and will be subsequently used to connect to Kaspersky Security Center.