Kaspersky Secure Mobility Management

Reissuing the mobile Administration Server certificate

June 4, 2024

ID 274364

You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.

We recommend that you specify a reserve certificate when installing the Administration Server or no later than 30 days before the expiration of the existing certificate. The exact expiration time is available in the Valid to field of the certificate settings (in the context menu of the Administration Server, select PropertiesAdministration server connection settingsCertificates).

The maximum validity period of any Administration Server certificate does not exceed 397 days.

The reserve certificate is delivered to the device during synchronization and becomes the main certificate immediately after the existing certificate expires. If the certificate expires and no reserve has been specified, the connection between the Administration Server and Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall Kaspersky Endpoint Security on each of the managed devices.

To reissue the Administration Server certificate with delayed activation (to use a certificate as a reserve one):

  1. In the console tree, in the context menu of the Administration Server, select Properties.
  2. In the Administration Server properties window, select Administration server connection settingsCertificates.
  3. If you plan to continue using the certificate issued by Kaspersky Security Center:
    1. In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
    2. In the Reissue certificate window that opens:
      1. In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
      2. In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.

        It is recommended to specify a certificate activation period of at least 30 days so that all devices have time to receive the certificate. Please note that the specified period must be greater than the period for synchronizing devices with the Administration Server. For more information about configuring settings for device synchronization with the Administration Server, see the Configuring synchronization settings section.

      3. Click OK.
      4. In the confirmation window, click Yes.

    Alternatively, if you plan to use your own custom certificate:

    1. Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
    2. Select the Other certificate option and click Browse.
    3. In the Certificate window that opens, in the Certificate type field, select the type of your certificate and then specify the certificate location and settings:
      • If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
      • If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the private key on your hard drive.
    4. In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
    5. In the Certificate window, click OK.
    6. In the confirmation window, click Yes.

The certificate is reissued for use as the Administration Server certificate or as a reserve one.

To immediately reissue the Administration Server certificate (not recommended if you have any managed mobile devices):

Do not select Immediately if you have any managed mobile devices. If you select this option, the connection with all managed devices will be lost, since the new certificate will not be delivered to devices, and the previously existing certificate will no longer be valid.

  1. In the console tree, in the context menu of the Administration Server, select Properties.
  2. In the Administration Server properties window, select Administration server connection settingsCertificates.
  3. If you plan to continue using the certificate issued by Kaspersky Security Center:
    1. In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
    2. In the Reissue certificate window that opens:
      1. In the Connection address group of settings, select Use old connection address or Change connection address to, if a new connection address will be used.
      2. In the Activation term group of settings, select Immediately.
    3. Click OK.
    4. In the confirmation window, click Yes.

    Alternatively, if you plan to use your own custom certificate:

    1. Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
    2. Select the Other certificate option and click Browse.
    3. In the Certificate window that opens, in the Certificate type field select the type of your certificate and then specify the certificate location and settings:
      • If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
      • If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the private key on your hard drive.
    4. In the Activation term group of settings, select Immediately.
    5. In the Certificate window, click OK.
    6. In the confirmation window, click Yes.

The certificate is reissued for use as the Administration Server certificate or as a reserve one.

For more information about certificates, please refer to the Kaspersky Security Center Help.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.