How to renew an iOS MDM Server certificate in Kaspersky Security for Mobile
Renewing a certificate before its expiration date in Kaspersky Security Center 13 and later
In Kaspersky Security Center 13 and later, you can issue a reserve iOS MDM Server certificate to ensure seamless switching of managed iOS devices after the iOS MDM Server certificate expires. For more information, see Online Help.
You don’t have to renew an iOS MDM Server certificate using the kliossrvcertgen utility until the certificate expires.
Renewing a certificate before its expiration date in Kaspersky Security Center 11 and 12
To replace a profile before the server certificate expires, follow these steps:
- Using the kliossrvcertgen utility, generate a profile with a new root certificate and a server certificate, with the following input values:
  - fqdn – server FQDN;
  - validity – certificate lifetime, days (by default, 3650 days, i.e., 10 years);
  - out – certificate name;
  - pwd – password (not set by default);
  - outprof – name of the new profile.
For example, to generate a mobile device profile named prof.mobileconfig and a server certificate named cert.pfx, with the installation password 1234 and a lifetime of 825 days (the maximum validity period for iOS 13 and later; learn more on the Apple support website), for the server myfqdn.com, run the command:
kliossrvcertgen.exe -fqdn myfqdn.com -validity 795 -out cert.pfx -pwd 1234 -outprof prof.mobileconfig
When setting the validity value, take into account that the validity period of the certificate is increased by 30 days by default, so validity=795 corresponds to Apple's recommended validity period of 825 days.
- Import the new profile to the iOS MDM server. Open iOS MDM Server settings. Go to Configuration profiles and click Import.
- Distribute the new profile to the devices. Go to Mobile Device Management → Mobile devices. Select the device. Open the context menu and select All commands → Install profile.
- Replace the old server certificate with a new one. Go to Certificates. In the iOS MDM Server certificate section, click Install.
Attention! Replace the server certificate only after the profile has been delivered to all devices.
The server certificate will be renewed.
Renewing a certificate after its expiration date
If the server certificate has expired, replace it in the following way:
- Use the kliossrvcertgen utility to generate a new server certificate with the following input parameters:
  - fqdn – server FQDN;
  - validity – certificate lifetime, days (by default, 3650 days, i.e., 10 years);
  - out – certificate name;
  - pwd – password (not set by default);
  - outprof – name of the new profile.
For example, to generate a mobile device profile named prof.mobileconfig and a server certificate named cert.pfx, with the installation password 1234 and a lifetime of 825 days (the maximum validity period for iOS 13 and later; learn more on the Apple support website), for the server myfqdn.com, run the command:
kliossrvcertgen.exe -fqdn myfqdn.com -validity 795 -out cert.pfx -pwd 1234 -outprof prof.mobileconfig
When setting the validity value, take into account that the validity period of the certificate is increased by 30 days by default, so validity=795 corresponds to Apple's recommended validity period of 825 days.
- Install the iOS MDM server certificate. Open iOS MDM Server settings. Go to Certificates. In the iOS MDM Server certificate section, click Install.
- Generate profiles for each user. Go to the User accounts node. Select the required account and click Add mobile device in the context menu. Complete all the steps in the New Mobile Device Connection Wizard. For instructions, see Online Help.
The server certificate will be renewed.
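
To check a certificate generated in either procedure above before installing it, the following PowerShell script reads the PFX and reports whether its lifetime is within 825 days and whether its DNS name matches the server FQDN. It is an added example, not part of the original article or of Kaspersky's tooling; the parameter defaults are the article's sample values, and it assumes the PFX stores the server certificate as an end-entity certificate.

```powershell
# Added example: inspect a PFX generated by kliossrvcertgen before installing it.
# Defaults are the article's sample values; the 825-day limit is the one it cites.
param(
    [string]$PfxPath = '.\cert.pfx',
    [string]$Fqdn    = 'myfqdn.com',
    [int]$MaxDays    = 825
)
$ErrorActionPreference = 'Stop'

# Prompt for the password rather than storing it in the script.
# Press Enter at the prompt if the PFX was generated without -pwd.
$securePwd = Read-Host -Prompt "Password for $PfxPath" -AsSecureString
$pfxArgs = @{ FilePath = $PfxPath }
if ($securePwd.Length -gt 0) { $pfxArgs.Password = $securePwd }

# Get-PfxData (Windows PKI module) parses the file without importing it
# into a certificate store.
$pfx = Get-PfxData @pfxArgs

# Assumption: the server certificate is stored as an end-entity certificate.
if (-not $pfx.EndEntityCertificates) {
    throw "No end-entity certificate found in $PfxPath"
}

$now = Get-Date
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$report = foreach ($cert in $pfx.EndEntityCertificates) {
    $days = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays, 1)
    $name = $cert.GetNameInfo($dnsType, $false)   # SAN DNS name, else subject CN
    [pscustomobject]@{
        DnsName      = $name
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        LifetimeDays = $days
        WithinLimit  = $days -le $MaxDays
        NameMatches  = $name -eq $Fqdn               # -eq is case-insensitive
        ValidNow     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    }
}
$report | Format-List

# A non-zero exit code lets a wrapper script stop before the certificate is installed.
$failed = $report | Where-Object { -not ($_.WithinLimit -and $_.NameMatches -and $_.ValidNow) }
if ($failed) { Write-Warning 'Certificate failed one or more checks.'; exit 1 }
```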