Generating SSL certificates for Kaspersky Scan Engine GUI

Kaspersky Scan Engine GUI uses an SSL certificate for HTTPS connections. By default, Kaspersky Scan Engine GUI uses a self-signed certificate and a private key that are generated during installation of Kaspersky Scan Engine. The generated certificate is valid for two years.

We recommend that you generate a certificate that will be trusted in your infrastructure and configure Kaspersky Scan Engine GUI to use this certificate instead of the self-signed certificate.

Before making changes, create a backup copy of the existing private key, certificate, and Kaspersky Scan Engine configuration file.

To generate a trusted certificate for Kaspersky Scan Engine GUI:

1. Create a private key and a trusted certificate:
   1. Create a new private and public key pair.
   2. Use the public key to generate an SSL Certificate Signing Request (CSR).
   3. Sign the CSR by using the trusted certificate authority (CA).

      This creates a trusted certificate for the private key.

2. Convert the private key and the trusted certificate to PEM format.
3. Copy both the private key and the certificate to the %service_dir%/httpsrv directory.

   You must configure access to the private key file for Kaspersky Scan Engine GUI so that only the root user and the user account under which the service is running can have the read permission.

4. Edit the Settings > ServerSettings > SSLCertificatePath and Settings > ServerSettings > SSLPrivateKeyPath elements of the Kaspersky Scan Engine configuration file if necessary so that they will contain the paths to the certificate and private key respectively.

   Save the Kaspersky Scan Engine configuration file.

5. Restart Kaspersky Scan Engine.