Kaspersky Security Center 14 Windows
[Topic 232137]

About Kaspersky Security Center certificates

Kaspersky Security Center uses the following types of certificates to enable a secure interaction between the application components:

  • Administration Server certificate
  • Mobile certificate
  • iOS MDM Server certificate
  • Kaspersky Security Center Web Server certificate
  • Kaspersky Security Center Web Console certificate

By default, Kaspersky Security Center uses self-signed certificates (that is, certificates issued by Kaspersky Security Center itself), but you can replace them with custom certificates to better meet the requirements of your organization's network and to comply with security standards. After Administration Server verifies that a custom certificate meets all applicable requirements, the certificate assumes the same functional scope as a self-signed one. The only difference is that a custom certificate is not reissued automatically upon expiration. You replace certificates with custom ones by means of the klsetsrvcert utility or through the Administration Server properties section in Administration Console, depending on the certificate type. When you use the klsetsrvcert utility, you specify the certificate type with one of the following values:

  • C—Common certificate for ports 13000 and 13291.
  • CR—Common reserve certificate for ports 13000 and 13291.
  • M—Mobile certificate for port 13292.
  • MR—Mobile reserve certificate for port 13292.
  • MCA—Mobile certification authority for auto-generated user certificates.

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center distribution kit. The utility is not compatible with previous Kaspersky Security Center versions.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

Administration Server certificates

An Administration Server certificate is required for authentication of Administration Server, as well as for secure interaction between Administration Server and Network Agent on managed devices or between primary Administration Server and secondary Administration Servers. When you connect Administration Console to Administration Server for the first time, you are prompted to confirm the use of the current Administration Server certificate. Such confirmation is also required every time the Administration Server certificate is replaced, after every reinstallation of Administration Server, and when connecting a secondary Administration Server to the primary Administration Server. This certificate is called common ("C").

The common ("C") certificate is automatically created when the Administration Server component is installed. The certificate consists of two parts:

  • klserver.cer file; by default, it is located on the device where the Administration Server component is installed in C:\ProgramData\KasperskyLab\adminkit\1093\cert folder.
  • Secret key located in Windows Protected Storage.

Also, a common reserve ("CR") certificate exists. Kaspersky Security Center automatically generates this certificate 90 days before the expiration of the common certificate. The common reserve certificate is subsequently used for seamless replacement of the Administration Server certificate. When the common certificate is about to expire, the common reserve certificate is used to maintain the connection with Network Agent instances installed on managed devices. For this purpose, the common reserve certificate automatically becomes the new common certificate 24 hours before the old common certificate expires.

You can also back up the Administration Server certificate separately from other Administration Server settings in order to move Administration Server from one device to another without data loss.

Mobile certificates

A mobile certificate ("M") is required for authentication of the Administration Server on mobile devices. You configure the use of the mobile certificate on the dedicated step of the Quick Start Wizard.

Also, a mobile reserve ("MR") certificate exists: it is used for seamless replacement of the mobile certificate. When the mobile certificate is about to expire, the mobile reserve certificate is used to maintain the connection with Network Agent instances installed on managed mobile devices. For this purpose, the mobile reserve certificate automatically becomes the new mobile certificate 24 hours before the old mobile certificate expires.

Automatically reissuing mobile certificates is not supported. We recommend that you specify a new mobile certificate when the existing one is about to expire. If the mobile certificate expires and the mobile reserve certificate is not specified, the connection between Administration Server and Network Agent instances installed on managed mobile devices will be lost. In this case, to reconnect managed mobile devices, you must specify a new mobile certificate and reinstall Kaspersky Security for Mobile on each managed mobile device.

If the connection scenario requires the use of a client certificate on mobile devices (connection involving two-way SSL authentication), you generate those certificates by means of the certificate authority for auto-generated user certificates ("MCA"). Also, the Quick Start Wizard enables you to start using custom client certificates issued by a different certification authority, while integration with the domain Public Key Infrastructure (PKI) of your organization enables you to issue client certificates by means of your domain certification authority.

iOS MDM Server certificate

An iOS MDM Server certificate is required for authentication of Administration Server on mobile devices running the iOS operating system. The interaction with these devices is performed via the Apple mobile device management (MDM) protocol that involves no Network Agent. Instead, you install a special iOS MDM profile, containing a client certificate, on each device, to ensure two-way SSL authentication.

Also, the Quick Start Wizard enables you to start using custom client certificates issued by a different certification authority, while integration with the domain Public Key Infrastructure (PKI) of your organization enables you to issue client certificates by means of your domain certification authority.

Client certificates are transmitted to iOS devices when you download those iOS MDM profiles. Each iOS MDM Server client certificate is unique. You generate all iOS MDM Server client certificates by means of the certification authority for auto-generated user certificates ("MCA").

Kaspersky Security Center Web Server certificate

Kaspersky Security Center Web Server (hereinafter referred to as Web Server), a component of Kaspersky Security Center Administration Server, uses a special type of certificate. This certificate is required for publishing Network Agent installation packages that you subsequently download to managed devices, as well as for publishing iOS MDM profiles, iOS apps, and Kaspersky Security for Mobile installation packages. For this purpose, Web Server can use various certificates.

If the mobile device support is disabled, Web Server uses one of the following certificates, in order of priority:

  1. Custom Web Server certificate that you specified manually by means of Administration Console
  2. Common Administration Server certificate ("C")

If the mobile device support is enabled, Web Server uses one of the following certificates, in order of priority:

  1. Custom Web Server certificate that you specified manually by means of Administration Console
  2. Custom mobile certificate
  3. Self-signed mobile certificate ("M")
  4. Common Administration Server certificate ("C")

Kaspersky Security Center Web Console certificate

The Kaspersky Security Center Web Console Server (hereinafter referred to as Web Console) has its own certificate. When you open a website, the browser verifies whether the connection is trusted. The Web Console certificate lets the browser authenticate the Web Console and is used to encrypt traffic between the browser and the Web Console.

When you open the Web Console, the browser may inform you that the connection to the Web Console is not private and the Web Console certificate is invalid. This warning appears because the Web Console certificate is self-signed and automatically generated by Kaspersky Security Center. To remove this warning, you can do one of the following:

See also:

Requirements for custom certificates used in Kaspersky Security Center

Scenario: Specifying the custom Administration Server certificate

Main installation scenario

Administration Server authentication during Administration Console connection

Hierarchy of Administration Servers: primary Administration Server and secondary Administration Server

Data backup and recovery in interactive mode

Working with certificates of mobile devices

Administration Server Quick Start Wizard

Adding iOS mobile devices to the list of managed devices

Signing an iOS MDM profile by a certificate

Web Server

[Topic 206479]

About Administration Server certificate

The Administration Server certificate is used for two operations: authentication of Administration Server when Administration Console connects to it, and data exchange with devices. The certificate is also used for authentication when primary Administration Servers are connected to secondary Administration Servers.

Certificate issued by Kaspersky

The Administration Server certificate is created automatically during installation of the Administration Server component and it is stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder.

The Administration Server certificate is valid for five years, if the certificate was generated by Administration Server version 12.2 or earlier. Otherwise, the certificate validity term is limited to 397 days. A new certificate is generated by the Administration Server as the reserve certificate 90 days before the expiration date of the current certificate. Subsequently, the new certificate automatically replaces the current certificate one day before the expiration date. All Network Agents on the client devices are automatically reconfigured to authenticate the Administration Server with the new certificate.

Custom certificates

If necessary, you can assign a custom certificate for the Administration Server. For example, this may be necessary for better integration with the existing PKI of your enterprise or for custom configuration of the certificate fields.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error." To eliminate this error, you have to restore the connection after the certificate replacement.

If the Administration Server certificate is lost, you must reinstall the Administration Server component, and then restore the data in order to recover it.

If you open Kaspersky Security Center Web Console in different browsers and download the Administration Server certificate file in the Administration Server properties window, the downloaded files have different names.

[Topic 3322]

Requirements for custom certificates used in Kaspersky Security Center

The table below shows the requirements for custom certificates specified for different components of Kaspersky Security Center.

Requirements for Kaspersky Security Center certificates

Certificate type: Common certificate, Common reserve certificate ("C", "CR")

Requirements:

Minimum key length: 2048.

Basic constraints:

  • Path Length Constraint: None

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (optional): server authentication, client authentication.

Comments:

Extended Key Usage parameter is optional.

Path Length Constraint value may be an integer different from "None", but not less than 1.

Certificate type: Mobile certificate, Mobile reserve certificate ("M", "MR")

Requirements:

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (optional): server authentication.

Comments:

Extended Key Usage parameter is optional.

Path Length Constraint value may be an integer different from "None" if the Common certificate has a Path Length Constraint value not less than 1.

Certificate type: Certificate CA for auto-generated user certificates ("MCA")

Requirements:

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (optional): server authentication, client authentication.

Comments:

Extended Key Usage parameter is optional.

Path Length Constraint value may be an integer different from "None" if the Common certificate has a Path Length Constraint value not less than 1.

Certificate type: Web Server certificate

Requirements:

  • Extended Key Usage: server authentication.
  • The PKCS #12 / PEM container from which the certificate is specified includes the entire chain of public keys.
  • The Subject Alternative Name (SAN) of the certificate is present; that is, the value of the subjectAltName field is valid.
  • The certificate meets the effective requirements of browsers imposed on server certificates, as well as the current baseline requirements of the CA/Browser Forum.

Comments: none.

Certificate type: Kaspersky Security Center Web Console certificate

Requirements:

  • The PEM container from which the certificate is specified includes the entire chain of public keys.
  • The Subject Alternative Name (SAN) of the certificate is present; that is, the value of the subjectAltName field is valid.
  • The certificate meets the effective requirements of browsers imposed on server certificates, as well as the current baseline requirements of the CA/Browser Forum.

Comments:

Encrypted certificates are not supported by Kaspersky Security Center Web Console.

See also:

About Administration Server certificate

Scenario: Specifying the custom Administration Server certificate

Main installation scenario

[Topic 191451]

Scenario: Specifying the custom Administration Server certificate

You can assign the custom Administration Server certificate, for example, for better integration with the existing public key infrastructure (PKI) of your enterprise or for custom configuration of the certificate fields. It is useful to replace the certificate immediately after installation of Administration Server and before the Quick Start Wizard finishes.

The maximum validity period for any of the Administration Server certificates must be 397 days or less.

Prerequisites

The new certificate must be created in the PKCS#12 format (for example, by means of the organization's PKI) and must be issued by a trusted certification authority (CA). The new certificate must also include the entire chain of trust and a private key, stored in a file with the .pfx or .p12 extension. The new certificate must meet the requirements listed in the table below.

Requirements for the Administration Server certificates

Certificate type: Common certificate, common reserve certificate ("C", "CR")

Requirements:

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

    Path Length Constraint value may be an integer different from "None," but not less than 1.

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (EKU): server authentication and client authentication. The EKU is optional, but if your certificate contains it, the server and client authentication data must be specified in the EKU.

Certificate type: Mobile certificate, mobile reserve certificate ("M", "MR")

Requirements:

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

    Path Length Constraint value may be an integer different from "None" if the common certificate has a Path Length Constraint value not less than 1.

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (EKU): server authentication. The EKU is optional, but if your certificate contains it, the server authentication data must be specified in the EKU.

Certificate type: Certificate CA for auto-generated user certificates ("MCA")

Requirements:

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

    Path Length Constraint value may be an integer different from "None" if the Common certificate has a Path Length Constraint value not less than 1.

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (EKU): client authentication. The EKU is optional, but if your certificate contains it, the client authentication data must be specified in the EKU.

Certificates issued by a public CA do not have the certificate signing permission. To use such certificates, make sure that you installed Network Agent version 13 or later on distribution points or connection gateways in your network. Otherwise, you will not be able to use certificates without the signing permission.
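As an added pre-flight check (not part of the Kaspersky documentation or product), the Go program below uses only the standard crypto/x509 package to test a parsed certificate against the rows above for the common ("C"/"CR") certificate: an RSA key of at least 2048 bits, CA: true with a path length of None or at least 1, the four Key Usage bits, an EKU that, if present, names both server and client authentication, and a validity period of 397 days or less. The noCA switch models the -o NoCA option for public-CA certificates described in the klsetsrvcert section, under the assumption that it waives only the CA flag and the keyCertSign/cRLSign bits; the two sample certificates, the ksc.example.test name and the must helper are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const MaxValidity = 397 * 24 * time.Hour // the 397-day cap the documentation sets

// RequiredKU is the table's Key Usage set: digital signature, certificate signing,
// key encryption (keyEncipherment) and CRL signing.
const RequiredKU = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign |
	x509.KeyUsageKeyEncipherment | x509.KeyUsageCRLSign

// CheckCommonCert returns one message per requirement the certificate violates
// (empty means it passes). noCA models klsetsrvcert "-o NoCA"; the assumption here
// is that it waives only CA: true and the keyCertSign/cRLSign key-usage bits.
func CheckCommonCert(c *x509.Certificate, noCA bool) []string {
	var problems []string
	// Minimum key length 2048. The table names no key type, so RSA is assumed.
	if pub, ok := c.PublicKey.(*rsa.PublicKey); !ok || pub.N.BitLen() < 2048 {
		problems = append(problems, "key must be RSA with at least 2048 bits")
	}
	// Basic constraints: CA: true; path length None (Go reports -1) or >= 1.
	// An explicit pathlen of 0 parses as MaxPathLen == 0 with MaxPathLenZero set.
	if (!noCA && !(c.BasicConstraintsValid && c.IsCA)) || (c.MaxPathLen == 0 && c.MaxPathLenZero) {
		problems = append(problems, "basic constraints must be CA: true with path length None or >= 1")
	}
	// Key Usage: every listed bit must be present.
	need := RequiredKU
	if noCA {
		need &^= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if c.KeyUsage&need != need {
		problems = append(problems, "key usage is missing a required bit")
	}
	// EKU is optional, but when present it must carry both serverAuth and clientAuth.
	if len(c.ExtKeyUsage) > 0 {
		seen := map[x509.ExtKeyUsage]bool{}
		for _, e := range c.ExtKeyUsage {
			seen[e] = true
		}
		if !seen[x509.ExtKeyUsageServerAuth] || !seen[x509.ExtKeyUsageClientAuth] {
			problems = append(problems, "EKU present but lacks serverAuth and/or clientAuth")
		}
	}
	if c.NotAfter.Sub(c.NotBefore) > MaxValidity {
		problems = append(problems, "validity period exceeds 397 days")
	}
	return problems
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newTestCert builds a self-signed certificate with the given properties: a constructed
// sample so the checker runs offline, not a real Kaspersky Security Center certificate.
func newTestCert(bits int, validity time.Duration, isCA bool, ku x509.KeyUsage,
	eku []x509.ExtKeyUsage) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "ksc.example.test"}, // hypothetical name
		NotBefore:             now,
		NotAfter:              now.Add(validity),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// SampleCerts returns one certificate that satisfies the table and one that breaks it
// on key length, CA flag, key usage, EKU and validity (five findings).
func SampleCerts() (good, bad *x509.Certificate) {
	good = newTestCert(2048, 365*24*time.Hour, true, RequiredKU,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	bad = newTestCert(1024, 5*365*24*time.Hour, false, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	return good, bad
}

func main() {
	good, bad := SampleCerts()
	fmt.Println("good:", CheckCommonCert(good, false)) // good: []
	fmt.Println("bad:", CheckCommonCert(bad, false))
}
```

To check a real candidate, parse the leaf certificate from your .pfx (reading PKCS#12 needs a package outside the Go standard library) and resolve every finding before running klsetsrvcert.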

Stages

Specifying the Administration Server certificate proceeds in stages:

  1. Replacing the Administration Server certificate

    Use the command-line klsetsrvcert utility for this purpose.

  2. Specifying a new certificate and restoring connection of Network Agents to the Administration Server

    When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL lose their connection and return "Administration Server authentication error." To specify the new certificate and restore the connection, use the command-line klmover utility.

  3. Specifying a new certificate in the settings of Kaspersky Security Center Web Console

    After you replace the certificate, specify it in the settings of Kaspersky Security Center Web Console. Otherwise, Kaspersky Security Center Web Console will not be able to connect to the Administration Server.

Results

When you finish the scenario, the Administration Server certificate is replaced and the server is authenticated by Network Agents on the managed devices.

See also:

About Kaspersky Security Center certificates

About Administration Server certificate

Requirements for custom certificates used in Kaspersky Security Center

Main installation scenario

[Topic 155201]

Replacing the Administration Server certificate by using the klsetsrvcert utility

To replace the Administration Server certificate:

From the command line, run the following utility:

klsetsrvcert [-t <type> {-i <inputfile> [-p <password>] [-o <chkopt>] | -g <dnsname>}] [-f <time>] [-r <calistfile>] [-l <logfile>]

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center distribution kit. It is not compatible with previous Kaspersky Security Center versions.

The description of the klsetsrvcert utility parameters is presented in the table below.

Values of the klsetsrvcert utility parameters

-t <type>
    Type of certificate to be replaced. Possible values of the <type> parameter:
      • C—Replace the common certificate for ports 13000 and 13291.
      • CR—Replace the common reserve certificate for ports 13000 and 13291.
      • M—Replace the certificate for mobile devices on port 13292.
      • MR—Replace the mobile reserve certificate for port 13292.
      • MCA—Mobile client CA for auto-generated user certificates.

-f <time>
    Schedule for changing the certificate, in the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).
    Use this parameter if you want to replace the common certificate with the common reserve certificate before the common certificate expires.
    Specify the time at which managed devices must synchronize with Administration Server using the new certificate.

-i <inputfile>
    Container with the certificate and a private key in the PKCS#12 format (file with the .p12 or .pfx extension).

-p <password>
    Password used to protect the p12 container. The certificate and private key are stored in the container, so the password is required to decrypt the container file.

-o <chkopt>
    Certificate validation parameters (semicolon separated).
    To use a custom certificate without signing permission, specify -o NoCA. This is useful for certificates issued by a public CA.
    To change the encryption key length for certificate types C or CR, specify -o RsaKeyLen:<key length>, where <key length> is the required key length. Otherwise, the current certificate key length is used.

-g <dnsname>
    A new certificate will be created for the specified DNS name.

-r <calistfile>
    List of trusted root certification authorities, in PEM format.

-l <logfile>
    Results output file. By default, the output is written to the standard output stream.

For example, to specify the custom Administration Server certificate, use the following command:

klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA

After the certificate is replaced, all Network Agents connected to Administration Server through SSL lose their connection. To restore it, use the command-line klmover utility.

To avoid losing the Network Agents connections, use the following commands:

  1. To install the new certificate,
    klsetsrvcert.exe -t CR -i <inputfile> -p <password> -o NoCA
  2. To specify the date when the new certificate will be applied,
    klsetsrvcert.exe -f "DD-MM-YYYY hh:mm"

where "DD-MM-YYYY hh:mm" is a date 3–4 weeks after the current date. Delaying the switch to the new certificate gives it time to be distributed to all Network Agents.

See also:

Scenario: Specifying the custom Administration Server certificate

[Topic 227838]

Connecting Network Agents to Administration Server by using the klmover utility

After you replace the Administration Server certificate by using the command-line klsetsrvcert utility, you need to establish the SSL connection between Network Agents and Administration Server because the connection is broken.

To specify the new Administration Server certificate and restore the connection:

From the command line, run the following utility:

klmover [-address <server address>] [-pn <port number>] [-ps <SSL port number>] [-nossl] [-cert <path to certificate file>]

Administrator rights are required to run the utility.

This utility is automatically copied to the Network Agent installation folder when Network Agent is installed on a client device.

To prevent intruders from moving devices out of your Administration Server's control, we strongly recommend enabling password protection for running the klmover utility. To enable password protection, select the Use uninstallation password option in the Network Agent policy settings.

The klmover utility requires local administrator rights. Password protection for running the klmover utility can be omitted for devices operated without local administrator rights.

Enabling the Use uninstallation password option also enables password protection for the Cleaner tool (cleaner.exe).

You cannot use the klmover utility for client devices connected to Administration Server through connection gateways. For such devices you have to either reconfigure Network Agent, or reinstall Network Agent and specify the connection gateway.

The description of the klmover utility parameters is presented in the table below.

Values of the klmover utility parameters

-address <server address>
    Address of the Administration Server for connection. You can specify an IP address, the NetBIOS name, or the DNS name.

-pn <port number>
    Number of the port through which a non-encrypted connection to the Administration Server is established. The default port number is 14000.

-ps <SSL port number>
    Number of the SSL port through which an encrypted connection to the Administration Server is established by using SSL. The default port number is 13000.

-nossl
    Use a non-encrypted connection to the Administration Server. If this key is not specified, Network Agent connects to the Administration Server by using the encrypted SSL protocol.

-cert <path to certificate file>
    Use the specified certificate file for authentication of access to Administration Server.

-virtserv
    Name of the virtual Administration Server.

-cloningmode
    Network Agent disk cloning mode. Use one of the following parameters to configure the disk cloning mode:
      • -cloningmode—Request the status of the disk cloning mode.
      • -cloningmode 1—Enable the disk cloning mode.
      • -cloningmode 0—Disable the disk cloning mode.

For example, to connect Network Agent to Administration Server, run the following command:

klmover -address kscserver.mycompany.com -logfile klmover.log

See also:

Scenario: Specifying the custom Administration Server certificate

Manually connecting a client device to the Administration Server. Klmover utility

Moving devices connected to Administration Server through connection gateways to another Administration Server

[Topic 227839]

Reissuing the Web Server certificate

The Web Server certificate used in Kaspersky Security Center is required for publishing Network Agent installation packages that you subsequently download to managed devices, as well as for publishing iOS MDM profiles, iOS apps, and Kaspersky Endpoint Security for Mobile installation packages. Depending on the current application configuration, various certificates can function as the Web Server certificate (for more detail, see About Kaspersky Security Center certificates).

You may need to reissue the Web Server certificate to meet the specific security requirements of your organization or to maintain continuous connection of your managed devices before starting to upgrade the application. Kaspersky Security Center provides two ways of reissuing the Web Server certificate; the choice between the two methods depends on whether you have mobile devices connected and managed through the mobile protocol (i.e., by using the mobile certificate).

If you have never specified your own custom certificate as the Web Server certificate in the Web Server section of the Administration Server properties window, the mobile certificate acts as the Web Server certificate. In this case, the Web Server certificate is reissued by reissuing the mobile certificate itself.

To reissue the Web Server certificate when you have no mobile devices managed through the mobile protocol:

  1. In the console tree, right-click the name of the relevant Administration Server and in the context menu select Properties.
  2. In the Administration Server properties window that opens, in the left pane, select the Administration Server connection settings section.
  3. In the list of subsections, select the Certificates subsection.
  4. If you plan to continue using the certificate issued by Kaspersky Security Center, do the following:
    1. On the right pane, in the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click the Reissue button.
    2. In the Reissue certificate window that opens, in the Connection address and Activation term group of settings, select the relevant options and click OK.
    3. In the confirmation window, click Yes.

    Alternatively, if you plan to use your own custom certificate, do the following:

    1. Check whether your custom certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
    2. Select the Other certificate option and click the Browse button.
    3. In the Certificate window that opens, in the Certificate type field select the type of your certificate and then specify the certificate location and settings:
      • If you have selected PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
      • If you have selected X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
    4. In the Certificate window, click OK.
    5. In the confirmation window, click Yes.

    The mobile certificate is reissued to be used as the Web Server certificate.

To reissue the Web Server certificate when you have any mobile devices managed through the mobile protocol:

  1. Generate your custom certificate and prepare it for use in Kaspersky Security Center. Check whether your custom certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.

    You can use the kliossrvcertgen.exe utility for certificate generation.

  2. In the console tree, right-click the name of the relevant Administration Server and in the context menu select Properties.
  3. In the Administration Server properties window that opens, in the left pane, select the Web Server section.
  4. In the Over HTTPS menu, select the Specify another certificate option.
  5. In the Over HTTPS menu, click the Change button.
  6. In the Certificate window that opens, in the Certificate type field select the type of your certificate:
    • If you have selected PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
    • If you have selected X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
  7. In the Certificate window, click OK.
  8. If necessary, in the Administration Server properties window, in the Web Server HTTPS port field change the number of the HTTPS port for Web Server. Click OK.

    The Web Server certificate is reissued.
