Reissuing the mobile Administration Server certificate
You need to specify a reserve Administration Server certificate to meet the security requirements of your organization and maintain a continuous connection between managed devices and the Administration Server. A reserve certificate is not issued by default.
We recommend that you specify a reserve certificate when installing the Administration Server or no later than 30 days before the expiration of the existing certificate. The exact expiration time is available in the Valid to field of the certificate settings (in the context menu of the Administration Server, select Properties → Administration server connection settings → Certificates).
The maximum validity period of any Administration Server certificate does not exceed 397 days.
The reserve certificate is delivered to the device during synchronization and becomes the main certificate immediately after the existing certificate expires. If the certificate expires and no reserve certificate has been specified, the connection between the Administration Server and Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate and reinstall Kaspersky Endpoint Security on each of the managed devices.
To reissue the Administration Server certificate with delayed activation (to use a certificate as a reserve one):
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Administration server connection settings → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
- In the Reissue certificate window that opens:
- In the Connection address group of settings, select Use old connection address, or select Change connection address to if a new connection address will be used.
- In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
It is recommended to specify a certificate activation period of at least 30 days so that all devices have time to receive the certificate. Please note that the specified period must be greater than the period for synchronizing devices with the Administration Server. For more information about configuring settings for device synchronization with the Administration Server, see the Configuring synchronization settings section.
- Click OK.
- In the confirmation window, click Yes.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
- Select the Other certificate option and click Browse.
- In the Certificate window that opens, in the Certificate type field, select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
- If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
- In the Activation term group of settings, select After this period expires, days to use the certificate as a reserve one.
- In the Certificate window, click OK.
- In the confirmation window, click Yes.
The certificate is reissued for use as the Administration Server certificate or as a reserve one.
To immediately reissue the Administration Server certificate (not recommended if you have any managed mobile devices):
Do not select Immediately if you have any managed mobile devices. If you select this option, the connection with all managed devices will be lost, since the new certificate will not be delivered to devices, and the previously existing certificate will no longer be valid.
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, select Administration server connection settings → Certificates.
- If you plan to continue using the certificate issued by Kaspersky Security Center:
- In the Administration Server authentication by mobile devices group of settings, select the Certificate issued through Administration Server option and click Reissue.
- In the Reissue certificate window that opens:
- In the Connection address group of settings, select Use old connection address, or select Change connection address to if a new connection address will be used.
- In the Activation term group of settings, select Immediately.
- Click OK.
- In the confirmation window, click Yes.
Alternatively, if you plan to use your own custom certificate:
- Check whether your certificate meets the requirements of Kaspersky Security Center and the requirements for trusted certificates by Apple. If necessary, modify the certificate.
- Select the Other certificate option and click Browse.
- In the Certificate window that opens, in the Certificate type field, select the type of your certificate and then specify the certificate location and settings:
- If you select PKCS #12 container, click the Browse button next to the Certificate file field and specify the certificate file on your hard drive. If the certificate file is password-protected, enter the password in the Password (if any) field.
- If you select X.509 certificate, click the Browse button next to the Private key (.prk, .pem) field and specify the private key on your hard drive. If the private key is password-protected, enter the password in the Password (if any) field. Then click the Browse button next to the Public key (.cer) field and specify the public key on your hard drive.
- In the Activation term group of settings, select Immediately.
- In the Certificate window, click OK.
- In the confirmation window, click Yes.
The certificate is reissued for use as the Administration Server certificate or as a reserve one.
For more information about certificates, please refer to the Kaspersky Security Center Help.
Reissuing the mobile Administration Server certificate on a connection gateway
We recommend that you specify a reserve certificate when installing the Administration Server or no later than 30 days before the expiration of the existing certificate. The exact expiration time is available in the Valid to field of the certificate settings (in the context menu of the Administration Server, select Properties → Administration server connection settings → Certificates).
If the main certificate expires and no reserve certificate has been specified in the Administration Server settings, the connection with Kaspersky Endpoint Security on managed devices will be lost. In this case, to reconnect devices, you must specify a new certificate, reconnect a connection gateway, and reinstall Kaspersky Endpoint Security on each of the managed devices.
In Kaspersky Security Center version 14.2, the activated reserve mobile certificate cannot be delivered to a connection gateway automatically after the main mobile certificate expires. To prevent problems with mobile device synchronization, you need to manually deliver the new main mobile certificate to the connection gateway.
To deliver a reserve mobile certificate to the connection gateway after the main certificate expires, you need to reconnect the connection gateway. Do the following:
- In the console tree, in the context menu of the Administration Server, select Properties.
- In the Administration Server properties window, in the Sections pane, select Distribution points.
- Select the desired host and click
to disable the current connection gateway as a distribution point.
The host disappears from the Device list.
- Click Add to reconnect the connection gateway.
For detailed instructions on deploying the connection gateway, please refer to the Configure the connection gateway on Kaspersky Security Center Administration Server section.
- In the Add distribution point window that opens, do the following:
- Next to the Device to act as a distribution point field, click Select > Add device from group. In the window that opens, select the desired host and click OK.
- Next to the Distribution point scope field, click Select. In the window that opens, select the desired group and click OK.
- Click OK.
- In the context menu of the host that appears, select Properties.
- In the host properties window, in the Sections pane, select Connection gateway.
- In the Connection gateway section, select the Connection gateway check box.
- Select the desired check boxes, and specify the desired port numbers or leave the default values.
- Click OK to save the changes you made.
The new mobile certificate is delivered to the connection gateway. To check if the correct mobile certificate has been delivered, execute the following command:
openssl s_client -connect <connection gateway address>:<port for connecting mobile devices> -showcerts
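The check described above can be scripted. The following is an added shell example, not part of the Kaspersky documentation: it compares the certificate the connection gateway presents with the certificate you expect, and flags one that is inside the 30-day window before its Valid to date. The function names, file names and sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Requires the openssl CLI.

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Save the leaf (first) certificate presented at host:port ($1) to file $2.
fetch_leaf_cert() {
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# Compare the presented certificate ($1) with the expected one ($2) and test
# whether it expires within $3 days (default 30). Prints MISMATCH, EXPIRING or OK.
check_delivered_cert() {
    days=${3:-30}
    got=$(cert_fingerprint "$1") want=$(cert_fingerprint "$2")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo MISMATCH        # unreadable file or a different certificate
    elif ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        echo EXPIRING        # correct certificate, but a reserve one is due
    else
        echo OK
    fi
}

# Constructed sample input: a throwaway self-signed certificate in file $1,
# valid for $2 days (stands in for a real mobile certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=gateway.example" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Offline demo with constructed certificates: sh check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/new.pem" 397
    make_sample_cert "$tmp/old.pem" 10
    check_delivered_cert "$tmp/new.pem" "$tmp/new.pem"  # expected certificate delivered
    check_delivered_cert "$tmp/old.pem" "$tmp/new.pem"  # gateway still serves the old one
    check_delivered_cert "$tmp/old.pem" "$tmp/old.pem"  # matches, but inside the 30-day window
    rm -rf "$tmp"
fi
# Live use (placeholders): fetch_leaf_cert "<gateway address>:<port>" presented.pem
```

For a live check, export the new mobile certificate to a PEM file, fetch the presented certificate with `fetch_leaf_cert`, and pass both files to `check_delivered_cert`.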