About Kaspersky Security Center certificates
Kaspersky Security Center uses the following types of certificates to enable a secure interaction between the application components:
- Administration Server certificate
- Mobile certificate
- iOS MDM Server certificate
- Kaspersky Security Center Web Server certificate
- Kaspersky Security Center Web Console certificate
By default, Kaspersky Security Center uses self-signed certificates (that is, certificates issued by Kaspersky Security Center itself), but you can replace them with custom certificates to better meet the requirements of your organization's network and to comply with security standards. After Administration Server verifies that a custom certificate meets all applicable requirements, this certificate assumes the same functional scope as a self-signed certificate. The only difference is that a custom certificate is not reissued automatically upon expiration. Depending on the certificate type, you replace certificates with custom ones either by means of the klsetsrvcert utility or through the Administration Server properties section in Administration Console. When you use the klsetsrvcert utility, you specify the certificate type by using one of the following values:
- C—Common certificate for ports 13000 and 13291.
- CR—Common reserve certificate for ports 13000 and 13291.
- M—Mobile certificate for port 13292.
- MR—Mobile reserve certificate for port 13292.
- MCA—Mobile certification authority for auto-generated user certificates.
You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center distribution kit. The utility is not compatible with previous Kaspersky Security Center versions.
The validity period of any Administration Server certificate must not exceed 397 days.
Administration Server certificates
An Administration Server certificate is required for authentication of Administration Server, as well as for secure interaction between Administration Server and Network Agent on managed devices or between primary Administration Server and secondary Administration Servers. When you connect Administration Console to Administration Server for the first time, you are prompted to confirm the use of the current Administration Server certificate. Such confirmation is also required every time the Administration Server certificate is replaced, after every reinstallation of Administration Server, and when connecting a secondary Administration Server to the primary Administration Server. This certificate is called common ("C").
The common ("C") certificate is automatically created when the Administration Server component is installed. The certificate consists of two parts:
- The klserver.cer file. By default, it is located on the device where the Administration Server component is installed, in the C:\ProgramData\KasperskyLab\adminkit\1093\cert folder.
- The private (secret) key, which is stored in Windows Protected Storage.
Also, a common reserve ("CR") certificate exists. Kaspersky Security Center automatically generates this certificate 90 days before the expiration of the common certificate. The common reserve certificate is subsequently used for seamless replacement of the Administration Server certificate. When the common certificate is about to expire, the common reserve certificate is used to maintain the connection with Network Agent instances installed on managed devices. For this purpose, the common reserve certificate automatically becomes the new common certificate 24 hours before the old common certificate expires.
You can also back up the Administration Server certificate separately from other Administration Server settings in order to move Administration Server from one device to another without data loss.
Mobile certificates
A mobile certificate ("M") is required for authentication of the Administration Server on mobile devices. You configure the use of the mobile certificate at the dedicated step of the quick start wizard.
Also, a mobile reserve ("MR") certificate exists: it is used for seamless replacement of the mobile certificate. When the mobile certificate is about to expire, the mobile reserve certificate is used to maintain the connection with Network Agent instances installed on managed mobile devices. For this purpose, the mobile reserve certificate automatically becomes the new mobile certificate 24 hours before the old mobile certificate expires.
Automatically reissuing mobile certificates is not supported. We recommend that you specify a new mobile certificate when the existing one is about to expire. If the mobile certificate expires and the mobile reserve certificate is not specified, the connection between Administration Server and Network Agent instances installed on managed mobile devices will be lost. In this case, to reconnect managed mobile devices, you must specify a new mobile certificate and reinstall Kaspersky Security for Mobile on each managed mobile device.
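As an added example (not code from Kaspersky or from this documentation), the following Python script reads the validity window from a DER-encoded certificate, such as an exported klserver.cer, and checks it against the lifecycle rules stated above for both the common and the mobile certificates: the 397-day maximum validity period, the reserve certificate generated 90 days before expiration, the switchover 24 hours before expiration, and the loss of connectivity once a certificate that is not reissued automatically expires. The minimal DER walker, the assess function and the constructed sample certificate are assumptions of this example; only the timing values come from the page.

```python
"""Lifecycle check for a DER-encoded Administration Server certificate (for example an
exported klserver.cer): validity of at most 397 days, reserve certificate generated 90 days
before expiry, switchover 24 hours before expiry, no automatic reissue for custom/mobile certs.

The DER walker is a minimal parser written for this example; it reads only the fields needed
to reach the Validity sequence and does not verify signatures.
"""
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 397                 # upper bound for Administration Server certificates
RESERVE_LEAD = timedelta(days=90)       # reserve certificate is generated this long before expiry
SWITCHOVER_LEAD = timedelta(hours=24)   # reserve certificate becomes active this long before expiry


def utc(year, month, day, hour=0, minute=0):
    """Build a timezone-aware UTC timestamp (used as 'now' in checks)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each TLV inside a constructed (SEQUENCE) value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:                                    # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                     # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs = next(_children(cert))                     # tbsCertificate ::= SEQUENCE { ... }
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                            # serialNumber, signature, issuer, validity
    (t1, v1), (t2, v2) = list(_children(validity))[:2]
    return _parse_time(t1, v1), _parse_time(t2, v2)


def assess(der, now):
    """Classify the certificate's lifecycle phase as of 'now' and flag policy violations."""
    not_before, not_after = certificate_validity(der)
    lifetime_days = (not_after - not_before).days
    remaining = not_after - now
    if now >= not_after:
        phase = "expired"            # a certificate that is not reissued automatically: connection loss
    elif remaining <= SWITCHOVER_LEAD:
        phase = "switchover"         # the reserve certificate should now be the active one
    elif remaining <= RESERVE_LEAD:
        phase = "reserve-window"     # the reserve certificate should already have been generated
    else:
        phase = "ok"
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "lifetime_days": lifetime_days,
        "exceeds_max_validity": lifetime_days > MAX_VALIDITY_DAYS,
        "phase": phase,
        "days_remaining": remaining.days,
    }


def _der(tag, payload):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def build_sample_certificate(not_before, not_after):
    """Constructed, structurally minimal certificate blob for demonstration only: it is not a
    real or signed certificate, and only the fields needed to locate Validity are populated."""
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))           # [0] version v3
           + _der(0x02, b"\x01")                      # serialNumber
           + _der(0x30, b"")                          # signature algorithm (placeholder)
           + _der(0x30, b"")                          # issuer (placeholder)
           + validity
           + _der(0x30, b""))                         # subject (placeholder)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    now = utc(2024, 6, 1)
    for label, nb, na in [
        ("one-year certificate, healthy", "240101000000Z", "250101000000Z"),
        ("two-year certificate, over the 397-day limit", "240101000000Z", "260101000000Z"),
        ("61 days left, reserve certificate expected", "230801000000Z", "240801000000Z"),
    ]:
        print(f"{label}: {assess(build_sample_certificate(nb, na), now)}")
```

To run it against a real file, pass the bytes of the exported certificate to assess (for example, open("klserver.cer", "rb").read()). A result with exceeds_max_validity set does not meet the 397-day requirement; a mobile or custom certificate reported as expired is the case in which the page says connectivity with Network Agent is lost and must be restored manually.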
If the connection scenario requires the use of a client certificate on mobile devices (connection involving two-way SSL authentication), you generate those certificates by means of the certificate authority for auto-generated user certificates ("MCA"). Also, the quick start wizard enables you to start using custom client certificates issued by a different certification authority, while integration with the domain Public Key Infrastructure (PKI) of your organization enables you to issue client certificates by means of your domain certification authority.
iOS MDM Server certificate
An iOS MDM Server certificate is required for authentication of Administration Server on mobile devices running the iOS operating system. The interaction with these devices is performed via the Apple mobile device management (MDM) protocol, which involves no Network Agent. Instead, to ensure two-way SSL authentication, you install a special iOS MDM profile containing a client certificate on each device.
Also, the quick start wizard enables you to start using custom client certificates issued by a different certification authority, while integration with the domain Public Key Infrastructure (PKI) of your organization enables you to issue client certificates by means of your domain certification authority.
Client certificates are transmitted to iOS devices when you download those iOS MDM profiles. An iOS MDM Server client certificate is unique for each managed iOS device. You generate all iOS MDM Server client certificates by means of the certification authority for auto-generated user certificates ("MCA").
Kaspersky Security Center Web Server certificate
Kaspersky Security Center Web Server (hereinafter referred to as Web Server), a component of Kaspersky Security Center Administration Server, uses a special type of certificate. This certificate is required for publishing Network Agent installation packages that you subsequently download to managed devices, as well as for publishing iOS MDM profiles, iOS apps, and Kaspersky Security for Mobile installation packages. For this purpose, Web Server can use various certificates.
If mobile device support is disabled, Web Server uses one of the following certificates, in order of priority:
- Custom Web Server certificate that you specified manually by means of Administration Console
- Common Administration Server certificate ("C")
If mobile device support is enabled, Web Server uses one of the following certificates, in order of priority:
- Custom Web Server certificate that you specified manually by means of Administration Console
- Custom mobile certificate
- Self-signed mobile certificate ("M")
- Common Administration Server certificate ("C")
Kaspersky Security Center Web Console certificate
The Kaspersky Security Center Web Console Server (hereinafter referred to as Web Console) has its own certificate. When you open a website, the browser checks whether the connection can be trusted. The Web Console certificate allows the browser to authenticate the Web Console and is used to encrypt traffic between the browser and the Web Console.
When you open the Web Console, the browser may inform you that the connection to the Web Console is not private and the Web Console certificate is invalid. This warning appears because the Web Console certificate is self-signed and automatically generated by Kaspersky Security Center. To remove this warning, you can do one of the following:
- Replace the Web Console certificate with a custom one (recommended option). Create a certificate that is trusted in your infrastructure and that meets the requirements for custom certificates.
- Add the Web Console certificate to the list of trusted browser certificates. We recommend that you use this option only if you cannot create a custom certificate.