KSC update error: retranslation operation results in the TLS error "CrlHasExpired" [KSC for Windows]
Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.
Product: KSC 11 and more recent versions
Consider the following problematic scenario:
You use a caching proxy server, for example Squid, to download updates for the KSC Server. KSC is configured to download updates via HTTPS (the default configuration).
$up2date-1103-eka.log analysis
KL uses the HTTP public key pinning mechanism to verify update server authenticity; a certificate used for authentication is self-signed by KL. A certificate revocation list is also implemented.
More information about the certificate revocation process is available here:
https://learn.microsoft.com/en-us/archive/blogs/ieinternals/understanding-certificate-revocation-checks
https://technet.microsoft.com/en-us/library/ee619754(WS.10).aspx
The CRL was updated at the end of July 2023. The current CRL is available at: http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl
The old CRL was valid until 23.7.2023 and has now expired.
When KSC requests the CRL file, the proxy server returns its cached (expired) copy instead of fetching the new one, so CRL verification fails.
The following lines in $up2date-1103-eka.log identify the issue precisely:
04:01:48.817 0x326c INF httpcli cert_revoke 0x70e2908 Got error: 0xa0010019 (http_client::eCrlHasExpired)
04:01:48.817 0x326c INF httpcli Req 0x70e2908 <- HttpsErrorOccurs: Revocation Error [0xa0010019 (http_client::eCrlHasExpired)
04:01:48.892 0x1d0c INF updater core: ========= Downloading primary index result TLS error =========
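The quickest way to confirm that the proxy is the culprit is to download the CRL once through the proxy and once directly from the origin, and compare their nextUpdate fields. The script below is an added example (not part of this article and not Kaspersky code): it reads thisUpdate/nextUpdate straight out of a DER CRL with a minimal ASN.1 walk, so it needs no third-party library. The CRL it parses is a constructed sample with a dummy issuer and a zero-filled signature; only its validity dates (valid until 23.7.2023, as the article states for the old CRL) are taken from the page.

```python
import datetime as dt

SEQUENCE, INTEGER, UTCTIME, GENTIME = 0x30, 0x02, 0x17, 0x18
UTC = dt.timezone.utc


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Decode the element at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def parse_time(tag, value):
    """Decode an X.509 Time (UTCTime or GeneralizedTime) to an aware datetime."""
    s = value.decode("ascii")
    if tag == UTCTIME:  # YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != GENTIME:
        raise ValueError(f"unexpected tag 0x{tag:02x} where a Time was expected")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate may be None.

    Walk: CertificateList -> TBSCertList -> [version] signature issuer thisUpdate [nextUpdate].
    Only the validity window is read; the CRL signature is not verified here.
    """
    tag, cert_list, _ = read_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("not a DER CRL (outer SEQUENCE missing)")
    tag, tbs, _ = read_tlv(cert_list)
    if tag != SEQUENCE:
        raise ValueError("not a DER CRL (TBSCertList missing)")
    tag, _, pos = read_tlv(tbs)            # version (optional) or signature
    if tag == INTEGER:
        tag, _, pos = read_tlv(tbs, pos)   # signature AlgorithmIdentifier
    tag, _, pos = read_tlv(tbs, pos)       # issuer Name
    tag, val, pos = read_tlv(tbs, pos)     # thisUpdate
    this_update = parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, _ = read_tlv(tbs, pos)
        if tag in (UTCTIME, GENTIME):      # nextUpdate is optional in the ASN.1
            next_update = parse_time(tag, val)
    return this_update, next_update


def crl_is_expired(der, now):
    """True when nextUpdate lies in the past, i.e. the condition behind eCrlHasExpired."""
    _, next_update = crl_validity(der)
    return next_update is not None and now > next_update


def _utctime(d):
    return tlv(UTCTIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_crl(this_update, next_update):
    """Constructed demo CRL: v2, sha256WithRSAEncryption OID, dummy issuer,
    no revoked entries, zero-filled signature. It exercises crl_validity()
    and would fail any real signature check."""
    sig_alg = tlv(SEQUENCE, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    issuer = tlv(SEQUENCE, tlv(0x31, tlv(SEQUENCE,
                 tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Sample CRL issuer"))))
    tbs = tlv(SEQUENCE, tlv(INTEGER, b"\x01") + sig_alg + issuer
              + _utctime(this_update) + _utctime(next_update))
    return tlv(SEQUENCE, tbs + sig_alg + tlv(0x03, bytes(9)))


# Sample "old CRL" with the validity end date the article gives (23.7.2023).
OLD_CRL = build_sample_crl(dt.datetime(2023, 6, 23, tzinfo=UTC), dt.datetime(2023, 7, 23, tzinfo=UTC))
NOW_BEFORE_EXPIRY = dt.datetime(2023, 7, 1, tzinfo=UTC)
NOW_AFTER_EXPIRY = dt.datetime(2023, 8, 1, tzinfo=UTC)

if __name__ == "__main__":
    this_u, next_u = crl_validity(OLD_CRL)
    print(f"thisUpdate={this_u:%Y-%m-%d} nextUpdate={next_u:%Y-%m-%d} "
          f"expired now={crl_is_expired(OLD_CRL, NOW_AFTER_EXPIRY)}")
```

Against a live proxy, save the CRL fetched through it (for example with curl and its -x proxy option) and the one fetched directly, then call crl_validity() on each file's bytes: if the proxied copy reports a nextUpdate in the past while the direct copy does not, the proxy is serving the stale object and the steps below apply.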
Troubleshooting steps
- To solve the problem, the administrator of the proxy server should turn off caching of the http://crl.kaspersky.com/cdp/KasperskyLabPublicServicesRootCertificationAuthority.crl file. It is recommended to turn off caching for all files downloaded from the public update servers using these masks:
*.kaspersky.com
*.kaspersky-labs.com
- Set a server flag for KSC using the following command:
klscflag.exe -fset -pv klserver -s Updater -n DisableKLHttps -t d -v 1
Also set the same flag for Update Agents (Distribution Points) that get updates from the Internet, if any:
klscflag.exe -fset -pv klnagent -s Updater -n DisableKLHttps -t d -v 1
- Explicitly set an update task to use HTTP sources for URLs, for example, http://p00.upd.kaspersky.com. The full list of HTTP-enabled sources can be found in the <insecure_sites_list> parameter at http://dnl-05.geo.kaspersky.com/updates/upd/updcfg2.xml
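For the first option above, this is how the "do not cache" rule for the two masks looks in a Squid configuration. It is an added example, not taken from the article; it assumes Squid 3.x or later syntax in squid.conf, and the ACL name kl_nocache is a placeholder of our choosing.

```conf
# Added example: exclude Kaspersky update and CRL hosts from the Squid cache.
# A leading dot in dstdomain matches the domain and every subdomain,
# which is the same scope as the masks *.kaspersky.com and *.kaspersky-labs.com.
acl kl_nocache dstdomain .kaspersky.com .kaspersky-labs.com
cache deny kl_nocache
```

Apply the change with squid -k reconfigure. Note that cache deny only stops new objects from being stored: a CRL copy that is already in the cache stays there until it is evicted or purged, so the stale file should be purged explicitly after the rule is in place.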