How to create the certificate from Internal CA and change KATA CN Web UI Certificate [KATA/KEDRE]



1. Pre-requisites

  • The file must contain the certificate itself and a private encryption key for the connection.
  • The file must be in PEM format. The application does not support other formats of certificates.
  • If you have prepared a certificate in a different format, you must convert it to the PEM format.
  • The private key length must be 2,048 bits or longer.

Before replacing the certificate, delete all Endpoint Agent host isolation rules. Once the certificate is replaced, connection with the isolated hosts and control over them will be lost.

2. Certificate creation and Configuration steps:

To create a Certificate Signing Request file using the openssl utility:

1. Prepare a file named cn.config (the name passed to -config in step 3) with the following contents:

[req]
default_bits=2048
prompt=no
default_md=sha256
req_extensions=req_ext
distinguished_name=dn
[dn]
C=AE
ST=North
L=Dubai
O=ABC LAB
OU=IT Security
emailAddress=security@abc.lab
CN=katacn.abc.lab
[req_ext]
subjectAltName=@alt_names
[alt_names]
DNS.1=katacn.abc.lab

2. Create a private RSA key in PEM format (without a passphrase):

#openssl genrsa -out cn.key 2048

3. Create a Certificate Signing Request using the following command:

#openssl req -new -sha256 -key cn.key -out cn.csr -config cn.config

4. Generate the certificate (as a Web Server certificate) from the internal CA, Base64-encoded and with the certificate chain.

Access your internal CA on the Domain Controller at https://dc.abc.lab/certsrv and follow the instructions in the screenshots below.

5. Get the certificate from the Certificate Authority in P7B format.

6. Open the certificate and export the certificates as Service/Server/Root (names given for identification only), as shown in the screenshot below.

7. While exporting the certificates, select Base64 as the encoding.

8. Concatenate the certificates into one file in the order below and save it in .CRT format. If you don’t have a server certificate, you can add the service and root certificates only.

  • Top - Service
  • Middle - Server
  • Bottom - Root

9. To create the .PEM file you need the private key (take it from where you created the CSR).

10. Run the commands below using OpenSSL on Windows or Linux to convert the file to .PEM format:

#openssl pkcs12 -export -in cn.crt -inkey cn.key -out cn.p12

#openssl pkcs12 -in cn.p12 -nodes -out cn.pem

11. Once you have the certificate in cn.pem, upload it to the Central Node Web UI as described in the steps below.

  • Upload the TLS certificate in the web interface of the PCN or SCN server to which you want to upload the certificate.
  • To upload an independently prepared TLS certificate using the Kaspersky Anti Targeted Attack Platform web interface:
  • Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator
  • In the window of the application web interface, select the Settings section, Certificates subsection.
  • In the Server certificate section, click 
  • This opens the file selection window.
  • Select a TLS certificate file to download and click the Open button.
  • This closes the file selection window.
Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.

The TLS certificate is added to the Kaspersky Anti Targeted Attack Platform.

12. After replacing the certificate, don't forget to replace it in KES Policy → Detection and Response → Endpoint Detection and Response (KATA) → Server Connection Settings: delete the existing certificate and select the new Server TLS certificate (not the Add Client certificate).

13. The certificate you specify here needs to be in CRT format. You can get it by downloading the certificate from CN → Settings → Certificates → Server certificate and clicking Export.

14. Open the KATA CN Web UI using the hostname in a new tab/window and verify the certificate.
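
Before uploading cn.pem in step 11, the file can be checked against the pre-requisites in section 1 and against the host name requested in the CSR. The script below is an added example, not part of the original post; it assumes openssl is on the PATH, and the function name check_kata_pem, the script name and the exit codes are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): pre-upload check of the combined
# PEM file against the pre-requisites in section 1.
# Usage: sh check_pem.sh cn.pem katacn.abc.lab   (script name is hypothetical)

check_kata_pem() {
    pem=$1
    host=$2

    # The file must contain the certificate itself ...
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate in $pem"; return 1; }

    # ... and an unencrypted private key (step 2: no passphrase).
    grep -Eq -e '-----BEGIN (RSA )?PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no unencrypted private key in $pem"; return 2; }

    # The private key length must be 2,048 bits or longer.
    bits=$(openssl pkey -in "$pem" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-unreadable} bits, need 2048 or more"; return 3; }

    # The key must belong to the first certificate in the file: compare the
    # public key inside the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match the first certificate"; return 4; }

    # The issued certificate must be valid for the host name used to open the
    # Web UI (the CA may have dropped the subjectAltName requested in the CSR).
    openssl x509 -in "$pem" -noout -checkhost "$host" 2>&1 |
        grep -q 'does match certificate' ||
        { echo "FAIL: certificate is not valid for $host"; return 5; }

    echo "OK: $pem has a matching ${bits}-bit key and is valid for $host"
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    check_kata_pem "$1" "$2"
fi
```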
