How to add a custom certificate for administration server [KSC for Windows]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Maximum validity of the custom certificate (administration server/web console):

• A maximum of 5 years can be stored as the maximum validity for the certificate for the administration server
• The maximum validity for the certificate for the web console cannot exceed 397 days

Two different certificates must be used:

• After the specified time has expired, a new certificate must be generated manually (at best 90 days in advance) and stored as a replacement certificate. Clients that do not identify themselves with the administration server within 90 days must be reconnected manually https://support.kaspersky.com/KSC/13.2/en-US/227839.htm
• The certificate must be replaced using klsetsrvcert: https://support.kaspersky.com/KSC/13.2/en-US/227838.htm

In general, it is important that the custom certificate meets the following requirements:

• https://support.kaspersky.com/KSC/13.2/en-US/155201.htm
• https://support.kaspersky.com/KSC/13.2/en-US/191451.htm
• Custom certificate should also have a certificate signing permission, it is vital in case of using Distribution Points.

Certificates issued by public CA do not have this permission, so they cannot be used:

• https://support.kaspersky.com/KSC/13.2/en-US/155201.htm

How to create a pkcs12 file with an ordered certificate chain:

The certificate chain is very important for connecting devices to find out if the ssl certificate is created by a trusted authority.

After that is done do the following:

1. Create an empty file (C:\temp\cert-chain.txt) on your PC and past the following inside it:

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate from C:\temp\your_domain_name.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Intermediate certificate from C:\temp\TheIntermediateCA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Root certificate part from C:\temp\TheTrustedRoot.crt)

-----END CERTIFICATE-----

2. Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM txt format). The order above is VERY important, so do not mix it.

3. Export the private key (unencrypted in text format) with XCA from your certificate and store it inside C:\temp\server.pemkey

4. Now merge everything together as pkcs12 (filename extension for PKCS #12 files is .p12 or .pfx). To do that open a CMD (run as admin) and perform:

openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx

5. Your PFX file is now ready to be used. 

KSC - Information about the self-signed certificate:

• The self-signed certificate when installing the KSC has a maximum validity of 1 year (limit of 397 days).
• The Administration Server certificate is created automatically during the installation of the Administration Server component and is saved in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder.
• A new certificate will be generated by the Administration Server as a reserve certificate 90 days before the expiry date of the current certificate. The new certificate automatically replaces the current certificate one day before the expiration date.
• All Network Agents on client devices will be automatically reconfigured to authenticate Administration Server with the new certificate. Clients that do not identify themselves with the Administration Server within 90 days must be reconnected manually. 

Proxy for the web console

The option can be implemented only when installing the web console on another device and accessing the Administration Server.