Jump to content

How to add a custom certificate for administration server [KSC for Windows]

Recommended Posts

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Maximum validity of the custom certificate (administration server/web console):

  • A maximum of 5 years can be stored as the maximum validity for the certificate for the administration server
  • The maximum validity for the certificate for the web console cannot exceed 397 days

Two different certificates must be used:

In general, it is important that the custom certificate meets the following requirements:

Certificates issued by public CA do not have this permission, so they cannot be used:

How to create a pkcs12 file with an ordered certificate chain:

The certificate chain is very important for connecting devices to find out if the ssl certificate is created by a trusted authority.

After that is done do the following:

1. Create an empty file (C:\temp\cert-chain.txt) on your PC and past the following inside it:


(Your Primary SSL certificate from C:\temp\your_domain_name.crt)



(Your Intermediate certificate from C:\temp\TheIntermediateCA.crt)



(Your Root certificate part from C:\temp\TheTrustedRoot.crt)


2. Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM txt format). The order above is VERY important, so do not mix it.

3. Export the private key (unencrypted in text format) with XCA from your certificate and store it inside C:\temp\server.pemkey

4. Now merge everything together as pkcs12 (filename extension for PKCS #12 files is .p12 or .pfx). To do that open a CMD (run as admin) and perform:

openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx

5. Your PFX file is now ready to be used. 

KSC - Information about the self-signed certificate:

  • The self-signed certificate when installing the KSC has a maximum validity of 1 year (limit of 397 days).
  • The Administration Server certificate is created automatically during the installation of the Administration Server component and is saved in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder.
  • A new certificate will be generated by the Administration Server as a reserve certificate 90 days before the expiry date of the current certificate. The new certificate automatically replaces the current certificate one day before the expiration date.
  • All Network Agents on client devices will be automatically reconfigured to authenticate Administration Server with the new certificate. Clients that do not identify themselves with the Administration Server within 90 days must be reconnected manually. 

Proxy for the web console

The option can be implemented only when installing the web console on another device and accessing the Administration Server.

  • Thanks 1
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in

Sign In Now

  • Create New...