
Igor Akhmetov
Posted


This article is about Kaspersky Security Center for Windows (KSC for Windows)

Problem:

KSC certificate renewal or replacement is performed incorrectly because the option that replaces the server certificate instantly is used.

There is an article in the Online Help dedicated to the klsetsrvcert utility (https://support.kaspersky.com/KSC/13.2/en-US/227838.htm). Sometimes people follow the example given in that article, "klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA", without thinking about the consequences. As a result, Network Agents (nagents) do not receive the new certificate, and the administrator has to reconnect them with the klmover utility.

Cause:

After the certificate is renewed with the "-t C" option, Network Agents do not receive the new certificate and lose their connection to the server.

Solution:

Run the certificate renewal script with the "-t CR" option (CR: replace the common reserve certificate for ports 13000 and 13291) and the "-f" option, which takes a date in the <dd.mm.yyyy> format; specify a date 34 weeks ahead of the current one.

The time we set aside for changing the certificate to a backup one will allow a new certificate to be distributed to all Kaspersky Network Agents (Nagent):


-t <type>

Type of certificate to be replaced. Possible values of the <type> parameter:

  • C—Replace the common certificate for ports 13000 and 13291.
  • CR—Replace the common reserve certificate for ports 13000 and 13291.
  • M—Replace the certificate for mobile devices on port 13292.
  • MR—Replace the mobile reserve certificate for port 13292.
  • MCA—Mobile client CA for auto-generated user certificates.

-f <time>

Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).

Use this parameter if you want to replace the common or reserve certificate before it expires.

Specify the time when managed devices must synchronize with Administration Server on a new certificate.

For example, consider the command "klsetsrvcert.exe -f "DD-MM-YYYY hh:mm" -t CR -g nb.loc". Since this command was used in October, a backup certificate would be created and distributed to all nagents within a month. Thus, the certificate should have been applied on November 1, 2022. 


Let's check if the backup certificate has applied to the host. To do this, using the klscflag utility, enter the command: klscflag.exe -ssvget -pv 1103/1.0.0.0 -s KLNAG_SECTION_CERTDATA -n KLNAG_SSL_SERVER_CERT_RESERVE -ss '|ss_type = \"SS_LOCAL_MACHINE\";'


The certificate has been delivered.
If the backup certificate has not yet been delivered to the destination host, the same command will instead show that the reserve certificate is missing.

Known problem:

Problem with Web Console login (incorrect user or password): see article

Error - Failed to establish connection with the remote device:


This error occurs because two consecutive commands are executed on the same line. The first command is "-t CR -g nb.loc" and the second is "-f '20-12-2023 00:00'". Because the Administration Server restarts after the first command, the second command waits for a fixed timeout before executing. In some configurations, however, restarting the service takes longer than that timeout, so the second command runs while the server is not yet up, which produces the error above.

In order to fix this behavior, you need to run the commands separately, according to this scenario:

  1. Run .\klsetsrvcert.exe -t CR -g nb.loc
  2. Wait until the administration server service starts completely (you can check by connecting the console).
  3. Run .\klsetsrvcert.exe -f '20-12-2023 00:00'
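The three-step scenario above as an added PowerShell example (not code from the original post): it installs the reserve certificate, waits until the Administration Server service is running and accepts connections on port 13291, and only then schedules the switch-over. The service name kladminserver, the location of klsetsrvcert.exe in the current directory, and the nb.loc / date values (taken from the post's example) are assumptions; adjust them to your installation.

```powershell
# Added example, not part of the original post. Assumptions: klsetsrvcert.exe is in the
# current directory, the Administration Server service is named "kladminserver", and the
# -g value and the schedule date are placeholders copied from the post's example.
$ServiceName = 'kladminserver'
$KscServer   = 'nb.loc'             # replace with your Administration Server DNS name
$KscPort     = 13291                # port covered by the common/reserve certificate
$SwitchDate  = '20-12-2023 00:00'   # "DD-MM-YYYY hh:mm": far enough ahead for every Nagent to receive the reserve certificate

function Wait-KscServer {
    # Returns $true once the service reports Running AND the KSC port accepts a TCP connection.
    param([string]$Name, [string]$Server, [int]$Port, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ((Get-Date) -lt $deadline) {
        $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            # "Running" alone is not enough right after a restart; confirm the listener is up.
            if (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue) {
                return $true
            }
        }
        Start-Sleep -Seconds 10
    }
    return $false
}

# Step 1: install the new certificate as the reserve (CR) certificate. The service restarts after this.
& .\klsetsrvcert.exe -t CR -g $KscServer
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert -t CR failed with exit code $LASTEXITCODE" }

# Step 2: wait for the Administration Server to come back completely (the post's "check by connecting the console").
if (-not (Wait-KscServer -Name $ServiceName -Server $KscServer -Port $KscPort)) {
    throw "Administration Server not reachable on ${KscServer}:$KscPort within the timeout; switch-over not scheduled"
}

# Step 3: only now schedule the switch from the current certificate to the reserve one.
& .\klsetsrvcert.exe -f $SwitchDate
if ($LASTEXITCODE -ne 0) { throw "klsetsrvcert -f failed with exit code $LASTEXITCODE" }
```

Run it in an elevated PowerShell session on the Administration Server host; if step 2 times out, nothing is scheduled and the "Failed to establish connection" error described above is avoided rather than hidden.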


  • The title was changed to How to renew the KSC certificate correctly [KSC for Windows]