How to replace iOS MDM Server Client Root Certificate [KSC for Windows]

Antipova Anna
Posted

Problem

There is no mechanism to replace the client root certificate used for iOS MDM through a reserve (backup) certificate.

Because of this, replacing the client root certificate used for iOS MDM causes the iOS MDM server to lose synchronization with all devices.

Details of the active certificate can be viewed in the properties of the iOS MDM server, on the "Certificates" tab.

Step-by-step guide

The iOS MDM Server Client Root certificate replacement procedure includes the following steps:

  1. Back up the iOS MDM Server configuration with the kliosbackup utility (the same utility restores it with -restore): kliosbackup -backup(-restore) -path BACKUP_PATH [-pwd PASSWORD]
  2. Back up the Kaspersky Security Center configuration with the klbackup utility or the 'Backup of Administration Server data' task;
  3. Create a new certificate in PKCS#12 format using your PKI infrastructure;
  4. Pass the certificate to the klsetsrvcert tool exactly as described in the online help for your Kaspersky Security Center version (for example, for KSC 14.2: https://support.kaspersky.com/KSC/14.2/en-US/227838.htm):

    klsetsrvcert -t MCA {-i <inputfile> [-p <password>] | -g <dnsname>} [-l <logfile>]

These actions update the iOS MDM Server Client Root certificate. To make sure the new certificate has been installed, check C:\ProgramData\KasperskyLab\adminkit\1093\cert\klsrvmdm.cer.

Recommendations:

  • Validity: up to 5 years
  • Key length: 4096 bits (2048 bits is also possible, but for a five-year certificate it is still better to use 4096)
  • Set the EKU (Extended Key Usage) of this certificate to Client Authentication
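The following script is an added example, not code from the original post or from Kaspersky. It assumes the OpenSSL command-line tool (1.1.1 or later) is available; the subject name, file names and export password are constructed placeholders, and the self-signed CA stands in for a certificate issued by your own PKI. It builds a candidate client root certificate with the parameters recommended above (RSA 4096, 5 years, EKU Client Authentication), exports it as PKCS#12 for klsetsrvcert, and provides helpers to read back the key size, EKU, remaining validity and SHA-256 fingerprint of a certificate file (DER or PEM), which is what you would compare on klsrvmdm.cer before and after the replacement.

```shell
#!/bin/sh
# Added example, not code from the original post or from Kaspersky.
# Assumes the OpenSSL CLI (1.1.1+); subject, file names and password are placeholders.
set -eu

# Build a self-signed client root CA (RSA 4096, 1826 days = 5 years incl. a leap
# day, EKU = clientAuth) and bundle key + certificate into a PKCS#12 file.
make_mdm_root_p12() {
    out=$1      # .p12 to hand to: klsetsrvcert -t MCA -i <out> -p <pass>
    pass=$2     # PKCS#12 export password
    subj=$3     # X.509 subject, e.g. '/CN=iOS MDM Client Root CA/O=Example Org'
    work=$(mktemp -d)
    # Extension profile for a CA that issues client certificates. The keyUsage
    # bits are this example's choice; the post itself only asks for the EKU.
    cat > "$work/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = replaced-by-subj-option
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 1826 \
        -subj "$subj" -config "$work/ca.cnf" -extensions v3_ca \
        -keyout "$work/ca.key" -out "${out%.p12}.cer" 2>/dev/null
    openssl pkcs12 -export -inkey "$work/ca.key" -in "${out%.p12}.cer" \
        -name "iOS MDM client root" -out "$out" -passout "pass:$pass"
    rm -rf "$work"          # the plaintext key now exists only inside the .p12
}

# Run "openssl x509 -noout <args>" on a certificate file in DER or PEM form.
_x509() {
    f=$1; shift
    if openssl x509 -in "$f" -inform DER -noout 2>/dev/null; then
        openssl x509 -in "$f" -inform DER -noout "$@"
    else
        openssl x509 -in "$f" -inform PEM -noout "$@"
    fi
}

# RSA modulus size in bits (e.g. 4096).
cert_key_bits() {
    _x509 "$1" -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Exit 0 when the certificate carries the Client Authentication EKU.
cert_has_client_auth() {
    _x509 "$1" -text | grep -q 'TLS Web Client Authentication'
}

# Exit 0 when the certificate is still valid $2 days from now.
cert_valid_after_days() {
    _x509 "$1" -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint of a certificate file.
cert_sha256() {
    _x509 "$1" -fingerprint -sha256 | sed 's/.*Fingerprint=//'
}

# SHA-256 fingerprint of the certificate inside a .p12, to compare with what
# actually landed in ...\cert\klsrvmdm.cer after klsetsrvcert.
p12_cert_sha256() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/.*Fingerprint=//'
}

# Stand-alone run: build the candidate in a scratch directory and print the
# facts an administrator would compare against the installed klsrvmdm.cer.
DEMO_DIR=$(mktemp -d)
DEMO_PASS='ExamplePassw0rd'     # constructed placeholder
make_mdm_root_p12 "$DEMO_DIR/mdm-root.p12" "$DEMO_PASS" \
    '/CN=iOS MDM Client Root CA (example)/O=Example Org'
echo "key bits:     $(cert_key_bits "$DEMO_DIR/mdm-root.cer")"
echo "client auth:  $(cert_has_client_auth "$DEMO_DIR/mdm-root.cer" && echo yes || echo no)"
echo "fingerprint:  $(cert_sha256 "$DEMO_DIR/mdm-root.cer")"
echo "in .p12:      $(p12_cert_sha256 "$DEMO_DIR/mdm-root.p12" "$DEMO_PASS")"
```

Run `cert_sha256` against the current klsrvmdm.cer before step 4 and again afterwards; the fingerprint should change from the old value to the one reported for the .p12, which confirms that klsetsrvcert installed the certificate you submitted rather than leaving the previous one in place.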

Automatic replacement of the client root certificate used for iOS MDM, when that certificate was issued with Administration Server tools, is implemented in KSC 12.2 and later.
