
How to replace pinned TLS Certificate [KATA/KEDRE]



KATA / EDR uses a single certificate for all connections (such as web server and client connections). If you plan to replace it, do so at an early stage of deployment.

If you want to replace the TLS certificate, you will need to:

  • Reauthorize mail sensors (KSMG, KLMS) on Central Node.
  • Reconfigure connection of Central Node, PCN and SCN to Sandbox.
  • Reconfigure Endpoint Agent traffic redirection to Sensor and trusted connection with Endpoint Agent.
  • Upload a new certificate in Active Directory (if you use it in Active Directory).

The prepared TLS certificate must satisfy the following requirements:

  • The file must contain the certificate itself and a private encryption key for the connection. To generate a PEM file from your PKI PFX, you can use the following command:
    openssl pkcs12 -in mySecureCertificate.pfx -out kata.pem -nodes
  • The file must be in PEM format.
  • The private key length must be 2048 bits or longer.
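
The requirements above can be checked before uploading the file. The following is an added example, not part of the original post or vendor tooling; `check_kata_pem` is a hypothetical helper name, and it assumes the `openssl` CLI is installed and that the key is unencrypted, as the `-nodes` export produces.

```shell
#!/bin/sh
# Added example (not vendor code). check_kata_pem is a hypothetical helper name.
# Usage: check_kata_pem kata.pem [min_bits]
check_kata_pem() {
    pem="$1"
    min_bits="${2:-2048}"

    [ -r "$pem" ] || { echo "FAIL: cannot read $pem"; return 1; }

    # Requirement: PEM file containing the certificate itself.
    # openssl x509 parses the first certificate block in the file.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 \
        || { echo "FAIL: no PEM certificate in $pem"; return 1; }

    # Requirement: the same file carries the private key. An empty passphrase
    # is supplied so an encrypted key fails here instead of prompting
    # (assumption: the key is unencrypted, as the -nodes export produces).
    openssl pkey -in "$pem" -passin pass: -noout >/dev/null 2>&1 \
        || { echo "FAIL: no unencrypted private key in $pem"; return 1; }

    # The key must belong to the certificate: compare the public halves.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match the first certificate"; return 1; }

    # Requirement: key length of 2048 bits or longer.
    bits=$(openssl pkey -in "$pem" -passin pass: -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] \
        || { echo "FAIL: key is ${bits:-unknown} bits, need >= $min_bits"; return 1; }

    echo "OK: $pem holds a certificate and matching ${bits}-bit private key"
}
```

If the PFX also contains CA certificates, a mismatch failure can mean the first certificate in kata.pem is not the server certificate. Because `-nodes` writes the private key unencrypted, keep kata.pem readable only by the account performing the upload.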

After replacing the certificate, don't forget to replace it in KEA Policy → KATA Integration → KATA Integration Settings → Add new TLS certificate (not the Add Client certificate).

The certificate you specify needs to be in CRT format. You can get it by downloading the certificate from CN → Settings → General Settings → Download.
