Jump to content

KSC12 Invalid Administration Server Certificate File


Go to solution Solved by MilanBortel,

Recommended Posts

Posted

I think I’m in trouble, hoping for some help here.

I installed KSC12 and installed a Sectigo certificate a good while back ( a year or so). All has been working great up until yesterday where I started getting an error when opening the KSC Console “Invalid Administration Server Certificate File”.

After some troubleshooting, I found that when I change the date back to 29 May on the server, the KSC console launches just fine. If I set the date to 30 May or beyond, I get the error.

Turns out that effin Sectigo have been issuing certificates using AddTrust External CA Root which coincidently expired 30 May 2020 (https://thesslonline.com/blog/sectigo-addtrust-external-ca-root-expiring-may-30-2020). Why on earth they would issue certificates using that CA for certificates with a validity date beyond 30 May 2020 is a MYSTERY to me to say the least…

My actual certificate is valid until 21 April 2021.

Biggest problem is that even if I change the date back on the KSC server to 29 May and I can get into the KSC console, all the clients are apparently not connecting to KSC. I have 250 machines installed in worldwide locations and don’t have access to most of them physically.

Is there anything I can do to get the clients back on KSC, or is it a total loss?

  • Solution
MilanBortel
Posted

Hi @mfpoulsen,
what a mess, I have to say! Clients are not connecting to KSC, because the certificate is no longer valid obviously.

I can think of 2 ways out:

  1. installing new cert on KSC (see https://support.kaspersky.com/12604#block2)
    - this would not connect hosts back to KSC, since they won’t learn of the new cert.. you’d need to run klmover utility locally on the clients to set up new cert (see https://help.kaspersky.com/KSC/SP3/en-US/3911.htm)
  2. fresh KSC installation (would get new certificate) + reinstalling Network Agents on all clients

Maybe someone here will come up with other workaround..

Cheers,
Milan

Posted

Thanks @MilanBortel 

I managed to get the Administration Server itself up and running again pretty easily. Just edited C:\ProgramData\KasperskyLab\adminkit\1093\cert\klserver.cer and replaced the expired root with the AAA Certificate Services cross-signed certificate that Sectigo made available. After a reboot, the KSC console opens just fine with todays date.

It’s a different story for the clients though. They’re as dead as can be. Brought them back to life by doing these commands on each client:

Windows

Open a DOS prompt or Start --> Run

"%PROGRAMFILES(X86)%\Kaspersky Lab\NetworkAgent\klmover.exe" -address ksc.domain.com/virtualserver -pn 80 -ps 443

Mac

Open Terminal

sudo /Library/Application\ Support/Kaspersky\ Lab/klnagent/Binaries/klmover -address ksc.domain.com/virtualserver -pn 80 -ps 443

Enter the users password

It is a very cruel process to go through though I have to say. If only Sectigo had said something or if only Kaspersky had updated the Network Agent core to use the InCommon certificate chain best practices that’s been around since 2015, it wouldn’t have been a problem (https://its.umich.edu/computing/web-mobile/web-application-hosting/ssl-server-certificates) Now it’s just the perfect storm…

Anyway will cut my losses and move on… Nothing else I can do about it now...

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now


×
×
  • Create New...