Generating or uploading a TLS certificate of the server

If you are already using a server TLS certificate, generating or uploading a new certificate causes the currently used certificate to be removed and replaced with the new certificate.

You must enter the data of the new certificate everywhere the old certificate was used.

If you replace the TLS certificate, you will need to

• Reauthorize mail sensors (KSMG, KLMS) on Central Node.
• Reconfigure the connection of Central Node, PCN, and SCN to Sandbox.
• Reconfigure traffic forwarding from Endpoint Agent to Sensor and trusted connection with Endpoint Agent.
• Upload a new certificate to Active Directory (if you are using Active Directory).

Please delete all Endpoint Agent host isolation rules. Connection with the isolated hosts and control over them will be lost.

You can generate a new certificate in the web interface: of the Central Node server or upload a certificate that you have created independently.

If you are using the distributed solution and multitenancy mode, use the web interface of the PCN or SCN server for which you want to configure parameters.

Operation mode in which Kaspersky Anti Targeted Attack Platform is used to protect the infrastructure of multiple organizations or branch offices of the same organization simultaneously.

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

To generate a TLS certificate for a Central Node server:

1. Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
2. In the window of the application web interface, select the Settings section, Certificates subsection.
3. In the Server certificate section, click Generate.

   This opens the action confirmation window.

4. Click Yes.

Kaspersky Anti Targeted Attack Platform generates a new TLS certificate. The page is automatically refreshed.

Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.

You can choose to prepare the TLS certificate on your own and upload it using the Kaspersky Anti Targeted Attack Platform web interface.

The TLS certificate file prepared for upload must satisfy the following requirements:

• The file must contain the certificate itself and a private encryption key for the connection.
• The file must be in PEM format.

  The application does not support other formats of certificates.

  If you have prepared a certificate in a different format, you must convert it to the PEM format.

• The private key length must be 2,048 bits or longer.

For more details on preparing TLS certificates for import, please refer to the documentation on Open SSL.

Upload the TLS certificate in the web interface of the PCN or SCN server to which you want to upload the certificate.

To upload a prepared TLS certificate using the Kaspersky Anti Targeted Attack Platform web interface:

1. Sign in to the Kaspersky Anti Targeted Attack Platform web interface with the administrator credentials.
2. In the window of the application web interface, select the Settings section, Certificates subsection.
3. In the Server certificate section, click Upload.

   This opens the file selection window.

4. Select a TLS certificate file to download and click the Open button.

   This closes the file selection window.

The TLS certificate is added to the Kaspersky Anti Targeted Attack Platform.

Communication with the mail sensors, the Sandbox component, and the Kaspersky Endpoint Agent application is interrupted until reauthorization.