Kaspersky Security Center 14

Replacing the Administration Server certificate by using the klsetsrvcert utility

26 February 2024

ID 227838

To replace the Administration Server certificate:

From the command line, run the following utility:

klsetsrvcert [-t <type> {-i <inputfile> [-p <password>] [-o <chkopt>] | -g <dnsname>}][-f <time>][-r <calistfile>][-l <logfile>]

You do not need to download the klsetsrvcert utility. It is included in the Kaspersky Security Center distribution kit. It is not compatible with previous Kaspersky Security Center versions.

The description of the klsetsrvcert utility parameters is presented in the table below.

Values of the klsetsrvcert utility parameters

Parameter

Value

-t <type>

Type of certificate to be replaced. Possible values of the <type> parameter:

  • C—Replace the common certificate for ports 13000 and 13291.
  • CR—Replace the common reserve certificate for ports 13000 and 13291.
  • M—Replace the certificate for mobile devices on port 13292.
  • MR—Replace the mobile reserve certificate for port 13292.
  • MCA—Mobile client CA for auto-generated user certificates.

-f <time>

Schedule for changing the certificate, using the format "DD-MM-YYYY hh:mm" (for ports 13000 and 13291).

Use this parameter if you want to replace the common or common reserve certificate before it expires.

Specify the time when managed devices must synchronize with Administration Server using the new certificate.

-i <inputfile>

Container with the certificate and a private key in the PKCS#12 format (file with the .p12 or .pfx extension).

-p <password>

Password used for protection of the p12 container.

The container holds both the certificate and its private key, so the password is required to decrypt the container file.

-o <chkopt>

Certificate validation parameters (semicolon separated).

To use a custom certificate without signing permission, specify -o NoCA in the klsetsrvcert utility. This is useful for certificates issued by a public CA.

-g <dnsname>

A new certificate will be created for the specified DNS name.

-r <calistfile>

List of trusted root certification authorities, in PEM format.

-l <logfile>

Results output file. By default, the output is redirected into the standard output stream.

For example, to specify the custom Administration Server certificate, use the following command:

klsetsrvcert -t C -i <inputfile> -p <password> -o NoCA

After the certificate is replaced, all Network Agents connected to Administration Server through SSL lose their connection. To restore it, use the command-line klmover utility.

Automatically reissuing mobile certificates is not supported. We recommend that you specify a new mobile certificate when the existing one is about to expire. If the mobile certificate expires and the mobile reserve certificate is not specified, the connection between Administration Server and Network Agent instances installed on managed mobile devices will be lost. In this case, to reconnect managed mobile devices, you must specify a new mobile certificate and reinstall Kaspersky Security for Mobile on each managed mobile device.

To avoid losing Network Agent connections, use the following commands:

  1. klsetsrvcert.exe -t CR -i <inputfile> -p <password> -o NoCA to install the new certificate.
  2. klsetsrvcert.exe -f "DD-MM-YYYY hh:mm" to specify the date when the new certificate will be applied.

Here, "DD-MM-YYYY hh:mm" is a date 3–4 weeks later than the current date. Delaying the switch to the new certificate gives it time to be distributed to all Network Agents.
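
An added example (not from the Kaspersky documentation or product) for the two-step reserve-certificate procedure above: a PowerShell pre-flight check that opens the PKCS#12 container, confirms it holds a private key and is valid at the planned switch time, and prints both commands with the -f value filled in. It assumes that "signing permission" corresponds to the CA flag in Basic Constraints and that hh in the -f format is a 24-hour value; the script parameter names PfxPath, PfxPassword and LeadDays are hypothetical.

```powershell
# Added example (not Kaspersky code): pre-flight check before "klsetsrvcert -t CR".
param(
    [Parameter(Mandatory)] [string]       $PfxPath,       # container you will pass to -i
    [Parameter(Mandatory)] [securestring] $PfxPassword,   # password you will pass to -p
    [ValidateRange(21, 28)] [int]         $LeadDays = 21  # page: switch 3-4 weeks from now
)
$ErrorActionPreference = 'Stop'

# Open the PKCS#12 container; a wrong password or a corrupt file throws here.
$full = (Resolve-Path -LiteralPath $PfxPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $PfxPassword)
try {
    if (-not $cert.HasPrivateKey) {
        throw "No private key in $full; -i needs the certificate and its key."
    }

    # Assumption: the "DD-MM-YYYY hh:mm" value of -f uses a 24-hour clock.
    $switch = (Get-Date).AddDays($LeadDays)
    $stamp  = $switch.ToString('dd-MM-yyyy HH:mm', [cultureinfo]::InvariantCulture)

    # The new certificate must already be valid, and not yet expired, at switch time.
    if ($cert.NotBefore -gt $switch -or $cert.NotAfter -le $switch) {
        throw "Valid $($cert.NotBefore) .. $($cert.NotAfter), not at switch time $stamp."
    }

    # Assumption: "signing permission" maps to the CA flag in Basic Constraints.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)
    $chk  = if ($isCa) { '' } else { ' -o NoCA' }

    # Report what was found and the two commands from the procedure above.
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        IsCA       = $isCa
        Step1      = "klsetsrvcert.exe -t CR -i `"$full`" -p <password>$chk"
        Step2      = "klsetsrvcert.exe -f `"$stamp`""
    }
}
finally { $cert.Dispose() }
```

The script only prints the commands; it does not run klsetsrvcert and leaves the <password> placeholder for you to supply.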

See also:

Scenario: Specifying the custom Administration Server certificate
