Managing the SSL certificate of the cluster node

3 July 2024

ID 234112

By default, Kaspersky Secure Mail Gateway 2.0 MR1 uses a self-signed certificate, generated automatically during cluster node deployment, as the SSL certificate of the cluster node. When you log in to the application web interface with this certificate, the browser displays an insecure connection warning. For convenience and improved security when using the web interface, you can replace the default certificate of the node with a certificate issued by a trusted certification authority.

To replace the SSL certificate of a cluster node, you will need the following files:

  • A certificate file in the X.509 format with the PEM extension or a container file with a certificate chain in the X.509 format with the PEM extension
  • An RSA private key file with the PEM extension (without a passphrase)

You can prepare the private key file and the certificate on your own, or alternatively you can obtain ready-to-use files from a certification authority.

Steps involved in replacing the SSL certificate of the cluster node and creating the private key and certificate files on your own

  1. Creating a private key file and a Certificate Signing Request

    You will receive one of the following files from the certification authority:

    • Signed X.509 certificate file with the CER or CRT extension
    • PKCS#7 certificate chain file with the P7B extension. The file includes the website certificate signed at your request as well as certificates of intermediate certificate authorities.
  2. Converting obtained files into the PEM encoding

    Depending on the type of the file obtained at the previous step, do one of the following:

  3. Replacing the SSL certificate of a cluster node

Steps involved in replacing the SSL certificate of the cluster node using private key and certificate files provided by a certification authority

  1. Obtaining private key and certificate files from the certification authority

    The private key and certificates are provided as a PFX container (PKCS#12 format, PFX or P12 extension).

    If your organization uses the Active Directory Certification Services service as the certification authority, use the Web Server template to create the certificate. Save the result as a certificate chain in the DER encoding.

  2. Extracting certificate and private key files from a PFX container
  3. Replacing the SSL certificate of a cluster node
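
A pre-upload check of the two files against the requirements listed above, as an added example that is not part of the Kaspersky documentation. It assumes the OpenSSL command-line tool is installed and that the node certificate is the first certificate in a chain file; the function name and return codes are illustrative.

```shell
#!/bin/sh
# Pre-upload check for a node certificate / private key pair (added example).
# Return codes (illustrative): 0 ok, 1 certificate is not PEM X.509,
# 2 key is passphrase-protected, 3 key is not a readable RSA key,
# 4 key does not match the certificate.
check_node_cert_pair() {
    cert=$1
    key=$2

    # The certificate (or chain) must be PEM text, not DER, PKCS#7 or PFX.
    # The explicit grep matters because OpenSSL 3.x also accepts DER here.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || return 1

    # Assumption: the node certificate is the first one in a chain file;
    # openssl x509 reads only the first certificate it finds.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1

    # Encrypted PEM keys carry "ENCRYPTED" either in the BEGIN line (PKCS#8)
    # or in the Proc-Type header (traditional format).
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        return 2
    fi

    # openssl rsa rejects non-RSA keys; stdin is closed so it never prompts.
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null </dev/null) || return 3

    # Both commands emit the public key as SubjectPublicKeyInfo PEM,
    # so a string comparison shows whether the key belongs to the certificate.
    [ "$cert_pub" = "$key_pub" ] || return 4
    return 0
}
```
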

In this section

Creating an SSL certificate signature request file

Converting a certificate from the DER encoding to the PEM encoding

Extracting the certificate chain from a PKCS#7 container

Extracting certificate and private key files from a PFX container

Replacing the SSL certificate of a cluster node
