How to install a custom certificate for the Integration Server in Kaspersky Security for Virtualization 5.x Agentless
When you install the Integration Server, the application generates a local self-signed certificate which is used by the server when establishing SSL connections.
To replace this certificate:
1. Install the new certificate into the system.
You can install the certificate in one of the following ways:
- Use the following command to import the certificate into the certificate store of the local computer:
certutil -importpfx [pfx file] -p [password]
Example:
certutil -importpfx -p "" cert.p12
- Import the certificate using the MMC console.
The certificate must be installed in the certificate store of the local computer. In that case, the certificate remains in the system even if you remove the Integration Server.
2. Unbind the old certificate from the Integration Server
View the certificate currently bound to the Integration Server.
Use the command:
netsh http show sslcert
Example of the command output:
SSL Certificate bindings:
-------------------------
IP:port : 10.20.30.40:8078
Certificate Hash : 7b0ef176aa839536686e8484aad0a44058519662
Application ID : {e3aa9184-8518-4486-879a-2c41fd88dba3}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
IP:port : 0.0.0.0:8070
Certificate Hash : debd6c3c6180397e2c0f56ff27408a259ec59454
Application ID : {5ca18ed0-cbe9-418c-aede-f63f0324113c}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
You can save the parameters IP:port, Certificate Hash, and Application ID of the current binding so that you can restore the default settings later.
Unbind the certificate from the Integration Server.
Enter the command:
netsh http delete sslcert ipport=[ipport]
Example:
netsh http delete sslcert ipport=0.0.0.0:8070
3. Bind the new certificate to the network port
Use the command:
netsh http add sslcert ipport=[ipport] certhash=[certificate hash] appid={013A84E5-92A6-4E26-8904-DD1771EE319D}
- The certhash parameter specifies the certificate thumbprint.
- The ipport parameter specifies the IP address and the port.
- Specifying 0.0.0.0 binds the certificate on all network adapters. The port number must match the one specified during the installation of the Integration Server.
Example:
netsh http add sslcert ipport=0.0.0.0:8000 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={013A84E5-92A6-4E26-8904-DD1771EE319D}
The certificate must contain a private key.
4. Restart the Integration Server.
- Open the Services console (Control Panel → Administrative Tools → Services).
- Find Kaspersky Security for Virtualization Integration Server in the list.
- Open the shortcut menu and select Restart.
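The following PowerShell script is an added example, not part of the original article or of Kaspersky's tooling. It saves the IP:port, Certificate Hash and Application ID of every current binding (step 2), then checks that the new certificate is in the local computer store with a private key before you unbind the old one (step 3). It assumes English-language netsh output and the My store shown in the output above; the backup path and thumbprint are placeholders.

```powershell
# Added example (not Kaspersky's code). Run in an elevated PowerShell session.
# Assumptions: English-language netsh output; both parameter defaults are placeholders.
param(
    [string]$BackupPath    = "$env:ProgramData\sslcert-bindings-backup.csv",
    [string]$NewThumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'
)

function ConvertFrom-SslCertOutput {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            # A new binding block starts at every IP:port line; emit the previous one.
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{ IpPort = $Matches[1]; CertHash = ''; AppId = '' }
        }
        elseif ($null -ne $current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.CertHash = $Matches[1]
        }
        elseif ($null -ne $current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $current.AppId = $Matches[1]
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# 1. Save the three values the article recommends keeping for every binding.
$bindings = @(ConvertFrom-SslCertOutput -Lines (netsh http show sslcert))
$bindings | Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Saved $($bindings.Count) binding(s) to $BackupPath"

# 2. Check the new certificate before deleting the old binding.
# Thumbprints copied from the MMC details pane often carry spaces or hidden characters.
$thumb = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumb.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters (SHA-1); got $($thumb.Length)."
}
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
if ($null -eq $cert)          { throw "No certificate $thumb in the local computer My store." }
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb has no private key; the binding requires one." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $thumb expired on $($cert.NotAfter)." }
Write-Host "OK to bind: $($cert.Subject), valid until $($cert.NotAfter)"
```

If any check throws, leave the existing binding in place and fix the import first, so the Integration Server is never left without a bound certificate.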