Kaspersky Endpoint Security for Linux

Managing certificates for connecting to KATA servers

Managing certificates requires the rights of a user with the Administrator (admin) role.

You can use the command line to manage the certificates used to connect to KATA servers. The following operations are available:

  • Add or replace the server certificate
  • Display information about the server certificate
  • Remove the server certificate
  • Add or replace the client certificate
  • Display information about the client certificate
  • Remove the client certificate

To add or replace the server certificate, run the following command:

kesl-control [-R] --add-kataedr-server-certificate <file path>

where <file path> is the path to the file containing the server certificate.

To add or replace the client certificate:

  1. Execute the command:

    kesl-control [-R] --add-kataedr-client-certificate <file path>

    where <file path> is the path to the cryptocontainer (PFX archive) containing the client certificate and private key.

  2. If the cryptocontainer is password-protected, enter the password when prompted.

The client certificate provides additional protection for the connection to the KATA server. It is used if client certificate verification is enabled in the KATA server settings and the UseClientPinnedCertificate setting has the value yes in the Kaspersky Endpoint Detection and Response (KATA) Integration task settings.

To display certificate information, run one of the following commands:

  • for the server certificate:

    kesl-control [-R] --query-kataedr-server-certificate

  • for the client certificate:

    kesl-control [-R] --query-kataedr-client-certificate

Running the command displays the following certificate information:

  • certificate serial number
  • certificate subject
  • certificate issuer
  • certificate start date
  • certificate expiration date
  • SHA1 and SHA256 certificate fingerprints
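
A pre-flight check that can be run before adding the server certificate, shown here as an added example that is not part of the Kaspersky documentation. It assumes a PEM-encoded certificate file, the openssl command-line tool, and an expected SHA256 fingerprint obtained out of band from the KATA server administrator; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a KATA server certificate file before importing it.
# Assumptions: PEM-encoded file, openssl CLI installed, expected SHA256
# fingerprint supplied by the operator from a trusted out-of-band source.

# Print the certificate's SHA256 fingerprint as lowercase hex without colons.
# Prints nothing if the file cannot be parsed as a certificate.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalize an operator-supplied fingerprint (colons or spaces, any case).
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Return 0 only if the file is a readable certificate, matches the expected
# fingerprint, and remains valid for at least min_days more days (default 30).
# Return codes: 2 unreadable, 3 fingerprint mismatch, 4 expiring too soon.
preflight_server_cert() {
    file=$1; expected=$(normalize_fp "$2"); min_days=${3:-30}
    actual=$(cert_sha256 "$file")
    if [ -z "$actual" ]; then
        echo "not a readable PEM certificate: $file" >&2; return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual" >&2; return 3
    fi
    if ! openssl x509 -in "$file" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2; return 4
    fi
    return 0
}

# Import only after the pre-flight passes, then display what the application
# stored so the fingerprints can be compared with the expected value.
import_server_cert() {
    preflight_server_cert "$1" "$2" "${3:-30}" || return $?
    kesl-control --add-kataedr-server-certificate "$1" &&
        kesl-control --query-kataedr-server-certificate
}

# Usage: sh preflight.sh <cert.pem> <expected-sha256> [min-days]
if [ "$#" -ge 2 ]; then
    import_server_cert "$@"
fi
```
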

To delete the server certificate information, run the following command:

kesl-control [-R] --remove-kataedr-server-certificate

To delete the client certificate information, run the following command:

kesl-control [-R] --remove-kataedr-client-certificate