Configuring certificate issuance rules
Kaspersky Security Center Web Console lets you configure how the certificates for mobile devices are issued, renewed, and protected.
To configure certificate issuance rules:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Mobile → Certificates.
- In the list of certificates that opens, click Issuance rules.
- In the PKI settings section:
- In the Integration with PKI block of settings, enable the Integrate issuance of certificates with Microsoft Certification Authority (CA) via PKI toggle switch to issue certificates automatically following integration.
Click Select device, and then specify a device with Network Agent installed that will connect to Microsoft CA.
For detailed information on PKI, refer to the Integration with Public Key Infrastructure section.
- In the Domain account for transmitting requests to issue certificates block of settings, specify the PKI account name (the name of the user account to be used for PKI integration, in the userPrincipalName@DNSDomainName format) and Password (the domain password for the account).
- Click Save to apply the changes.
- In the Mobile certificates section, you can do the following:
- In the Validity block of settings, in the Certificate validity period (days) field, specify the certificate lifetime in days. The default lifetime of a certificate is 365 days. When this period expires, the mobile device will not be able to connect to the Administration Server.
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires. The default value is 30.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the Password protection block of settings, select the Prompt for password during certificate installation check box to prompt the user for a password when the certificate is installed on a mobile device. The password is used only once during the installation of the certificate on the mobile device. The password will be automatically generated by Administration Server and sent to the user by email. You can specify the password length in the Password length field.
Password protection is only available for mobile certificates.
- Click Save to apply the changes.
- In the Mail certificates and VPN certificates sections, if PKI integration is configured:
- In the Renewal block of settings, in the Renew certificate before it expires in (days) field, specify the number of days remaining until the current certificate's expiration when Administration Server should issue a new certificate. For example, if the value of the field is 4, Administration Server issues a new certificate four days before the current certificate expires.
Select the Renew certificate automatically check box to renew certificates automatically. If this option is disabled, certificates must be renewed manually as they expire. This check box is selected by default.
- In the PKI settings block of settings, specify the Certificate template name in PKI (the certificate template that will be used to issue certificates to domain users).
The Network Agent for Windows service installed on the device that connects to the CA runs under the specified user account. This service is responsible for issuing users' domain certificates. The service runs when the list of certificate templates is loaded by clicking the Refresh list button, or when a certificate is generated.
When connecting a non-domain user's mobile device (running either Android or iOS) to Kaspersky Security Center, the attempt to issue a certificate may fail.
- In the Automatic issuance of mail certificate on device connection and Automatic issuance of VPN certificate on device connection blocks of settings, select the Issue for devices managed by Kaspersky Endpoint Security for Android or Issue for iOS MDM devices check boxes to enable automatic issuance of a mail or VPN certificate when devices connect to Kaspersky Security Center.
If you selected the Issue for iOS MDM devices check box, choose the certificate alias from the drop-down list. The certificate alias is a name that identifies the certificate. You can configure the subsequent use of the selected alias for the certificate issuance in the following policy sections:
- For mail certificates: in the properties of the Email account for iOS MDM devices and in the properties of the Exchange ActiveSync account for iOS MDM devices.
- For VPN certificates: in the properties of the VPN network for iOS MDM devices and in the properties of the Wi-Fi network for iOS MDM devices.
You can also change the alias for individual or multiple mail and VPN certificates by clicking Modify alias in the list of certificates (Assets (Devices) → Mobile → Certificates).
- Click Save to apply the changes.
The specified settings will be used by Kaspersky Security Center to issue, renew, and protect the certificates of mobile devices.
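The validity and renewal settings above define a simple policy: a certificate is usable for the configured number of days, Administration Server starts issuing a replacement a configured number of days before expiry, and once the lifetime ends the device can no longer connect. The following Python script is an added example, not part of the Kaspersky documentation or product, that models that policy so an administrator can check a list of issued dates against the rules and see which devices are still valid, which are inside the renewal window (and whether automatic or manual renewal applies), and which are already cut off. The device names and issue dates are constructed sample data; the rejection of a renewal window as long as or longer than the lifetime is an assumption of this script, not a documented console behaviour.

```python
"""Evaluate mobile-certificate issuance rules (validity period, renewal window,
automatic renewal) against a constructed list of device certificates."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class IssuanceRules:
    validity_days: int = 365      # "Certificate validity period (days)", default 365
    renew_before_days: int = 30   # "Renew certificate before it expires in (days)", default 30
    auto_renew: bool = True       # "Renew certificate automatically", selected by default

    def validate(self) -> None:
        # Assumption of this example: a renewal window at least as long as the lifetime
        # would make every certificate due for renewal as soon as it is issued, so it is
        # treated as a misconfiguration rather than silently accepted.
        if self.validity_days <= 0:
            raise ValueError("validity_days must be positive")
        if not 0 <= self.renew_before_days < self.validity_days:
            raise ValueError("renew_before_days must be in [0, validity_days)")


def expiry_date(issued_on: date, rules: IssuanceRules) -> date:
    """First day on which the certificate is no longer valid."""
    return issued_on + timedelta(days=rules.validity_days)


def renewal_window_start(issued_on: date, rules: IssuanceRules) -> date:
    """First day on which Administration Server would issue a replacement."""
    return expiry_date(issued_on, rules) - timedelta(days=rules.renew_before_days)


def certificate_status(issued_on: date, today: date, rules: IssuanceRules) -> str:
    """Classify one certificate as valid, renew-auto, renew-manual or expired."""
    rules.validate()
    if today >= expiry_date(issued_on, rules):
        return "expired"          # the mobile device can no longer connect
    if today >= renewal_window_start(issued_on, rules):
        return "renew-auto" if rules.auto_renew else "renew-manual"
    return "valid"


def fleet_report(certs, today: date, rules: IssuanceRules) -> dict[str, list[str]]:
    """Group (device, issued_on) pairs by their status under the given rules."""
    report = {"valid": [], "renew-auto": [], "renew-manual": [], "expired": []}
    for device, issued_on in certs:
        report[certificate_status(issued_on, today, rules)].append(device)
    return report


# Constructed sample data: device name and the date its mobile certificate was issued.
SAMPLE_CERTS = [
    ("android-sales-01", date(2024, 1, 1)),
    ("ios-exec-02", date(2024, 3, 15)),
    ("android-field-07", date(2023, 6, 1)),
]

if __name__ == "__main__":
    rules = IssuanceRules()
    for status, devices in fleet_report(SAMPLE_CERTS, date(2024, 12, 10), rules).items():
        print(f"{status:13s} {devices}")
```

Running the script with the default rules on 10 December 2024 lists android-sales-01 as due for automatic renewal (its certificate expires on 31 December and the 30-day window opened on 1 December), ios-exec-02 as still valid, and android-field-07 as expired, which is the case where a device silently loses its connection to Administration Server if renewal was left to manual handling.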