Replacing the Integration Server and SVM certificates
The Kaspersky Security distribution kit includes a certificate management utility for managing Integration Server certificates and SVM certificates. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent. The SSL certificate of an SVM is used to encrypt the communication channel between Light Agent and the Protection Server.
The certificate management tool lets you:
Certificates may need to be replaced in the following cases:
- When upgrading the solution in order to replace a previously installed certificate with a more secure one.
- If the used certificate has expired or has been compromised.
- If the IP address or domain name of the device on which the Integration Server is installed has changed.
You can replace the Integration Server certificate with a new certificate created using the tool or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the tool's certificate requirements.
The Integration Server certificate must meet the following requirements:
- PFX format.
- The certificate contains the private key.
- The certificate is password protected.
- The "Subject alternative name" field contains the following values:
  - IP Address – external and local IP addresses of the Integration Server;
  - DNS Name – external and local IP addresses, as well as the domain name (FQDN) of the Integration Server.
- Key Usage:
  - KeyEncipherment;
  - DigitalSignature;
  - DataEncipherment;
  - KeyCertSign.
- Enhanced Key Usage:
  - Server Authentication (1.3.6.1.5.5.7.3.1);
  - Client Authentication (1.3.6.1.5.5.7.3.2).
- The certificate expiration date is later than the current date.
- Key algorithm: RSA (1.2.840.113549.1.1.1).
- Key size: 4096 bits.
- Allowed signature algorithms:
  - Sha256WithRSA (1.2.840.113549.1.1.11);
  - Sha384WithRSA (1.2.840.113549.1.1.12);
  - Sha512WithRSA (1.2.840.113549.1.1.13).
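A certificate produced with third-party tools can be checked against the requirements above before it is handed to the utility. The script below is an added example and is not part of the Kaspersky documentation or of the certificate_manager tool: it inspects a PFX file with the openssl command line only (OpenSSL 1.1.1 or later is assumed, because the helper uses -addext), and reports every requirement that is not met. The make_test_pfx helper builds a constructed self-signed certificate (hostname viis.example.local, addresses 192.0.2.10 and 10.0.0.10, password S3cret!, all invented for the demonstration) so that the check can be exercised offline; the path and password arguments are assumptions, not parameters of the utility.

```shell
#!/bin/sh
# Added example, not part of the Kaspersky documentation or the certificate_manager utility.
# Checks a PFX file against the Integration Server certificate requirements (PFX with a
# password-protected private key, RSA 4096, SHA-256/384/512 with RSA signature, SAN with
# IP Address and DNS Name entries, Key Usage, Enhanced Key Usage, not expired) using only
# the openssl CLI. Hostnames, addresses and passwords below are constructed for the demo.

# check_viis_pfx <file.pfx> <password>
# Prints one line per unmet requirement; returns 0 only when every requirement is met.
check_viis_pfx() {
    pfx="$1"; pass="$2"; fail=0
    # PFX format, password protected, contains the private key: try to read the key out.
    if ! openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" -passout pass:x >/dev/null 2>&1; then
        echo "FAIL: not a password-protected PFX with a private key (or wrong password)"
        return 1
    fi
    # Extract the leaf certificate once and work from its text dump.
    cert=$(openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null)
    txt=$(printf '%s\n' "$cert" | openssl x509 -noout -text)

    # Key algorithm RSA (1.2.840.113549.1.1.1) and key size 4096 bits.
    printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' \
        || { echo "FAIL: key algorithm is not RSA"; fail=1; }
    printf '%s\n' "$txt" | grep -q 'Public-Key: (4096 bit)' \
        || { echo "FAIL: key size is not 4096 bits"; fail=1; }
    # Allowed signature algorithms: sha256/sha384/sha512 with RSA.
    printf '%s\n' "$txt" | grep -Eq 'Signature Algorithm: sha(256|384|512)WithRSAEncryption' \
        || { echo "FAIL: signature algorithm is not SHA-256/384/512 with RSA"; fail=1; }
    # Subject Alternative Name must carry both IP Address and DNS Name entries.
    san=$(printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' | tail -n 1)
    case "$san" in
        *"IP Address:"*DNS:*|*DNS:*"IP Address:"*) ;;
        *) echo "FAIL: SAN lacks IP Address and/or DNS Name entries"; fail=1 ;;
    esac
    # Key Usage: KeyEncipherment, DigitalSignature, DataEncipherment, KeyCertSign.
    ku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for want in "Key Encipherment" "Digital Signature" "Data Encipherment" "Certificate Sign"; do
        case "$ku" in *"$want"*) ;; *) echo "FAIL: Key Usage lacks $want"; fail=1 ;; esac
    done
    # Enhanced Key Usage: Server Authentication and Client Authentication.
    eku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    for want in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case "$eku" in *"$want"*) ;; *) echo "FAIL: Extended Key Usage lacks $want"; fail=1 ;; esac
    done
    # Expiration date must be later than the current date.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; fail=1; }
    return $fail
}

# make_test_pfx <dir> <password> [keybits]
# Builds a constructed self-signed certificate that satisfies every requirement (or, with
# keybits=2048, deliberately violates the key-size rule) and prints the PFX path.
make_test_pfx() {
    dir="$1"; pass="$2"; bits="${3:-4096}"
    openssl req -x509 -newkey "rsa:$bits" -sha256 -days 365 -nodes \
        -keyout "$dir/viis-$bits.key" -out "$dir/viis-$bits.crt" \
        -subj "/CN=viis.example.local" \
        -addext "subjectAltName=IP:192.0.2.10,IP:10.0.0.10,DNS:192.0.2.10,DNS:10.0.0.10,DNS:viis.example.local" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment,dataEncipherment,keyCertSign" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/viis-$bits.key" -in "$dir/viis-$bits.crt" \
        -out "$dir/viis-$bits.pfx" -passout "pass:$pass" 2>/dev/null
    echo "$dir/viis-$bits.pfx"
}

# Usage: sh check_viis_pfx.sh <file.pfx> <password>
if [ $# -eq 2 ]; then
    check_viis_pfx "$1" "$2" && echo "OK: certificate meets all listed requirements"
fi
```

Run it against the viis.pfx you intend to pass to the replace command; a zero exit status means every listed requirement holds, and each unmet one is printed on its own line. The checks match the text output of openssl x509 -text, which is stable across OpenSSL 1.1.1 and 3.x, and they confirm only the attributes the page lists, not whether the certificate is trusted by anything.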
The certificate management tool can work with the Linux-based Integration Server and with the Windows-based Integration Server. The tool is located on the device where the Integration Server is installed. Depending on the operating system of the device, the utility is located at one of the following paths:
- /opt/kaspersky/viis/bin/certificate_manager.sh – on devices with Linux operating systems
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe – on devices with Windows operating systems
To use the utility in the Linux operating system, the user account must be in the sudoers group. To use the utility in the Windows operating system, Administrator rights in the operating system are required.
How to use the utility to create a certificate for the Linux-based Integration Server
On the device where the Integration Server is installed, run the command:
sudo /opt/kaspersky/viis/bin/certificate_manager.sh create-self-signed-certs --outputFolder <path to the directory with the certificate> [--keySize <2048 or 4096>] [--quiet]
where:
<path to the directory with the certificate> – path to the directory where the created certificate will be placed. The directory must be located on the device where the Integration Server is installed.
--keySize <2048 or 4096> – the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
--quiet – optional parameter. If the parameter is specified, the utility will run in silent mode: nothing will be output to the console.
The command will cause the utility to create an Integration Server certificate (viis.pfx file) and place it in the specified directory.
It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure directory.
How to use the utility to create a certificate for the Windows-based Integration Server
On the device where the Integration Server is installed, run the command:
%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe create-self-signed-certs --outputFolder <path to the folder with the certificate> [--keySize <2048 or 4096>] [--quiet]
where:
<path to the folder with the certificate> – path to the folder where the created certificate will be placed. The folder must be located on the device where the Integration Server is installed.
--keySize <2048 or 4096> – the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
--quiet – optional parameter. If this parameter is specified, the input console window is closed after the command is executed; otherwise the console window remains open.
The command will cause the utility to create an Integration Server certificate (viis.pfx file) and place it in the specified folder.
It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure folder.
How to replace the Linux-based Integration Server certificate and SVM certificate
On the device where the Integration Server is installed, run the command:
sudo /opt/kaspersky/viis/bin/certificate_manager.sh replace --certificatePath <path to certificate> [--quiet]
where:
<path to certificate> – path to the Integration Server certificate (viis.pfx file).
--quiet – optional parameter. If the parameter is specified, the utility will run in silent mode: nothing will be output to the console.
As a result of executing the command, the tool performs the following actions:
- Creates an SVM certificate based on the certificate located in the specified folder.
- Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
- Restarts the Integration Server service.
How to replace the Windows-based Integration Server certificate and SVM certificate
On the device where the Integration Server is installed, run the command:
%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe replace --certificatePath <path to certificate>
where:
<path to certificate> – path to the Integration Server certificate (viis.pfx file).
As a result of executing the command, the tool performs the following actions:
- Creates an SVM certificate based on the certificate located in the specified folder.
- Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
- Restarts the Integration Server service.
After replacing the Integration Server certificate and SVM certificate, you need to update all Light Agent policies and Protection Server policies so that the policies receive the public key of the new certificate.
Trace files may be created while the certificate management tool is running.