Contents
- Managing Kaspersky Thin Client certificates through the Web Console
- About a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
- Reissuing a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center using the Web Console
- Creating a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
- Uploading a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center using the Web Console
- Adding new certificates in the Web Console
- Removing certificates from the Web Console
- Converting a certificate from PEM to DER format
- Updating a certificate when migrating to a new Kaspersky Security Center Server
Managing Kaspersky Thin Client certificates through the Web Console
In Kaspersky Security Center, you can access certificate management functions to connect thin clients to a log server and to a remote environment. In the Kaspersky Security Center Web Console interface you can view, add, and delete such certificates.
You are advised to configure the connection of a group of thin clients to a log server or to a remote environment only using certificates that were assigned by the administrator in the Web Console. This will help prevent Kaspersky Thin Client from connecting to untrusted nodes.
This section also provides instructions on how to manage certificates for connecting Kaspersky Thin Client to Kaspersky Security Center.
About a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
Kaspersky Thin Client uses a user mobile certificate (hereinafter also referred to as "certificate") to connect to Kaspersky Security Center. For detailed information about this and other types of certificates used by Kaspersky Security Center, see the About certificates section of the Kaspersky Security Center Online Help.
The certificate is created using the Administration Server quick start wizard after installing Kaspersky Security Center. The default validity period of an issued certificate is one year.
User mobile certificates are not reissued automatically.
You can reissue the certificate in the Web Console or create a new certificate manually and upload it to the Web Console.
When migrating to a new Kaspersky Security Center Administration Server, create a new certificate manually in order to upload it to the current Server as a reserve certificate and then to the new Server as the primary certificate.
Reissuing a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center using the Web Console
Kaspersky Thin Client uses a user mobile certificate to connect to Kaspersky Security Center. Certificates of this type are not automatically reissued.
To reissue a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center in the Web Console interface:
- In the menu of the Kaspersky Security Center Web Console, click the icon next to the name of the Kaspersky Security Center Administration Server.
The Administration Server properties window opens.
- In the list of subsections, select Certificates.
- In the window that opens, in the Administration Server authentication by mobile devices section, select the required certificate and click Reissue.
- In the window that opens, specify the Server address and indicate when to activate the certificate. Confirm your choice.
- Click Save in the window that opens.
The certificate for connecting Kaspersky Thin Client to Kaspersky Security Center is reissued.
Managed devices and devices included in the administration group receive the reissued certificate for connecting to Kaspersky Security Center after Kaspersky Thin Client is synchronized with Kaspersky Security Center. The reissued certificate is saved to the Kaspersky Thin Client certificate storage and can be used as a reserve one to connect thin clients to Kaspersky Security Center when the currently used certificate expires.
You can also manually issue a new certificate to connect Kaspersky Thin Client to Kaspersky Security Center.
Creating a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
You can manually create a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center. The created certificate can be used as a primary or a reserve one, for example, when migrating to a new Kaspersky Security Center Administration Server.
We recommend familiarizing yourself with the requirements for Kaspersky Security Center certificates stated in the Requirements for custom certificates used in Kaspersky Security Center section of the Kaspersky Security Center Online Help.
The created certificate must be uploaded to the Web Console.
To create a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center using the OpenSSL tool:
- Start the console and go to the folder in which you want to create the certificate.
- In the console, start the OpenSSL tool and run the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out server.pem -days 397 -subj '/CN=mydomain.ru/C=RU/L=Moscow/O=My Organization Name/OU=My Organization Unit Name' -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" -addext "extendedKeyUsage = serverAuth, clientAuth"
where:
- -keyout key.pem is the name of the file in which the private key of the created certificate will be saved.
- -out server.pem is the name of the file in which the created certificate will be saved.
- -days is a setting that defines the validity term of the created certificate, in days. We recommend setting a certificate validity term of no more than 397 days.
- -subj '/CN=mydomain.ru/C=RU/L=Moscow/O=My Organization Name/OU=My Organization Unit Name' is the data of your organization: domain name, location, name.
- Enter and confirm the password for the private certificate key. This password will need to be entered when uploading the user certificate to the Web Console as a mobile certificate. Minimum password length: 8 characters.
As a result, the following two files will be created in the folder where you ran the command:
- server.pem is a certificate file for connecting Kaspersky Thin Client to Kaspersky Security Center.
- key.pem is a private key of the certificate for connecting Kaspersky Thin Client to Kaspersky Security Center.
If necessary, you can convert a certificate file from PEM to DER format.
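A pre-upload check for the two files produced by the procedure above, given here as an added example that is not part of the product documentation. It confirms that the certificate is currently valid and expires within 397 days, that it carries the serverAuth and clientAuth extended key usages requested by the command, and that key.pem is the matching private key. The function names and the KEY_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the product documentation. Function names and the
# KEY_PASS environment variable are assumptions of this example.
MAX_DAYS=397    # validity ceiling recommended in the procedure above

# True if the certificate is currently valid and expires within MAX_DAYS.
# "-checkend N" exits 0 only if the certificate is still valid N seconds from now.
cert_lifetime_ok() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || return 1
    ! openssl x509 -in "$1" -noout -checkend $(($MAX_DAYS * 86400)) >/dev/null
}

# True if the certificate carries both extended key usages the command requests.
cert_has_both_ekus() {
    eku=$(openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null) || return 1
    case $eku in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case $eku in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# True if the private key file belongs to the certificate. The passphrase is
# read from KEY_PASS so that it never appears on a command line.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$2" -pubout \
        -passin env:KEY_PASS 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: check_pair server.pem key.pem
check_pair() {
    cert_lifetime_ok "$1" ||
        { echo "FAIL: expired or valid for more than $MAX_DAYS days"; return 1; }
    cert_has_both_ekus "$1" ||
        { echo "FAIL: serverAuth/clientAuth EKU missing"; return 1; }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: private key does not match certificate"; return 1; }
    echo "OK: $1"
}
```

Export KEY_PASS with the private key password before calling check_pair server.pem key.pem.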
Uploading a certificate for connecting Kaspersky Thin Client to Kaspersky Security Center using the Web Console
After you create a certificate to connect Kaspersky Thin Client to Kaspersky Security Center, upload this certificate to the Web Console for transfer to the managed thin clients.
It is recommended to familiarize yourself with the requirements for Kaspersky Security Center certificates in the Requirements for custom certificates used in Kaspersky Security Center section of the Kaspersky Security Center Online Help.
To upload a certificate to the Web Console for connecting Kaspersky Thin Client to Kaspersky Security Center:
- In the menu of the Kaspersky Security Center Web Console, click the icon next to the name of the Kaspersky Security Center Administration Server.
The Administration Server properties window opens.
- In the list of subsections, select Certificates.
- In the window that opens, in the Administration Server authentication by mobile devices block, select Other certificate and click the Manage certificate button.
- In the panel that opens on the right, click Browse and do the following:
- In the Certificate type drop-down list, select X.509 certificate.
- If the user certificate is protected with a password, enter the password.
- Select the user certificate file by clicking the Browse button in the Certificate block.
- Select the private key for the user certificate by clicking the Browse button in the Private key block.
- Click Save to save the certificate being added.
- Click Save to save the changes you made in the Certificates subsection.
The certificate for connecting Kaspersky Thin Client to Kaspersky Security Center will be uploaded to the Web Console. Managed devices and devices included in the administration group receive the new certificate after Kaspersky Thin Client is synchronized with Kaspersky Security Center.
Adding new certificates in the Web Console
For thin clients that are included in an administration group, you can add certificates to the Web Console for connecting to a remote environment or log server.
After adding a certificate for a thin client in the Web Console, all certificates that were previously accepted by a user will be removed from the device certificate store.
To add new certificates through the Web Console:
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the policy name for the Kaspersky Security Management Suite web plug-in.
- In the window that opens, select the Application settings tab.
- Select the Certificates section.
- In the Valid certificates table, click the Add button in the upper part of the table.
- In the panel that opens on the right, select all certificates that were previously uploaded and select the new certificates. The total size of the uploaded files must not exceed 1 MB. You can upload certificates only in DER format. Each certificate file must contain only one certificate. If necessary, you can convert certificates from PEM to DER format in advance.
- Click OK to confirm the upload of the selected certificates.
The selected certificates will be uploaded and information about them will be displayed in the Valid certificates table.
If the added certificate is a root certificate, the connection will be established based on the server domain name only.
Removing certificates from the Web Console
In the Web Console, you can remove certificates for thin clients that are included in an administration group.
If you remove all certificates that were assigned to a group of thin clients, the devices from this group will be able to connect to any server, including servers that have not been assigned any certificates.
To remove certificates:
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the policy name for the Kaspersky Security Management Suite web plug-in.
- In the window that opens, select the Application settings tab.
- Select the Certificates section.
- In the Valid certificates table, select the check boxes next to the certificates that you need to remove.
- Click Delete and confirm deletion.
The selected certificates will be removed.
Converting a certificate from PEM to DER format
Kaspersky Security Management Suite supports uploading of certificates only in DER format. You can convert a certificate file from PEM to DER format.
To carry out these instructions on the local computer, you must have the OpenSSL tool.
To convert a certificate file from PEM to DER format:
- Start the console on the local computer.
- Go to the folder containing the PEM certificate file and run the following file conversion command:
openssl x509 -outform der -in <certificate file name>.pem -out <certificate file name>.der
where:
- <certificate file name>.pem is the original certificate file name in PEM format.
- <certificate file name>.der is the converted certificate file name in DER format.
The new certificate file in DER format will be generated in this same folder.
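A checked version of the conversion, given here as an added example that is not part of the product documentation. The openssl x509 command reads only the first certificate of its input, so converting a PEM bundle would silently drop the rest. The script rejects bundles, confirms that the DER output has the same SHA-256 fingerprint as the PEM original, and checks the Web Console upload constraints stated earlier (DER only, total size not over 1 MB). The function names, and the reading of 1 MB as 1048576 bytes, are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the product documentation; function names are
# assumptions of this example.
MAX_TOTAL_BYTES=1048576   # the 1 MB upload limit, read here as 1 MiB (assumption)

# SHA-256 fingerprint of the certificate in file $1, encoded as $2 (pem or der).
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256
}

# Convert PEM file $1 to DER file $2. "openssl x509" reads only the first
# certificate of its input, so a bundle is rejected instead of being truncated.
pem_to_der_checked() {
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1") || true
    if [ "$count" != 1 ]; then
        echo "FAIL: $1 holds ${count:-0} certificates, expected exactly 1" >&2
        return 1
    fi
    openssl x509 -outform der -in "$1" -out "$2" || return 1
    # The DER file must decode to the same certificate as the PEM original.
    [ "$(cert_fingerprint "$1" pem)" = "$(cert_fingerprint "$2" der)" ]
}

# True if every argument is a DER certificate and the files together fit
# within the upload limit.
der_set_uploadable() {
    total=0
    for f in "$@"; do
        if grep -q -e '-----BEGIN' "$f" ||
           ! openssl x509 -inform der -in "$f" -noout 2>/dev/null; then
            echo "FAIL: $f is not a DER-encoded certificate" >&2
            return 1
        fi
        total=$(($total + $(wc -c < "$f")))
    done
    [ "$total" -le "$MAX_TOTAL_BYTES" ]
}
```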
Updating a certificate when migrating to a new Kaspersky Security Center Server
To migrate thin clients to a new Kaspersky Security Center Administration Server, issue a certificate, save it on the current Kaspersky Security Center Server as a reserve one, and then use it on the new Server as the primary certificate.
To issue and prepare a new certificate:
- Start the console and go to the folder in which you want to create the certificate.
- Run the OpenSSL utility and issue the certificate using the following command:
openssl req -x509 -sha256 -nodes -days 397 -newkey rsa:2048 -keyout <key file name>.key -out <certificate file name>.crt
The generated certificate and key files are saved locally.
- Package the certificate and the key into a container using the following command:
openssl pkcs12 -export -out <container name>.pfx -inkey <key file name>.key -in <certificate file name>.crt
- Enter and repeat the password for the container. This password is required when uploading the certificate to the servers.
As a result, the container file in PFX format is saved locally.
To upload a certificate to the current Kaspersky Security Center Server as a reserve one:
- Go to the folder where Kaspersky Security Center is installed and launch the console.
- Run the klsetsrvcert utility and enter the following command:
klsetsrvcert -t MR -i <path to the container> -p <container password> -o NoCA
You do not need to download the klsetsrvcert utility. The utility is included in the Kaspersky Security Center distribution kit.
After the command execution, Kaspersky Security Center restarts.
The reserve certificate is uploaded to the Web Console.
To upload the certificate to a new Kaspersky Security Center Server as the main one:
In the console, start the klsetsrvcert utility and run the following command:
klsetsrvcert -t M -i <path to the container> -p <container password> -o NoCA
After execution of the instructions above, the certificate for connecting to the new Kaspersky Security Center Administration Server is updated.