Requirements for custom certificates used in Open Single Management Platform

The table below shows the requirements for custom certificates specified for different components of Open Single Management Platform.

Requirements for Open Single Management Platform certificates

Certificate type

Requirements

Comments

Common certificate, Common reserve certificate ("C", "CR")

Minimum key length: 2048.

Basic constraints:

  • Path Length Constraint: None

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (optional): server authentication, client authentication.

Extended Key Usage parameter is optional.

Path Length Constraint value may be an integer different from "None", but not less than 1.

Mobile certificate, Mobile reserve certificate ("M", "MR")

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (optional): server authentication.

Extended Key Usage parameter is optional.

Path Length Constraint value may be an integer different from "None", if Common certificate has a Path Length Constraint value not less than 1.

Certificate CA for auto-generated user certificates ("MCA")

Minimum key length: 2048.

Basic constraints:

  • CA: true
  • Path Length Constraint: None

Key Usage:

  • Digital signature
  • Certificate signing
  • Key encryption
  • CRL Signing

Extended Key Usage (optional): server authentication, client authentication.

Extended Key Usage parameter is optional.

Path Length Constraint value may be an integer different from "None," if Common certificate has a Path Length Constraint value not less than 1.

Web Server certificate

Extended Key Usage: server authentication.

The PKCS #12 / PEM container from which the certificate is specified includes the entire chain of public keys.

The Subject Alternative Name (SAN) of the certificate is present; that is, the value of the subjectAltName field is valid.

The certificate meets the effective requirements of browsers imposed on server certificates, as well as the current baseline requirements of the CA/Browser Forum.

No.

Kaspersky Security Center Web Console certificate

The PEM container from which the certificate is specified includes the entire chain of public keys.

The Subject Alternative Name (SAN) of the certificate is present; that is, the value of the subjectAltName field is valid.

The certificate meets the effective requirements of browsers to server certificates, as well as the current baseline requirements of the CA/Browser Forum.

Encrypted certificates are not supported by Kaspersky Security Center Web Console.

Intermediate certificate for public Kaspersky Next XDR Expert services

The PEM container that contains the complete certificate chain (or only one certificate) and an unencrypted private key.

The intermediate certificate must be issued by your organization's private key infrastructure (PKI). The validity period for the custom intermediate certificate must be 399 days or more.

No.

See also:

Scenario: Specifying the custom Administration Server certificate
Page top