Encrypted connection to an Administration Server
Data exchange between client devices and Administration Server, as well as Administration Console connection to Administration Server, can be performed using the TLS (Transport Layer Security) protocol. The TLS protocol can identify the interacting parties, encrypt the data that is transferred, and protect data against modification during transfer. The TLS protocol uses public keys to authenticate the interacting parties and encrypt data.
Authenticating Administration Server when a device is connected
When a client device connects to Administration Server for the first time, Network Agent on the device downloads a copy of the Administration Server certificate and stores it locally.
If you install Network Agent on a device locally, you can select the Administration Server certificate manually.
The downloaded copy of the certificate is used to verify Administration Server rights and permissions during subsequent connections.
During future sessions, Network Agent requests the Administration Server certificate at each connection of the device to Administration Server and compares it with the local copy. If the copies do not match, the device is not allowed access to Administration Server.
Administration Server authentication during Administration Console connection
At the first connection to Administration Server, Administration Console requests the Administration Server certificate and saves it locally on the administrator's workstation. After that, each time Administration Console tries to connect to this Administration Server, the Administration Server is identified based on the certificate copy.
If the Administration Server certificate does not match the copy stored on the administrator's workstation, Administration Console prompts you to confirm connection to the Administration Server with the specified name and download a new certificate. After the connection is established, Administration Console saves a copy of the new Administration Server certificate, which will be used to identify the Administration Server in the future.
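The two mismatch policies described above (Network Agent denies access; Administration Console prompts and then saves the new certificate) are modelled below as an added example, not Kaspersky code. Comparing SHA-256 fingerprints, the names `PinStore`, `agent_connect`, `console_connect` and the server name `ksc.example` are assumptions, and the certificate bytes are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder bytes standing in for DER-encoded certificates.
OLD_CERT = b"constructed-sample-certificate-A"
NEW_CERT = b"constructed-sample-certificate-B"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes (assumed comparison method)."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Local copies of server certificates, keyed by server name."""
    def __init__(self):
        self._pins = {}

    def check(self, server: str, presented: bytes) -> str:
        fp = fingerprint(presented)
        pinned = self._pins.get(server)
        if pinned is None:
            # First connection: nothing to compare against, store the copy.
            self._pins[server] = fp
            return "first-use"
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"

    def repin(self, server: str, presented: bytes) -> None:
        self._pins[server] = fingerprint(presented)

def agent_connect(store, server, presented) -> bool:
    """Network Agent policy: a mismatch denies access, the pin is kept."""
    return store.check(server, presented) != "mismatch"

def console_connect(store, server, presented, admin_confirms) -> bool:
    """Console policy: a mismatch prompts; confirmation replaces the pin."""
    if store.check(server, presented) != "mismatch":
        return True
    if admin_confirms(server, fingerprint(presented)):
        store.repin(server, presented)
        return True
    return False

if __name__ == "__main__":
    agent, console = PinStore(), PinStore()
    for cert in (OLD_CERT, OLD_CERT, NEW_CERT):
        print("agent allowed:", agent_connect(agent, "ksc.example", cert))
    console_connect(console, "ksc.example", OLD_CERT, lambda s, fp: False)
    # The administrator confirms only a fingerprint obtained out of band.
    expected = fingerprint(NEW_CERT)
    ok = console_connect(console, "ksc.example", NEW_CERT, lambda s, fp: fp == expected)
    print("console re-pinned:", ok)
```

In this model the stored copy is only as trustworthy as the first connection and the administrator's confirmation, which is why the confirmation callback compares against a fingerprint obtained separately.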
About Administration Server certificate
Two operations are performed based on the Administration Server certificate: Administration Server authentication during connection by Administration Console and data exchange with devices. The certificate is also used for authentication when the primary Administration Servers are connected to secondary Administration Servers.
Certificate issued by Kaspersky
The Administration Server certificate is created automatically during installation of the Administration Server component and it is stored in the %ALLUSERSPROFILE%\Application Data\KasperskyLab\adminkit\1093\cert folder.
The Administration Server certificate is valid for five years if the certificate was issued before September 1, 2020. Otherwise, the certificate validity term is limited to 397 days. A new certificate is generated by the Administration Server as the reserve certificate 90 days before the expiration date of the current certificate. Subsequently, the new certificate automatically replaces the current certificate one day before the expiration date. All Network Agents on the client devices are automatically reconfigured to authenticate the Administration Server with the new certificate.
Custom certificates
If necessary, you can assign a custom certificate for the Administration Server. For example, this may be necessary for better integration with the existing PKI of your enterprise or for custom configuration of the certificate fields.
The maximum validity period for any of the Administration Server certificates must be 397 days or less.
When the certificate is replaced, all Network Agents that were previously connected to Administration Server through SSL will lose their connection and will return "Administration Server authentication error." To eliminate this error, you will have to restore the connection after the certificate replacement.
If the Administration Server certificate is lost, you must reinstall the Administration Server component, and then restore the data in order to recover it.