Contents
- Managing Kaspersky Thin Client security certificates through the Web Console
- About the reserve certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
- Creating a user certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
- Uploading a reserve certificate and user certificate to the Web Console for connecting Kaspersky Thin Client to Kaspersky Security Center
- Adding new certificates in the Web Console
- Removing certificates from the Web Console
- Converting a certificate from PEM to DER format
Managing Kaspersky Thin Client security certificates through the Web Console
You can use the Web Console to manage security certificates for a group of devices that have the Kaspersky Thin Client operating system installed. You can view valid certificates, add certificates, or delete them.
After security certificates for connecting to remote desktops or to a log server are added in the Kaspersky Security Center Web Console, thin clients in the administration group will switch to trusted mode. In this case, you will not be able to add certificates through the Kaspersky Thin Client interface.
In the Certificates section, the following information is displayed for each valid certificate:
- File name shows the certificate file name and its format.
- Issuer name shows information about the organization that issued the certificate.
- Subject name shows information about the application for which the certificate was issued.
- Valid from shows the start date of certificate validity.
- Valid to shows the end date of certificate validity.
- Certificate fingerprint shows the certificate hash calculated from all certificate details and its signature.
You can sort the list of certificates based on their validity start and end dates, issuer and subject names.
About the reserve certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
To connect to Kaspersky Security Center, Kaspersky Thin Client uses a mobile certificate of the Kaspersky Security Center Administration Server. This mobile certificate is created by using the Administration Server quick start wizard after installing Kaspersky Security Center. The default validity period of an issued certificate is one year. When connecting to Kaspersky Security Center, Kaspersky Thin Client checks the validity of the certificate. If necessary, you can issue a new (reserve) mobile certificate or configure a rule for issuing certificates. For details on creating a new mobile certificate for the Kaspersky Security Center Administration Server, see the Working with certificates of mobile devices section and the Reissuing the Web Server certificate section of the Kaspersky Security Center Online Help Guide. For details on configuring rules for issuing certificates, see the Configuring certificate issuance rules section of the Kaspersky Security Center Online Help Guide.
Managed devices and devices included in an administration group will receive the new (reserve) certificate for connecting Kaspersky Thin Client to Kaspersky Security Center after Kaspersky Thin Client synchronizes with Kaspersky Security Center. The new (reserve) certificate will be saved in the Kaspersky Thin Client certificate store and will be used to connect thin clients to Kaspersky Security Center when the currently used certificate expires.
You can also issue a user certificate for connecting Kaspersky Thin Client to Kaspersky Security Center. In this case, the created user certificate must be uploaded to the Web Console as the mobile certificate. For detailed information about the requirements applied to Kaspersky Security Center user certificates, see the Requirements for custom certificates used in Kaspersky Security Center section of the Kaspersky Security Center Online Help Guide.
Creating a user certificate for connecting Kaspersky Thin Client to Kaspersky Security Center
You can use a user certificate for connecting Kaspersky Thin Client to Kaspersky Security Center. For detailed information about the requirements applied to Kaspersky Security Center certificates, see the Requirements for custom certificates used in Kaspersky Security Center section of the Kaspersky Security Center Online Help Guide. We recommend using a user certificate when migrating a group of devices running Kaspersky Thin Client to a new Kaspersky Security Center Administration Server. After the user certificate is created, it must be uploaded to the Web Console as a mobile certificate. You can use the OpenSSL tool to create a user certificate.
To create a user certificate for connecting Kaspersky Thin Client to Kaspersky Security Center using the OpenSSL tool:
- Start the console and go to the folder in which you want to create the certificate.
- In the console, start the OpenSSL tool and run the following command:
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out server.pem -days 729 -subj '/CN=mydomain.ru/C=RU/L=Moscow/O=My Organization Name/OU=My Organization Unit Name' -addext "keyUsage = digitalSignature, keyEncipherment, dataEncipherment, cRLSign, keyCertSign" -addext "extendedKeyUsage = serverAuth, clientAuth"
where:
- -keyout key.pem is the name of the file in which the private key of the created certificate will be saved.
- -out server.pem is the name of the file in which the created certificate will be saved.
- -days is a setting that defines the validity term of the created certificate, in days. We recommend setting a certificate validity term of no more than 729 days.
- -subj '/CN=mydomain.ru/C=RU/L=Moscow/O=My Organization Name/OU=My Organization Unit Name' is the data of your organization: domain name, location, name.
- Enter and confirm the password for the private certificate key. This password will need to be entered when uploading the user certificate to the Web Console as a mobile certificate. There are no special password requirements.
As a result, the following two files will be created in the folder where you ran the command:
- server.pem is a certificate file for connecting Kaspersky Thin Client to Kaspersky Security Center.
- key.pem is a private key of the certificate for connecting Kaspersky Thin Client to Kaspersky Security Center.
If necessary, you can convert a certificate file from PEM to DER format.
Uploading a reserve certificate and user certificate to the Web Console for connecting Kaspersky Thin Client to Kaspersky Security Center
If you created a user certificate or a reserve certificate for connecting Kaspersky Thin Client to Kaspersky Security Center, you must upload the created certificate to the Web Console as a mobile certificate.
It is recommended to first verify that the user certificate meets the requirements of Kaspersky Security Center. For detailed information about the requirements applied to Kaspersky Security Center certificates, see the Requirements for custom certificates used in Kaspersky Security Center section of the Kaspersky Security Center Online Help Guide.
To upload a certificate to the Web Console for connecting Kaspersky Thin Client to Kaspersky Security Center:
- In the menu of the Kaspersky Security Center Web Console, click the icon next to the name of the Kaspersky Security Center Administration Server.
The Administration Server properties window opens.
- In the list of subsections, select Certificates.
- In the window that opens, in the Administration Server authentication by mobile devices block, select Other certificate and click the Manage certificate button.
- In the panel that opens on the right, click Browse and do the following:
- In the Certificate type drop-down list, select X.509 certificate.
- If the user certificate is protected with a password, enter the password.
- Select the user certificate file by clicking the Browse button in the Certificate block.
- Select the private key for the user certificate by clicking the Browse button in the Private key block.
- Click Save to add the certificate.
- Click Save to save the changes you made in the Certificates subsection.
The certificate for connecting Kaspersky Thin Client to Kaspersky Security Center will be uploaded to the Web Console as a mobile certificate.
Adding new certificates in the Web Console
For thin clients that are members of an administration group, you can add new certificates in the Web Console for securely connecting to remote desktops (via RDP or under Basis.WorkPlace management) or to a log server.
After certificates for securely connecting to remote desktops or to a log server are added to the Web Console, devices in the administration group will switch to trusted mode. In this case, you will not be able to add certificates through the Kaspersky Thin Client interface.
To add new certificates through the Web Console:
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the policy name for the Kaspersky Security Management Suite web plug-in.
- In the window that opens, select the Application settings tab.
- Select the Certificates section.
- In the Valid certificates table, click the Add button in the upper part of the table.
- In the panel that opens on the right, select all certificates that were previously uploaded and select the new certificates. The total size of the uploaded files must not exceed 1 MB. You can upload certificates only in DER format. Each certificate file must contain only one certificate. If necessary, you can convert certificates from PEM to DER format in advance.
- Click OK to confirm the upload of the selected certificates.
The selected certificates will be uploaded and information about them will be displayed in the Valid certificates table.
Removing certificates from the Web Console
For thin clients that are members of an administration group, you can remove the certificates for securely connecting to remote desktops (via RDP or under Basis.WorkPlace management) or to a log server from the Web Console.
When you remove a certificate, you will no longer be able to use the Kaspersky Thin Client interface to securely connect to servers where this certificate or certificates signed by it are installed.
After certificates for securely connecting to remote desktops or to a log server are removed from the Web Console, Kaspersky Thin Client devices that are members of an administration group will be switched out of trusted mode. To connect to remote desktops or to a log server, you will have to add certificates in the Kaspersky Thin Client interface.
To remove certificates:
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the policy name for the Kaspersky Security Management Suite web plug-in.
- In the window that opens, select the Application settings tab.
- Select the Certificates section.
- In the Valid certificates table, select the check boxes next to the certificates that you need to remove.
- Click Delete and confirm deletion.
The selected certificates will be removed.
Converting a certificate from PEM to DER format
Kaspersky Security Management Suite supports uploading of certificates only in DER format. You can convert a certificate file from PEM to DER format.
To carry out these instructions on the local computer, you must have the OpenSSL tool.
To convert a certificate file from PEM to DER format:
- Start the console on the local computer.
- Go to the folder containing the PEM certificate file and run the following file conversion command:
openssl x509 -outform der -in <certificate file name>.pem -out <certificate file name>.der
where:
- <certificate file name>.pem is the original certificate file name in PEM format.
- <certificate file name>.der is the converted certificate file name in DER format.
The new certificate file in DER format will be generated in this same folder.
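A pre-upload check for the constraints stated in the Adding new certificates section (DER only, one certificate per file, 1 MB total), written in Python so it runs without OpenSSL; this is an added example, not part of the Kaspersky documentation or tooling. The function names, file names and the reading of 1 MB as 1,048,576 bytes are assumptions, and the sample certificates are constructed placeholders.

```python
import base64
import re

MAX_TOTAL_BYTES = 1024 * 1024  # assumption: the page's "1 MB" read as 1 MiB
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block in pem_text."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]

def is_single_der_sequence(der):
    """True if der is one ASN.1 SEQUENCE whose length covers all bytes."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                     # short-form length
        header, length = 2, der[1]
    else:                                 # long form: next n bytes hold it
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_upload_set(pem_files):
    """pem_files maps file name -> PEM text; returns (der_files, problems)."""
    der_files, problems = {}, []
    for name, text in pem_files.items():
        ders = pem_to_der_list(text)
        if len(ders) != 1:
            problems.append(f"{name}: {len(ders)} certificates, expected 1")
        elif not is_single_der_sequence(ders[0]):
            problems.append(f"{name}: body is not one DER SEQUENCE")
        else:
            der_files[name.rsplit(".", 1)[0] + ".der"] = ders[0]
    total = sum(len(d) for d in der_files.values())
    if total > MAX_TOTAL_BYTES:
        problems.append(f"total {total} bytes exceeds the 1 MB limit")
    return der_files, problems

def fake_pem(n):
    """Constructed placeholder: a SEQUENCE of n zero bytes, not a real cert."""
    der = b"\x30\x82" + n.to_bytes(2, "big") + bytes(n)
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE = {"rdp-ca.pem": fake_pem(300),                  # one certificate: accepted
          "chain.pem": fake_pem(300) + fake_pem(400)}   # bundle of two: rejected
print(check_upload_set(SAMPLE)[1])
```

The check covers only the PEM framing and the outer DER length; it does not validate the certificate's fields or signature.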