Symantec Endpoint Protection clients no longer communicate with the Manager when using custom SSL certificates

Article ID: 157159


Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection may be affected by Microsoft Security Advisory KB 2661254 if the administrator has configured client communications via SSL with a self-signed certificate using a key length less than 1024 bits. In this situation the administrator must take steps to ensure client-to-server communication is not disrupted.


Information about the Microsoft update

Microsoft released an update (KB 2661254) on August 14, 2012, which ends support for certificates that use the RSA algorithm with key lengths less than 1024 bits. After applying Microsoft’s update, all certificates with key lengths less than 1024 bits will be treated as invalid.

The update is available on the Microsoft Download Center as well as the Microsoft Update Catalog for all supported releases of Microsoft Windows. In addition, Microsoft is planning to release this update through Microsoft Update in October, 2012 after customers have a chance to assess the impact of this update and take necessary actions to use certificates with RSA keys greater than or equal to 1024 bits in length in their enterprise.

You can find more information about the update in the following links:

Description and Instruction for Updating Certificates
http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx

Description and Instruction for Workarounds
http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than-1024-bits-part-2.aspx


Symantec Product Impact

This update does not impact Symantec Endpoint Protection with respect to code signing and Authenticode, or with respect to internally issued and used certificates. Signed code and internally issued/used certificates use key lengths of 1024 bits or higher.

This update may impact customers who meet the following criteria:

  • You have configured SSL between Symantec Endpoint Protection Manager and clients
  • You have provided your own self-signed certificates and the key length is less than 1024 bits
  • Microsoft KB 2661254 is installed, or will be installed by Microsoft Update, on the clients

If these three criteria are met, Symantec Endpoint Protection clients will stop communicating with the management server.

(Note: If Microsoft KB 2661254 is applied to the management server only (not to clients), client communication is unaffected. However, the Home, Monitors, and Reports windows cannot be displayed, and the web console cannot log in.)

Symantec recommends reviewing certificates that are used for SSL communication to ensure they are 1024 bit or higher.


Resolution


Determining the certificate length

Symantec recommends reviewing certificates that are used for SSL communication to ensure they are 1024 bit or higher.


To determine the certificate length for SEP 11.0 in Windows 2003

  1. Click Start > Settings > Control Panel > Administrative Tools > IIS Manager.
  2. In the Internet Information Services window, expand the host node, right-click Symantec Web Server (or Default Web Site in versions before MR2), and then click Properties.
  3. In the Symantec Web Server (or Default Web Site) Properties window, on the Directory Security tab, under Secure Communications, click View Certificate.
  4. On the Details tab, check the value of the “Public key” field.

If the certificate key length is less than 1024 bits, follow the instructions below to mitigate or remediate the issue.


To determine the certificate length for SEP 11.0 in Windows 2008

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. On the Connections pane, on the left side of the IIS Manager window, select the local IIS server.
  3. In the Home panel, double click Server Certificates.
  4. Click the certificate.
  5. In the Actions panel, click View....
  6. On the Details tab, check the value of the “Public key” field.

If the certificate key length is less than 1024 bits, follow the instructions below to mitigate or remediate the issue.


To determine the certificate length in SEP 12.1

  1. In Windows Explorer, go to the SEPM program files directory.
  2. Go to apache\conf\ssl\.
  3. Double click server.crt.
  4. On the Details tab, check the value of the “Public key” field.


Preventing the issue

Before installing KB 2661254, the SEPM administrator can mitigate the issue by creating and installing a new certificate. The newly-created certificate must have a key length of 1024 bits or higher.


To prevent the issue for SEP 12.1

For SEP 12.1, follow the steps in the Symantec Endpoint Protection Implementation Guide, sections “Upgrading a server certificate” and “Upgrading server security certificates without orphaning clients.”


To prevent the issue for SEP 11.0 on Windows Server 2003

For SEP 11.0 on Windows 2003, remove the old SSL certificate from the SEPM IIS web site, install a new one, and then perform the steps outlined in Configuring Secure Sockets Layer (SSL) to work with the Symantec Endpoint Protection 11.x reporting functions on Windows Server 2003.


To remove the existing certificate on Windows 2003

  1. Click Start > Settings > Control Panel > Administrative Tools > IIS Manager.
  2. In the Internet Information Services window, expand the host node, right-click Symantec Web Server (or Default Web Site in versions before MR2), and then click Properties.
  3. In the Symantec Web Server (or Default Web Site) Properties window, on the Directory Security tab, under Secure Communications, click Server Certificate.
  4. In the Certificate Wizard dialog box, click Next.
  5. In the Modify the Current Certificate Assignment window, select Remove the current certificate, and click Next.
  6. Click Next again.
  7. Click Finish.


To prevent the issue for SEP 11.0 on Windows Server 2008

For SEP 11.0 on Windows 2008, remove the old SSL certificate from the SEPM IIS web site, install a new one, and then perform the steps outlined in Configuring Endpoint Protection Manager (SEPM) for SSL on Windows 2008.


To remove the existing certificate on Windows 2008

  1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
  2. On the Connections pane on the left side of the IIS Manager window, select the local IIS server.
  3. In the Home panel, double-click Server Certificates.
  4. Click the certificate you want to remove.
  5. In the Actions panel, click Remove.


Remediation

If you have already installed KB 2661254 and are experiencing certificate rejection on the client, you will need to take one of the following remediation actions:


Use SylinkReplacer to restore communications

  1. Install a new server certificate as outlined above in the “Preventing the issue” section.
  2. Follow the instructions in Using the "SylinkReplacer" Utility to deploy the updated certificate to clients with the SylinkReplacer tool.

Note: You will need to contact Symantec Technical Support to obtain the SylinkReplacer tool.


Use Microsoft certutil to temporarily lower the key length restriction

  1. Run or script the following command on each affected client (adjust “512” to match the key length of the previously-installed certificate):
    certutil -setreg chain\minRSAPubKeyBitLength 512

    This allows the clients to communicate with the server again.
  2. Install a new server certificate as outlined above in the “Preventing the issue” section.
  3. Run or script the following command on each client:
    certutil -setreg chain\minRSAPubKeyBitLength 1024
    This restores the key length restriction as originally set by Microsoft KB 2661254.

Note: The certutil command will affect all certificate checks on the client.
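The manual checks in “Determining the certificate length” and the certutil override above can be audited from one script. This is an added example, not part of the Symantec article: it assumes Windows PowerShell on the SEPM host, the default SEP 12.1 install directory in $SepmHome (adjust as needed), and that SEP 11.0 certificates are in the IIS machine store. It flags any RSA certificate below 1024 bits and warns if the minRSAPubKeyBitLength override set by certutil is still lowered.

```powershell
# Added example (not from the Symantec article). Audits the SEPM SSL certificate key
# length and reports whether the temporary certutil override is still in place.
param(
    # Assumed SEP 12.1 install directory; change to match your environment.
    [string]$SepmHome = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection Manager",
    [int]$MinimumBits = 1024   # threshold enforced by KB 2661254
)

function Get-RsaKeyBits {
    # Returns the RSA public key size in bits, or $null for non-RSA certificates.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if ($Cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return $null }
    return $Cert.PublicKey.Key.KeySize
}

function Test-CertificateFile {
    # Loads a PEM or DER certificate file and reports whether clients will reject it.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $bits = Get-RsaKeyBits $cert
    $status = 'OK'
    if ($bits -and $bits -lt $MinimumBits) { $status = 'WEAK - rejected after KB 2661254' }
    [pscustomobject]@{ Source = $Path; Subject = $cert.Subject; KeyBits = $bits; Status = $status }
}

function Get-MinRsaOverride {
    # Reads the registry value written by 'certutil -setreg chain\minRSAPubKeyBitLength'.
    $key = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
    $item = Get-ItemProperty -Path $key -Name MinRsaPubKeyBitLength -ErrorAction SilentlyContinue
    if ($item) { return [int]$item.MinRsaPubKeyBitLength }
    return $null
}

# SEP 12.1: the Apache certificate path named in the article.
$crt = Join-Path $SepmHome 'apache\conf\ssl\server.crt'
if (Test-Path $crt) { Test-CertificateFile -Path $crt | Format-List }

# SEP 11.0: the certificate is bound in IIS, so check every RSA certificate in the machine store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $bits = Get-RsaKeyBits $_
    if ($bits -and $bits -lt $MinimumBits) {
        Write-Warning ("{0} (thumbprint {1}) uses a {2}-bit RSA key" -f $_.Subject, $_.Thumbprint, $bits)
    }
}

# Detect a host where the temporary remediation override was never restored to 1024.
$override = Get-MinRsaOverride
if ($null -ne $override -and $override -lt $MinimumBits) {
    Write-Warning "minRSAPubKeyBitLength is lowered to $override; restore it to 1024 once the new certificate is deployed."
}
```

Run the same script on a sample of clients after remediation to confirm none still carries the lowered override, since it weakens every certificate check on that machine.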


Replication environment concerns

After updating the certificate in a replication environment, the SEPM administrator must ensure that each replication partner trusts the new certificate.


To trust the new certificate in SEP 12.1

  1. Open the SEPM console on the first replication partner.
  2. On the Admin tab, select the server on which the certificate was updated.
  3. Perform a “Check certificate” operation.
  4. Repeat this process for each replication partner.


To trust the new certificate in SEP 11.0

  1. Open the SEPM console on the first replication partner.
  2. On the Admin tab, select the server on which the certificate was updated.
  3. Remove the server.
  4. Add the server again as a replication partner.
  5. Repeat this process for each replication partner.