Endpoint Protection Certificate and Encryption Best Practices

Article ID: 158660

Products

Endpoint Protection

Issue/Introduction

How best to customize the certificates and encryption methods used by the Symantec Endpoint Protection Manager (SEPM) to secure client-server communications.

Resolution

Managing Certificates

Certificate Keys

Follow any organizational or governmental requirements for key usage, and use at minimum a 2048-bit RSA key with SHA-256 signatures (SHA256RSA). The larger the key, the harder it is to brute-force, but larger keys take significantly longer to generate and require more CPU time.

The SEPM uses a 2048-bit SHA256RSA keypair by default and supports keys up to 8192 bits.

Note: current versions of SEPM 14 require a manual change to support keys larger than 2048 bits. See "Failed to Connect to Server error when logging into management console" for more information.

Certificate Authority Signing

When replacing the built-in self-signed certificate on your manager with a Certificate Authority (CA) signed certificate, work with your CA to generate a new CA-signed certificate containing your organization's information, rather than exporting a Certificate Signing Request (CSR) from the default self-signed certificate. Make sure you know any organizational or compliance requirements governing the use of certificates in your environment before generating a CA-signed certificate. Common questions you should be able to answer before generating your certificate(s) include:

  1. Are there any specific requirements regarding private key length?
  2. Are there any specific requirements regarding signature algorithms?
  3. Are there any specific requirements regarding signature key algorithms?
  4. Can the Common Name (CN) field contain wildcards (*)?
  5. Can certificates contain IP addresses in the CN field, or as Subject Alternative Name (SAN) entries?
  6. Can certificates be signed by intermediate Certificate Authorities (CAs)?
  7. Are certificates required to be cross-signed?
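As an added example (not from the article), this POSIX shell script uses OpenSSL to generate a fresh 2048-bit RSA key and SHA-256 CSR for the manager and then checks the CSR against checklist items 1, 2, 4 and 5. The subject fields, hostname and IP address are constructed placeholders, and importing the CA-signed result into the SEPM is not covered here.

```shell
#!/bin/sh
# Added example (not from the Broadcom article). Generates a fresh 2048-bit RSA key
# and SHA-256 CSR with the organization's own subject, then audits the CSR against
# the checklist. Subject fields, hostname and IP are constructed placeholder values.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/sepm.key"
CSR="$WORK/sepm.csr"

# Items 1/2: 2048-bit RSA key, CSR signed with SHA-256 (sha256WithRSAEncryption).
# Items 4/5: no wildcard CN; DNS and IP SAN entries included so CA policy can be checked.
make_csr() {
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$KEY" -out "$CSR" \
    -subj "/C=US/O=Example Corp/OU=Security/CN=sepm.example.com" \
    -addext "subjectAltName=DNS:sepm.example.com,IP:192.0.2.10" 2>/dev/null
}

csr_text() { openssl req -in "$CSR" -noout -text; }

# Public key length in bits, parsed from the CSR (OpenSSL 1.1.1 and 3.x output formats).
csr_key_bits() { csr_text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }

# Signature algorithm used on the CSR (the line appears twice, so take the first).
csr_sig_alg() { csr_text | sed -n 's/^ *Signature Algorithm: \(.*\)$/\1/p' | head -n 1; }

# Exit 0 if the CN or any SAN contains a wildcard (item 4).
csr_has_wildcard() { csr_text | grep -q '\*'; }

# Exit 0 if an IP address SAN is present (item 5).
csr_has_ip_san() { csr_text | grep -q 'IP Address:'; }

# Prints "ok" when the key length and signature algorithm meet the article's minimum.
audit_csr() {
  bits=$(csr_key_bits)
  alg=$(csr_sig_alg)
  if [ "${bits:-0}" -ge 2048 ] && [ "$alg" = "sha256WithRSAEncryption" ]; then
    echo ok
  else
    echo weak
  fi
}

make_csr
echo "key: $(csr_key_bits) bits, signature: $(csr_sig_alg), audit: $(audit_csr)"
if csr_has_wildcard; then echo "wildcard present"; else echo "no wildcard"; fi
if csr_has_ip_san; then echo "IP SAN present"; fi
```

Run the audit functions against a CSR or certificate your CA returns by pointing CSR at that file (use `openssl x509` in place of `openssl req` for a signed certificate).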