How best to customize the certificates and encryption methods used by the Symantec Endpoint Protection Manager (SEPM) to secure client-server communications.
Follow any organizational or governmental requirements for key usage, and ensure you use a minimum 2048 bit SHA256RSA key. The larger the key used, the more difficult it is to brute force, but larger keys take significantly longer to generate, and require more CPU time.
The SEPM uses a 2048 bit SHA256RSA keypair by default and supports keys up to 8192 bits.
Note: current versions of SEPM 14 require a manual change to support keys larger than 2048 bits. See Failed to Connect to Server error when logging into management console for more information.
Certificate Authority Signing
When replacing the built in self-signed certificate on your manager with a Certificate Authority (CA) signed certificate, work with your Certificate Authority (CA) to generate a new, CA signed certificate with your organization's information instead of exporting a Certificate Signing Request (CSR) from the default self-signed certificate. Be sure you are aware of any organizational or compliancy requirements governing the use of certificates in your environment before generating a CA signed certificate. Some common questions you should be able to answer before generating your certificate(s) are: