Respond to an Endpoint Protection Manager certificate compromise

Article ID: 159171

Products

Endpoint Protection

Issue/Introduction

The private key for your Symantec Endpoint Protection Manager (SEPM) certificate may have been compromised and you need the best practice to secure your environment.

Resolution

To maintain the integrity of your Public Key Infrastructure (PKI), treat any suspected compromise of a manager's private key as real: replace the certificate, together with its key pair, on every affected manager as soon as possible.

Generating a new default self-signed certificate

If your manager is configured to use the default self-signed certificate, you will need to generate a new certificate with a new public/private key pair. Issuing a new certificate over the old key pair does not help, because whoever holds the compromised private key can still impersonate the manager.

  1. Open a command prompt window and change directories to \Symantec Endpoint Protection Manager\jre\bin.
  2. Enter the following command: keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias tomcat -keystore keystore.jks -storepass <your password> -validity 3680 -keysize 2048
  3. You will be prompted for the following:
    • first and last name (The Fully Qualified Domain Name (FQDN) or hostname of your manager computer)
    • organizational unit (default: ESG)
    • organization (default: Symantec Corporation)
    • City or Locality (default: Mountain View)
    • State or Province (default: CA)
    • country code (default: US)
  4. At the prompt, confirm your answers are correct, type yes and press the Enter key.
  5. When prompted to "Enter key password for <tomcat>", press the Enter key to use the same keystore password you specified on the command line above.
  6. This command writes the public/private key pair and certificate to a Java keystore file called keystore.jks in the \Symantec Endpoint Protection Manager\jre\bin folder. If a keystore.jks already exists in that folder, move it aside first: keytool will not replace an existing entry with the alias tomcat.
  7. Note the name, location and keystore password for future reference.
  8. Follow the steps in Updating the server certificate on an Endpoint Protection Manager without breaking client-server communications to update your manager with the new certificate.
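The procedure above, run non-interactively as one PowerShell script. This is an added example and is not part of the Broadcom article: it answers the keytool prompts of steps 3 to 5 with -dname and -keypass, then reads the new keystore back and exports the public certificate for step 8. $SepmHome (the install root that contains \jre\bin), $Fqdn and the optional $CompromisedSha256 (the fingerprint of the compromised certificate, if it was recorded) are assumptions supplied by the operator; the SAN extension is an addition not mentioned in the article.

```powershell
# Added example, not from the Broadcom article. Assumptions (hypothetical, operator-supplied):
# $SepmHome is the manager install root containing \jre\bin, $Fqdn is the manager's DNS name,
# $CompromisedSha256 is the recorded SHA-256 fingerprint of the compromised certificate.
param(
    [Parameter(Mandatory)][string]$SepmHome,
    [Parameter(Mandatory)][string]$Fqdn,
    [string]$CompromisedSha256
)
$ErrorActionPreference = 'Stop'

$binDir  = Join-Path $SepmHome 'jre\bin'        # step 1: work in \jre\bin
$keytool = Join-Path $binDir  'keytool.exe'
$ks      = Join-Path $binDir  'keystore.jks'    # step 6: the keystore is written here
if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool" }
if (Test-Path $ks) { throw "$ks already exists; move it aside, keytool will not replace alias 'tomcat'" }

# Prompt for the keystore password rather than echoing it on the command line.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR(
            (Read-Host -Prompt 'New keystore password' -AsSecureString))
$storePass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Run keytool, fail loudly on a non-zero exit, return its output lines.
function Invoke-Keytool {
    param([string[]]$KeytoolArgs)
    $out = & $keytool @KeytoolArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed:`n$($out -join "`n")" }
    $out
}

# Steps 2-5: the article's suggested DN supplied via -dname; -keypass equal to -storepass
# matches pressing Enter at the key-password prompt. -genkeypair is the current name of -genkey.
$dname = "CN=$Fqdn, OU=ESG, O=Symantec Corporation, L=Mountain View, ST=CA, C=US"
Invoke-Keytool @('-genkeypair', '-keyalg', 'RSA', '-keysize', '2048', '-sigalg', 'SHA256withRSA',
                 '-alias', 'tomcat', '-dname', $dname, '-ext', "SAN=dns:$Fqdn", '-validity', '3680',
                 '-keystore', $ks, '-storepass', $storePass, '-keypass', $storePass) | Out-Null

# Step 7 plus a sanity check: read the entry back, record its fingerprint, and make sure
# it is really a new key pair and not the compromised one.
$text  = (Invoke-Keytool @('-list', '-v', '-alias', 'tomcat', '-keystore', $ks, '-storepass', $storePass)) -join "`n"
$newFp = [regex]::Match($text, 'SHA256:\s*([0-9A-F:]+)').Groups[1].Value
if (-not $newFp) { throw 'Could not read the SHA-256 fingerprint from keytool -list -v' }
if ($text -notmatch 'Signature algorithm name:\s*SHA256withRSA') { throw 'Unexpected signature algorithm' }
if ($CompromisedSha256 -and ($newFp -eq $CompromisedSha256.ToUpper())) {
    throw 'New certificate has the same fingerprint as the compromised one; the key pair was not regenerated'
}

# Export the new public certificate (PEM) for the hand-off to the manager update in step 8.
$crt = Join-Path $binDir 'sepm-new.crt'
Invoke-Keytool @('-exportcert', '-rfc', '-alias', 'tomcat', '-keystore', $ks,
                 '-storepass', $storePass, '-file', $crt) | Out-Null
$storePass = $null

[pscustomobject]@{ Keystore = $ks; Alias = 'tomcat'; Sha256 = $newFp; Certificate = $crt }
```

Keep the returned keystore path, alias and fingerprint with your change record; the fingerprint is also what you compare against in the console after the update to confirm the manager is serving the new certificate.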

Obtaining a new Certificate Authority (CA) signed certificate

If your manager uses a CA-signed certificate, contact the certificate issuer for assistance with both of the following: obtaining a certificate for a new, uncompromised public/private key pair, and revoking the compromised certificate so that it can no longer be presented as the manager's identity.

Follow the steps in Updating the server certificate on an Endpoint Protection Manager without breaking client-server communications to update your manager with the new certificate.
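The keytool side of the CA-signed replacement, as an added example that is not part of the Broadcom article: a Request stage that creates the new key pair and a PKCS#10 certificate signing request for the issuer, and an Import stage that installs the issuer's reply over the same alias. Revocation of the compromised certificate is done by the issuer and is not shown. $SepmHome and $Fqdn are operator-supplied assumptions as before; it is also assumed the CA accepts a CSR file and returns the signed certificate plus its root and intermediate certificates as separate files.

```powershell
# Added example, not from the Broadcom article. Assumptions (hypothetical): $SepmHome is the
# install root containing \jre\bin, $Fqdn is the manager's DNS name, the CA accepts the CSR
# written here and returns $CaReplyFile plus the chain certificates in $CaChainFiles.
param(
    [Parameter(Mandatory)][string]$SepmHome,
    [Parameter(Mandatory)][string]$Fqdn,
    [Parameter(Mandatory)][ValidateSet('Request', 'Import')][string]$Stage,
    [string]$CaReplyFile,              # Import stage: certificate issued by the CA
    [string[]]$CaChainFiles = @()      # Import stage: CA root and intermediate certificates
)
$ErrorActionPreference = 'Stop'
$binDir  = Join-Path $SepmHome 'jre\bin'
$keytool = Join-Path $binDir 'keytool.exe'
$ks      = Join-Path $binDir 'keystore.jks'
$csr     = Join-Path $binDir 'sepm.csr'

$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR(
            (Read-Host -Prompt 'Keystore password' -AsSecureString))
$storePass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

function Invoke-Keytool {
    param([string[]]$KeytoolArgs)
    $out = & $keytool @KeytoolArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed:`n$($out -join "`n")" }
    $out
}

switch ($Stage) {
    'Request' {
        if (Test-Path $ks) { throw "$ks already exists; move the compromised keystore aside first" }
        # A fresh key pair, generated locally so the private key never leaves the manager.
        # No -validity: the issuer decides the lifetime of the certificate it signs.
        $dname = "CN=$Fqdn, OU=ESG, O=Symantec Corporation, L=Mountain View, ST=CA, C=US"
        Invoke-Keytool @('-genkeypair', '-keyalg', 'RSA', '-keysize', '2048', '-sigalg', 'SHA256withRSA',
                         '-alias', 'tomcat', '-dname', $dname, '-ext', "SAN=dns:$Fqdn",
                         '-keystore', $ks, '-storepass', $storePass, '-keypass', $storePass) | Out-Null
        # PKCS#10 request signed with the new private key; this file goes to the issuer.
        Invoke-Keytool @('-certreq', '-alias', 'tomcat', '-sigalg', 'SHA256withRSA', '-ext', "SAN=dns:$Fqdn",
                         '-keystore', $ks, '-storepass', $storePass, '-keypass', $storePass, '-file', $csr) | Out-Null
        "CSR written to $csr. Submit it to the issuer and ask them to revoke the compromised certificate."
    }
    'Import' {
        if (-not $CaReplyFile) { throw 'Import stage needs -CaReplyFile' }
        # Trust anchors go in first, each under its own alias, so keytool can build the chain
        # from the reply; without them the import fails with "Failed to establish chain from reply".
        $i = 0
        foreach ($f in $CaChainFiles) {
            Invoke-Keytool @('-importcert', '-noprompt', '-alias', "ca-$i", '-file', $f,
                             '-keystore', $ks, '-storepass', $storePass) | Out-Null
            $i++
        }
        # Importing the reply under the key's own alias replaces the self-signed placeholder
        # with the CA-issued chain; the private key is untouched.
        Invoke-Keytool @('-importcert', '-trustcacerts', '-alias', 'tomcat', '-file', $CaReplyFile,
                         '-keystore', $ks, '-storepass', $storePass, '-keypass', $storePass) | Out-Null
        $text = (Invoke-Keytool @('-list', '-v', '-alias', 'tomcat', '-keystore', $ks, '-storepass', $storePass)) -join "`n"
        # A chain length of 1 means alias tomcat still holds only the self-signed placeholder.
        if ($text -notmatch 'Certificate chain length:\s*([2-9]|\d{2,})') { throw 'CA reply was not installed over alias tomcat' }
        $fp = [regex]::Match($text, 'SHA256:\s*([0-9A-F:]+)').Groups[1].Value
        [pscustomobject]@{ Keystore = $ks; Alias = 'tomcat'; LeafSha256 = $fp }
    }
}
$storePass = $null
```

Run the Request stage, send sepm.csr to the issuer, then run the Import stage with the files they return; only then proceed to the manager update described above. Ask the issuer to confirm the revocation separately; nothing in keytool can verify that the old certificate has been revoked.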