The private key for your Symantec Endpoint Protection Manager (SEPM) certificate may have been compromised, and you need the best practice for securing your environment.
To maintain the integrity of your Public Key Infrastructure (PKI), you must assume any suspected compromise of your manager's private key is legitimate. Steps must be taken to replace the certificate on compromised managers as soon as possible.
Generating a new default self-signed certificate
If your manager is configured to use the default self-signed certificate, you will need to generate a new certificate, with a new public/private key pair.
Obtaining a new Certificate Authority (CA) signed certificate
If you updated your manager with a CA-signed certificate, you will need to contact the certificate issuer for assistance in doing both of the following: generating a new, uncompromised public/private key pair, and revoking the compromised certificate.
Follow the steps in "Updating the server certificate on an Endpoint Protection Manager without breaking client-server communications" to update your manager with the new certificate.
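Before installing the replacement, confirm that it really carries a new key pair, because a certificate reissued from the old key or an old signing request is still exposed to whoever holds the compromised private key. The Python below is an added example, not Symantec's tooling: it compares SHA-256 fingerprints of the subjectPublicKeyInfo in two DER certificates. The `constructed_cert` helper and its byte values are constructed, unsigned stand-ins for real certificates, and `pem_file_to_der` assumes your certificates are exported as PEM files.

```python
import hashlib
import ssl

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 of the DER subjectPublicKeyInfo inside an X.509 certificate."""
    _, tbs_at, _ = _read_tlv(cert_der, 0)      # outer Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, tbs_at)    # tbsCertificate SEQUENCE
    tag, _, after = _read_tlv(cert_der, pos)
    pos = after if tag == 0xA0 else pos        # skip the optional [0] version
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, spki_end = _read_tlv(cert_der, pos)
    return hashlib.sha256(cert_der[pos:spki_end]).hexdigest()

def key_was_replaced(old_der, new_der):
    """True only if the new certificate carries a different public key."""
    return spki_sha256(old_der) != spki_sha256(new_der)

def pem_file_to_der(path):  # for real certificates: PEM file -> DER bytes
    with open(path) as fh:
        return ssl.PEM_cert_to_DER_cert(fh.read())

def _tlv(tag, value):
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def constructed_cert(serial, key_bytes):
    """Constructed, unsigned test structure laid out like an X.509 certificate."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    spki = seq(seq(), _tlv(0x03, b"\x00" + key_bytes))
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, bytes([serial])),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), _tlv(0x03, b"\x00"))

if __name__ == "__main__":
    old = constructed_cert(1, b"K" * 32)
    print(key_was_replaced(old, constructed_cert(2, b"K" * 32)),  # same key reissued
          key_was_replaced(old, constructed_cert(3, b"N" * 32)))  # new key pair
```

A result of `False` means the replacement was issued on the compromised key and must be regenerated from a fresh key pair before it is deployed.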