The difference is between SHA1- and SHA256-signed agent certificates; SHA256 certificates were introduced in Data Center Security (DCS) 6.7 MP2.
When a clean 6.7 MP2 manager is installed, the agent certificate is signed with SHA256. Many legacy agents (for example on Windows 2000) cannot understand this certificate.
When upgrading from an earlier DCS 6.x release to 6.7 MP2 or later, the existing SHA1 certificate format is kept.
The following errors are seen in SISIPSService.log:
CURLE_SSL_CONNECT_ERROR
"ssl connect error -- retry
unsuccessful registration -- communications error 35"
Older operating systems such as Windows 2000 and Windows NT do not support SHA256.
6.7 MP2
If you need a SHA1 certificate for agent communication, regenerate it with keytool. The three commands below delete the existing keystore entry, generate a new RSA key pair with a SHA1withRSA self-signed certificate, and export that certificate for the agents:
keytool.exe -delete -keystore "C:\TempDCS\server-cert.ssl" -alias sss -storepass [40-character alphanumeric string found in server.xml] -storetype PKCS12
keytool.exe -genkey -keystore "C:\TempDCS\server-cert.ssl" -alias sss -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -storetype PKCS12 -storepass [40-character alphanumeric string found in server.xml] -keypass [40-character alphanumeric string found in server.xml] -dname "CN=SCSP_Management_Server, OU=[SCSP server hostname]"
keytool.exe -export -alias sss -rfc -keystore "C:\TempDCS\server-cert.ssl" -file "C:\TempDCS\agent-cert.ssl" -storepass [40-character alphanumeric string found in server.xml] -storetype PKCS12
Example of the three commands with values filled in (the parts you must change for your environment are the 40-character store password taken from server.xml and the server hostname in the OU field):
keytool.exe -delete -keystore "C:\TempDCS\server-cert.ssl" -alias sss -storepass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -storetype PKCS12
keytool.exe -genkey -keystore "C:\TempDCS\server-cert.ssl" -alias sss -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -storetype PKCS12 -storepass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -keypass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -dname "CN=SCSP_Management_Server, OU=mymanager.symantec.com"
keytool.exe -export -alias sss -rfc -keystore "C:\TempDCS\server-cert.ssl" -file "C:\TempDCS\agent-cert.ssl" -storepass 9wuKhDnRfarhsOiBUqYZaaYn6lPq3gQQLPIpsCjU -storetype PKCS12
This creates a new SHA1-based agent certificate (C:\TempDCS\agent-cert.ssl) that older Windows agents can understand.
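Before swapping the certificates in, it is worth confirming which signature algorithm the exported agent-cert.ssl actually carries. The script below is an added example and is not part of this article or of the DCS product; it reads the outer signatureAlgorithm OID from a PEM certificate (the form keytool -export -rfc writes) or a raw DER one using a small DER reader, so no third-party library is needed, and reports whether the certificate is in the SHA1withRSA form that legacy agents accept. The sample certificates at the bottom are constructed stand-ins with dummy body contents, not real DCS certificates.

```python
import base64
import re

# OIDs of the two signature algorithms this article contrasts
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
}

def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_bytes):
    """Return the dotted OID from the certificate's outer signatureAlgorithm field.
    Accepts PEM (what 'keytool -export -rfc' writes) or raw DER."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        cert_bytes = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert_bytes))
    tag, cert, _ = _read_tlv(cert_bytes, 0)         # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, pos = _read_tlv(cert, 0)                  # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)             # signatureAlgorithm
    _, oid, _ = _read_tlv(alg_id, 0)                # its OBJECT IDENTIFIER
    return _decode_oid(oid)

def legacy_agent_compatible(cert_bytes):
    """True only when the cert is SHA1withRSA-signed, the form legacy agents accept."""
    return SIG_ALG_OIDS.get(signature_algorithm(cert_bytes)) == "SHA1withRSA"

# Constructed samples: dummy tbsCertificate and signature around a real AlgorithmIdentifier
SAMPLE_SHA1_DER = bytes.fromhex("3018 3003020101 300d0609 2a864886f70d010105 0500 030200ab")
SAMPLE_SHA256_DER = bytes.fromhex("3018 3003020101 300d0609 2a864886f70d01010b 0500 030200ab")
SAMPLE_SHA1_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_SHA1_DER)
                   + b"\n-----END CERTIFICATE-----\n")
```

To check a real export, call legacy_agent_compatible(open(r"C:\TempDCS\agent-cert.ssl", "rb").read()); a False result means the certificate is still SHA256-signed (or uses an algorithm not in the table) and the generate step should be repeated with -sigalg SHA1withRSA.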
You must replace the existing certificates with the ones created in the procedure above.
To replace the existing certificates:
Refer to this KB article for additional information: https://support.symantec.com/us/en/article.doc10574.html