Renewing the Symantec Endpoint Encryption Management Server TLS certificate

Article ID: 176302

Updated On:

Products

Endpoint Encryption, Desktop Email Encryption, Drive Encryption, Encryption Management Server, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Before the TLS certificate for Endpoint Encryption Management Server expires, you will need to replace it with a new certificate; otherwise, Endpoint Encryption clients will fail to connect.

Usually, you will not need to build and roll out a new Endpoint Encryption client.

Environment

Symantec Endpoint Encryption 11.3 and above.

Resolution

If the root certificate of the new Endpoint Encryption Management Server certificate is the same as the old one, the Endpoint Encryption clients will continue to trust the Endpoint Encryption Management Server certificate.

If the new Endpoint Encryption Management Server certificate has a different root certificate, the Endpoint Encryption clients will trust the Endpoint Encryption Management Server certificate provided that the Management Server's root certificate is in the Trusted Root Certification Authorities container of the Local Computer certificate store of the clients.

Once you have obtained a new server certificate for the Endpoint Encryption Management Server, please do the following:

1. The new server certificate must contain the Server Authentication attribute within the Enhanced Key Usage section. See article 172147 for more details. If it does not, the certificate cannot be used. All server certificates issued by well-known Certificate Authorities will contain the Server Authentication attribute, but this is not necessarily the case with certificates issued by internal Certificate Authorities.

2. The new server certificate must have the same Common Name (CN) as the old certificate. For example, see.example.com.

3. Ensure that the Endpoint Encryption clients trust the new certificate's root certificate. For the clients to trust the root certificate, it needs to be in the Trusted Root Certification Authorities container of the Local Computer Windows certificate store. Note that placing the root certificate in the Current User certificate store is not sufficient. If the new server certificate was issued by a well-known Certificate Authority, then it is likely that the root certificate will already be in the correct location within the Windows certificate store, so long as the latest Windows Updates have been installed. The same is likely to be true if the new server certificate was issued by your internal Certificate Authority, because the root certificate will usually have been rolled out to all clients in the Windows domain using group policy. However, it is essential to check that this requirement is met before replacing the server certificate.

4. Install the private certificate on the Endpoint Encryption Management Server. Import the *.p12 or *.pfx file into the Local Computer certificate store and accept the default location. Do not import it into the Current User certificate store.

5. Export either the public server certificate or the issuing root certificate to a DER format file. DER is a binary format and is the default format used by Windows to export public certificates.

6. In the Endpoint Encryption Management Server Configuration Manager, use the Server Certificate button to choose the appropriate server certificate from a list of the server certificates that are available in the Windows certificate store.

7. In the Endpoint Encryption Management Server Configuration Manager, use the CA Certificate button to browse to the DER format file containing either the root certificate or the server certificate. If you browse to the server certificate, Configuration Manager will automatically find the associated root certificate.

8. Configuration Manager will display the Thumbprint of the Server and CA certificates. Check these against the public certificates by opening both public certificates in Windows and checking the Thumbprint section in the Details tab.

9. Once you have saved the new settings in Configuration Manager, the Endpoint Encryption clients will continue to be able to connect to the Endpoint Encryption Management Server.
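The requirements in steps 1 to 3 and the thumbprints compared in step 8 can be checked with a script before the certificate is swapped. The following PowerShell is an added example, not part of the original article or of any Symantec tooling; the function name, parameter names and file names are assumptions, and both inputs are DER (.cer) exports of the public certificates. Run it on a client to test that client's Local Computer trust store.

```powershell
# Added example: pre-flight checks for a renewed server certificate.
# Function name, parameters and file names are hypothetical.
function Test-RenewedServerCertificate {
    param(
        [Parameter(Mandatory)][string]$OldCertPath,  # DER export of the expiring certificate
        [Parameter(Mandatory)][string]$NewCertPath   # DER export of the replacement certificate
    )
    $old = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $OldCertPath).ProviderPath)
    $new = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $NewCertPath).ProviderPath)

    # Step 1: Enhanced Key Usage must list Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    # A certificate with no EKU extension at all is treated as failing this check.
    $eku = $new.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))

    # Step 2: Common Name must match the old certificate.
    # SimpleName returns the CN when the subject has one.
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $oldCn = $old.GetNameInfo($simple, $false)
    $newCn = $new.GetNameInfo($simple, $false)

    # Step 3: build the chain, then require the root to be self-signed AND present in
    # LocalMachine\Root. The chain engine also reads CurrentUser stores, so a
    # successful Build() alone does not prove the Local Computer requirement.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not what is tested here
    [void]$chain.Build($new)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootFound = $root.Subject -eq $root.Issuer     # false if the chain is incomplete
    $rootInLocalMachine = $rootFound -and (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")

    [pscustomobject]@{
        HasServerAuthEku   = $hasServerAuth
        OldCommonName      = $oldCn
        NewCommonName      = $newCn
        CommonNameMatches  = ($oldCn -eq $newCn)
        RootSubject        = $root.Subject
        RootInLocalMachine = $rootInLocalMachine
        NewNotAfter        = $new.NotAfter
        ServerThumbprint   = $new.Thumbprint         # compare with Configuration Manager (step 8)
        RootThumbprint     = $root.Thumbprint        # compare with Configuration Manager (step 8)
    }
}

# Usage (file names are placeholders):
# Test-RenewedServerCertificate -OldCertPath .\old-server.cer -NewCertPath .\new-server.cer
```

If `RootInLocalMachine` is false while Windows still shows the certificate as trusted for the logged-on user, the root is most likely only in the Current User store, which step 3 states is not sufficient.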

Additional Information

257339 - How to Create and Assign a Subordinate/Intermediate Certificate for SMIME/Certificate Signing with PGP Server

155218 - HOW TO: Generate a new self-signed Organization Certificate for PGP Server for SMIME Email Encryption

180416 - How to Install an SSL Certificate for Symantec Encryption Management Server (PGP Server)

176302 - Renewing the Endpoint Encryption Management Server TLS certificate

180143 - HOW TO: Work with Trusted Keys and Certificates on Symantec Encryption Management Server