This document is intended for organizations that do not have formal Public Key Infrastructure (PKI) policies and procedures. It provides guidance on how to replace the default self-signed Symantec Endpoint Protection Manager (SEPM) certificate with a Certificate Authority (CA) signed certificate. Organizations with formal PKI policies and procedures should follow their internal process to obtain a CA-signed certificate for their SEPMs.
Always consult with your PKI team, and/or CA before choosing to use the SEPM default self-signed certificate. This certificate may not meet the organizational or CA requirements.
If the default self-signed SEPM certificate meets the requirements of your organization, locate the certificate and its private key in the SEPM installation folder:
Always consult your PKI team, and/or CA to confirm if there are any special requirements for the Certificate Signing Request (CSR) needed to generate the CA-signed certificate. If no there are no specific requirements use the following steps to generate a CSR and provide this to the CA using their required method:
c:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin
openssl.exe req -config ..\conf\ssl\openssl.cnf -new -sha256 -key ..\conf\ssl\server.key -out ..\conf\ssl\server.csr
openssl.exe req -config ..\conf\ssl\openssl.cnf -nodes -new -sha256 -keyout ..\conf\ssl\newserver.key -out ..\conf\ssl\newserver.csr
|Country Name||The Country of the organization headquarters|
|State or Province Name||The State or Province of the organization headquarters|
|Locality Name||The City of the organization headquarters|
|Organization Name||The legal name of the organization|
|Organizational Unit||The department of the organization responsible for the SEPM|
|Common Name||The fully qualified domain name of the SEPM clients will use to connect to|
|Email Address||The email address of the entity in the organization responsible for the SEPM|
|Challenge Password||Leave blank unless required by the CA|
|Optional Company name||
Leave blank unless required by the CA
The CSR file will be located at c:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.csr
Provide the CSR to the CA using the CA defined process. The CA will respond with a copy of the certificate digitally signed by the CA. The response should also contain the certificate chain in one or more file formats.