This document is intended for organizations that do not have formal Public Key Infrastructure (PKI) policies and procedures. It provides guidance on how to replace the default self-signed Symantec Endpoint Protection Manager (SEPM) certificate with a Certificate Authority (CA) signed certificate. Organizations with formal PKI policies and procedures should follow their internal process to obtain a CA-signed certificate for their SEPMs.
Always consult with your PKI team, and/or CA before choosing to use the SEPM default self-signed certificate. This certificate may not meet the organizational or CA requirements.
If the default self-signed SEPM certificate does not meet the requirements of your organization, locate the certificate and its private key in the SEPM installation folder (the private key is SEPM\apache\conf\ssl\server.key, referenced in the steps below).
Always consult your PKI team and/or CA to confirm whether there are any special requirements for the Certificate Signing Request (CSR) needed to generate the CA-signed certificate. If there are no specific requirements, use the following steps to generate a CSR and provide it to the CA using their required method. (NOTE: To add SAN attributes to the CSR, see the *NOTE below.)
Open a command prompt in c:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin and run one of the following commands. To generate the CSR from the existing SEPM private key (server.key):

```
openssl.exe req -config ..\conf\ssl\openssl.cnf -new -sha256 -key ..\conf\ssl\server.key -out ..\conf\ssl\server.csr
```

To generate a new private key together with the CSR instead (-nodes writes the new key unencrypted):

```
openssl.exe req -config ..\conf\ssl\openssl.cnf -nodes -new -sha256 -keyout ..\conf\ssl\newserver.key -out ..\conf\ssl\newserver.csr
```

openssl.exe prompts for the following fields:

| Field | Explanation |
|---|---|
| Country Name | The Country of the organization headquarters |
| State or Province Name | The State or Province of the organization headquarters |
| Locality Name | The City of the organization headquarters |
| Organization Name | The legal name of the organization |
| Organizational Unit | The department of the organization responsible for the SEPM |
| Common Name | The fully qualified domain name of the SEPM that clients will use to connect to it |
| Email Address | The email address of the entity in the organization responsible for the SEPM |
| Challenge Password | Leave blank unless required by the CA |
| Optional Company Name | Leave blank unless required by the CA |

The CSR file will be located at c:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.csr (or newserver.csr if you generated a new key).
*NOTE: To include Subject Alternative Name (SAN) attributes in your CSR, do the following:
a. Make a backup copy of SEPM\apache\conf\ssl\openssl.cnf and store it in another directory.
b. Edit SEPM\apache\conf\ssl\openssl.cnf using Notepad / Notepad++.
c. Find the following line: # req_extensions = v3_req, and uncomment it (if applicable).
d. On line 211 ([ v3_req ]), add the following:

```
[ v3_req ]
subjectAltName = @alt_names # This links to the section defining SANs
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Extensions to add to a certificate request
[ alt_names ]
DNS.1 = SEPM1.example.com
DNS.2 = SEPM2.example.com
IP.1 = x.x.x.x
IP.2 = x.x.x.x
etc
...
```

NOTE: DNS.1 and IP.1 should refer to the same SEPM host, DNS.2 and IP.2 to the next, and so on.
e. Once the edit is done, save the file and proceed with the CSR generation steps above.
NOTE: Once the CSR has been signed by the CA, the SAN attributes should now show in the certificate.
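Before submitting the CSR, it is worth confirming that the SANs actually made it into the request and that the CSR belongs to the private key you intend to keep. The following script is an added example, not part of the original article or of the SEPM product: it builds a minimal openssl.cnf with the same [ v3_req ] / [ alt_names ] layout as the edits above, generates a key and CSR the same way as the second command, and checks the result. Host names, addresses and the WORK scratch directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the KB article): generate a SAN-bearing CSR using
# the [ v3_req ] / [ alt_names ] layout described above, then verify it.
# Host names/addresses are constructed placeholders; WORK is a scratch dir.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Minimal config equivalent to steps c and d (req_extensions uncommented,
# SANs listed under [ alt_names ]).
write_cnf() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C  = US
O  = Example Corp
CN = SEPM1.example.com
[ v3_req ]
subjectAltName = @alt_names
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ alt_names ]
DNS.1 = SEPM1.example.com
DNS.2 = SEPM2.example.com
IP.1 = 192.0.2.10
IP.2 = 192.0.2.11
EOF
}
# Same shape as the page's second command (new key + CSR); -newkey is
# added so the key size does not depend on the config's default_bits.
gen_csr() {
    write_cnf
    openssl req -config "$WORK/openssl.cnf" -nodes -new -sha256 \
        -newkey rsa:2048 -keyout "$WORK/newserver.key" \
        -out "$WORK/newserver.csr" 2>/dev/null
}
# Pre-submission checks: CSR self-signature verifies, every expected SAN
# is present, and the CSR public key matches the private key on disk.
check_csr() {
    txt=$(openssl req -in "$WORK/newserver.csr" -noout -text -verify 2>&1) || return 1
    for san in 'DNS:SEPM1.example.com' 'DNS:SEPM2.example.com' \
               'IP Address:192.0.2.10' 'IP Address:192.0.2.11'; do
        printf '%s\n' "$txt" | grep -q "$san" || return 2
    done
    [ "$(openssl req -in "$WORK/newserver.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/newserver.key" -pubout)" ] || return 3
}
```

Running `gen_csr && check_csr` exits 0 only when all checks pass; the same check_csr logic can be pointed at the real server.csr and server.key before the request goes to the CA.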
Provide the CSR to the CA using the CA defined process. The CA will respond with a copy of the certificate digitally signed by the CA. The response should also contain the certificate chain in one or more file formats.
Update Symantec Endpoint Protection Manager with the Certificate Authority response
Follow the steps in "Update the server certificate on the management server without breaking communications with the client". Choose "Certificate and Private Key file" when prompted by the SEPM certificate update wizard. The certificate file is the one returned by your CA. The private key is the existing one in SEPM\apache\conf\ssl\server.key (or newserver.key if you generated a new key when creating the CSR).