This document is intended for organizations that do not have formal Public Key Infrastructure (PKI) policies and procedures. It provides guidance on how to replace the default self-signed Symantec Endpoint Protection Manager (SEPM) certificate with a Certificate Authority (CA) signed certificate. Organizations with formal PKI policies and procedures should follow their internal process to obtain a CA-signed certificate for their SEPMs.
Always consult with your PKI team, and/or CA before choosing to use the SEPM default self-signed certificate. This certificate may not meet the organizational or CA requirements.
If the default self-signed SEPM certificate does not meet the requirements of your organization, locate the existing certificate and its private key (server.key) under the SEPM installation folder in apache\conf\ssl; the private key is reused when the CA-signed certificate is installed.
Always consult your PKI team and/or CA to confirm whether there are any special requirements for the Certificate Signing Request (CSR) used to generate the CA-signed certificate. If there are no specific requirements, use the following steps to generate a CSR and provide it to the CA using their required method.

Open a command prompt in the SEPM apache\bin folder:

```
c:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\bin
```

To generate a CSR that reuses the existing SEPM private key (server.key):

```
openssl.exe req -config ..\conf\ssl\openssl.cnf -new -sha256 -key ..\conf\ssl\server.key -out ..\conf\ssl\server.csr
```

Alternatively, to generate a new unencrypted private key (newserver.key) together with its CSR:

```
openssl.exe req -config ..\conf\ssl\openssl.cnf -nodes -new -sha256 -keyout ..\conf\ssl\newserver.key -out ..\conf\ssl\newserver.csr
```

The command prompts for the following fields:
| Field | Explanation |
|---|---|
| Country Name | The country of the organization headquarters |
| State or Province Name | The state or province of the organization headquarters |
| Locality Name | The city of the organization headquarters |
| Organization Name | The legal name of the organization |
| Organizational Unit | The department of the organization responsible for the SEPM |
| Common Name | The fully qualified domain name of the SEPM that clients will use to connect to it |
| Email Address | The email address of the entity in the organization responsible for the SEPM |
| Challenge Password | Leave blank unless required by the CA |
| Optional Company Name | Leave blank unless required by the CA |
The CSR file will be located at c:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.csr (or newserver.csr if you generated a new private key with the second command).
Provide the CSR to the CA using the CA defined process. The CA will respond with a copy of the certificate digitally signed by the CA. The response should also contain the certificate chain in one or more file formats.
NOTE: these steps do not include Subject Alternative Name (SAN) entries. Ensure that the certificate generated for the server has a SAN attribute containing the relevant entries (IP addresses, DNS names, etc.).
Follow the steps in "Update the server certificate on the management server without breaking communications with the client". Choose "Certificate and Private Key file" when prompted by the SEPM certificate update wizard. The certificate file is the one returned by your CA. The private key is the existing one in SEPM\apache\conf\ssl\server.key (or newserver.key, if you generated a new key with the second openssl command above).
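As an added example, not part of the original article or of the SEPM product, the following POSIX shell script walks through the CSR steps above with the SAN entries the note calls for, and then performs the check a practitioner wants before feeding files to the certificate update wizard: it writes a small OpenSSL config that supplies the subject fields and a subjectAltName non-interactively, generates a new key and CSR in the same form as the article's second command, verifies the CSR's signature and SAN contents before it is sent to the CA, and confirms that a certificate's public key matches the private key that will be paired with it. The subject values, hostnames and IP address are constructed placeholders, and because no CA is reachable here a self-signed stand-in certificate is produced from the CSR purely to exercise the key-match check; in practice the certificate is the one the CA returns.

```shell
#!/bin/sh
# Added example, not from the original article. Subject values, hostnames and
# the IP address are constructed placeholders; replace them with your SEPM's.
set -eu

WORK="${TMPDIR:-/tmp}/sepm-csr-example"
mkdir -p "$WORK"

# OpenSSL config that answers the CSR prompts non-interactively and adds
# the Subject Alternative Name entries the article's default steps omit.
write_config() {
    cat > "$WORK/sepm-csr.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
C  = US
ST = Example State
L  = Example City
O  = Example Org
OU = Endpoint Security
CN = sepm.example.internal
emailAddress = sepm-admins@example.internal

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = sepm.example.internal
DNS.2 = sepm
IP.1  = 192.0.2.10
EOF
}

# Same form as the article's second command: a new unencrypted key plus its CSR.
make_csr() {
    openssl req -config "$WORK/sepm-csr.cnf" -nodes -new -sha256 \
        -newkey rsa:2048 -keyout "$WORK/newserver.key" \
        -out "$WORK/newserver.csr" 2>/dev/null
}

# Verify the CSR's self-signature and confirm the CN and every expected SAN
# entry are present. Returns 0 on success, 1 with a reason on stderr otherwise.
check_csr() {
    text=$(openssl req -in "$WORK/newserver.csr" -noout -verify -text 2>/dev/null) || return 1
    for want in "DNS:sepm.example.internal" "DNS:sepm" "IP Address:192.0.2.10"; do
        case "$text" in
            *"$want"*) ;;
            *) echo "CSR is missing SAN entry: $want" >&2; return 1 ;;
        esac
    done
    # OpenSSL 1.1 and later print "CN = x"; older releases print "CN=x".
    case "$text" in
        *"CN = sepm.example.internal"*|*"CN=sepm.example.internal"*) ;;
        *) echo "CSR has an unexpected Common Name" >&2; return 1 ;;
    esac
}

# Compare the public key inside a certificate with the one derived from a
# private key; a mismatch means the wizard would be given the wrong pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-in for the CA's response (self-signed from the CSR) so the key-match
# check can run offline; in practice use the certificate the CA returns.
make_standin_cert() {
    openssl x509 -req -in "$WORK/newserver.csr" -signkey "$WORK/newserver.key" \
        -days 1 -out "$WORK/standin.crt" 2>/dev/null
}

write_config
make_csr
check_csr && echo "CSR ready for the CA: $WORK/newserver.csr"
make_standin_cert
key_matches_cert "$WORK/standin.crt" "$WORK/newserver.key" \
    && echo "certificate and private key match"
```

The openssl options are the same ones the article passes to openssl.exe, so on the SEPM host the generated config file can be given to openssl.exe with -config in place of ..\conf\ssl\openssl.cnf; the key-match check is worth running against the CA-returned certificate and the key you intend to select in the wizard.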