By default the Symantec Endpoint Detection and Response (SEDR) appliance generates a self-signed certificate for the IP address of the management console. Follow these steps if a custom SSL certificate is needed for the SEDR appliance. For SEP clients and administrators' browsers to trust the connection to the appliance's DNS name, a certificate signed by a trusted authority must be installed on the appliance.
Steps for creating a CSR:
Note: The steps below for creating a CSR request are for any certificate type or request, they are not product specific.
Log into the command line of a Linux box or a Linux emulator (Like Cygwin64 Terminal). Do not use the SEDR appliance.
Create the configuration file sedr.conf in a text editor such as vi with the following contents:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = CA
L = City
O = YourOrganization
OU = YourOrganizationUnit
CN = sedr.example.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = sedr-5.example.test
IP.1 = 10.10.10.101
IP.2 = 22.214.171.124
DNS.2 = sedr2.example.net
Save the file by pressing <esc> :wq!
At the prompt type in: openssl req -newkey rsa:4096 -sha256 -nodes -keyout sedr.privkey.key -config sedr.conf -out sedr.csr
Note: This will generate two files: a CSR called 'sedr.csr' and a 4096-bit private key called 'sedr.privkey.key'.
Once you receive the certificate and all intermediate/root CAs in PEM format, you will need to review the Certification Path tab and open each certificate in the chain:
Open the .CER files in a text editor, such as notepad.exe, and paste the certificates in this order to build the chained BASE64-encoded certificate:
(Primary SSL certificate: sedr.crt)
(Intermediate certificate: Intermediate CA.crt)
(Root certificate: ca.crt)
Save the file as sedr.crt and proceed to install the certificate into the SEDR web interface.
Steps for creating a Self Signed Certificate for SEDR
Log into the command line of a Linux computer, or Linux emulator on a Windows computer (Like Cygwin64 Terminal). NOTE: Do not use the SEDR appliance.
Create a file named sedr.ext containing the Subject Alternative Name entry for the appliance, for example:
subjectAltName = DNS:example.corp.net, IP:10.2.2.1
At the command line, in the directory containing the sedr.csr and sedr.privkey.key files from the CSR steps above, type in:
openssl x509 -req -in sedr.csr -signkey sedr.privkey.key -days 3650 -sha256 -out sedr.crt -extfile sedr.ext
Once you have stepped through the commands above, you should have 'sedr.crt' and the private key 'sedr.privkey.key' (the key generated in the CSR step and passed to -signkey).
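The CSR and self-signed steps above, as an added example that is not from the KB article: it writes a sedr.conf with the same layout, generates the key and CSR, self-signs with a sedr.ext file, and then checks that the SAN ended up in the certificate. Hostnames and IP addresses are constructed sample values.

```shell
# Added example, not from the KB article: runs the CSR and self-signing
# steps above in a scratch directory, then checks the resulting SAN.
# Hostnames and IPs are constructed sample values.

# Write the request config with the same layout as sedr.conf above.
write_sedr_conf() {
  cat > "$1/sedr.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = CA
L = City
O = YourOrganization
OU = YourOrganizationUnit
CN = sedr.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = sedr.example.com
IP.1 = 10.10.10.101
EOF
}

# Generate key + CSR (prompt = no, so nothing is asked interactively), then
# self-sign. The SAN is repeated in sedr.ext because x509 -req does not copy
# extensions from the CSR. Prints the path of the certificate.
make_selfsigned() {
  dir="$1"
  write_sedr_conf "$dir"
  openssl req -newkey rsa:4096 -sha256 -nodes -keyout "$dir/sedr.privkey.key" \
    -config "$dir/sedr.conf" -out "$dir/sedr.csr" 2>/dev/null
  printf 'subjectAltName = DNS:sedr.example.com, IP:10.10.10.101\n' > "$dir/sedr.ext"
  openssl x509 -req -in "$dir/sedr.csr" -signkey "$dir/sedr.privkey.key" \
    -days 3650 -sha256 -out "$dir/sedr.crt" -extfile "$dir/sedr.ext" 2>/dev/null
  echo "$dir/sedr.crt"
}

# Return 0 if the certificate's SAN extension lists the given DNS name.
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
    grep -q "DNS:$2"
}
```

Running `cert_has_dns_san` against a certificate before uploading it confirms the DNS name the appliance will be reached by is actually present, which is what SEP clients will check.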
Steps to add the certificate and private key into SEDR web interface:
Log into the SEDR Appliance.
Click on Settings -> Global and scroll down to "SSL Certificate"
Click on "Edit Certificate"
Click on "Browse" for the Certificate and load the "sedr.crt"
Click on "Browse" for the Unencrypted Private Key and load the private key file ("sedr.privkey.key" from the steps above).
Click on "Upload" button.
You should now see the FQDN from the certificate:
To Distribute the new certificate to SEPM, click on the three dots showing in the screen shot to get a menu and select "SEP Policies".
Now enter the FQDN for the appliance:
Click on the "Save" button and this will push the new certificate to the SEPM server as a Private Insight policy.
Note: The SEP clients will get the new certificate when they check in to the SEPM server. To have the client get the certificate earlier you can right click on the SEP icon and click on "Update Policy".
When adding the Subject Alternative Name (SAN) values, an IP address cannot be placed in a DNS entry (DNS.1 = ... or DNS:...). Use the IP entry (IP.1 = ... or IP:...) for IP addresses.