Create and install a certificate to the SEDR Management appliance
Article ID: 178801

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

By default, the Symantec Endpoint Detection and Response (SEDR) appliance generates a self-signed certificate for the IP address of the management console. Follow these steps if a custom SSL certificate is needed for the appliance. For SEP clients and administrators' browsers to trust the connection to the appliance's DNS name, a certificate signed by a trusted certificate authority must be installed on the appliance.

Environment

SEDR 4.X

Resolution

Prerequisites:

  1. When creating a certificate for SEP Private Cloud, the certificate must use SHA2.
  2. The appliance does not accept an encrypted private key.

    Note: As of SEDR 4.6, a Subject Alternative Name value is required.

Steps for creating a CSR:

Note: The steps below for creating a CSR apply to any certificate type or request; they are not product specific.

  1. Log into the command line of a Linux computer or a Linux emulator (such as the Cygwin64 Terminal). Do not use the SEDR appliance.

  2. Build the config file for the CSR with the 'vi' command:

    vi sedr.conf

    Example contents for sedr.conf:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = CA
    L = City
    O = YourOrganization
    OU = YourOrganizationUnit
    CN = sedr.example.com
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = sedr2.example.com
    IP.1 = 192.0.2.10
    IP.2 = 192.0.2.50
    DNS.2 = sedr3.example.com

    Save the file by pressing <esc> and typing :wq!

    Note: The 'CN' field (Common Name) is where you enter the fully qualified domain name of the SEDR appliance.
    Note: For wildcard certificates, the Common Name should be in the format *.mydomain.com
    Note: The 'extra' attributes (the [v3_req] and [alt_names] sections) are now required; list every DNS name or IP address by which the appliance will be reached in the [alt_names] section.

  3. At the prompt type:

    openssl req -newkey rsa:4096 -sha256 -nodes -keyout sedr.privkey.key -config sedr.conf -out sedr.csr

    Note: This generates two files: a CSR called 'sedr.csr' and a 4096-bit private key called 'sedr.privkey.key'. The -nodes option leaves the private key unencrypted, which the appliance requires.

  4. Your CSR is now generated. Open the 'sedr.csr' file in a text editor and copy and paste its contents into your Certificate Authority's enrollment form when requested.
  5. Once you receive the certificate and all intermediate/root CAs in PEM format, review the Certification Path tab and open each certificate in the chain:

  6. Under the Details tab, click Copy to File and choose Base-64.
  7. Open the .CER files in a text editor, such as notepad.exe, and paste the certificates in this order to build the chained BASE64-encoded certificate:

    -----BEGIN CERTIFICATE-----
    (Primary SSL certificate: sedr.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate certificate: Intermediate CA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Root certificate: ca.crt)
    -----END CERTIFICATE-----

  8. Save the file as sedr.crt and proceed to install the certificate into the SEDR web interface.

Steps for creating a Self Signed Certificate for SEDR

  1. Log into the command line of a Linux computer, or a Linux emulator on a Windows computer (such as the Cygwin64 Terminal). NOTE: Do not use the SEDR appliance.

  2. Follow the steps above to create the sedr.csr file and its private key sedr.privkey.key.
  3. Create an extension file to provide the Subject Alternative Name(s):

    vi sedr.ext

    Example contents for sedr.ext:
    subjectAltName = DNS:sedr1.example.com, IP:192.0.2.10

  4. At the command line type:

    openssl x509 -req -in sedr.csr -signkey sedr.privkey.key -days 3650 -sha256 -out sedr.crt -extfile sedr.ext

  5. You should now have a self-signed certificate 'sedr.crt' (valid for 3650 days) and the private key 'sedr.privkey.key'.
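As an added end-to-end example (not part of the original article), the script below writes the article's sample sedr.conf and sedr.ext, runs the key/CSR and self-signed openssl steps from the two sections above, and then checks the resulting certificate and key against the prerequisites (SHA2, unencrypted key, a Subject Alternative Name, no IP address placed in a DNS entry) before they are uploaded. It assumes openssl is on PATH; the check_sedr_cert function and its FAIL messages are constructed for this example and are not part of SEDR.

```shell
# Added example (not from the article): run the article's key/CSR and self-signed
# steps non-interactively with its sample sedr.conf/sedr.ext values, then check the
# result against the SEDR prerequisites before upload. Assumes openssl is on PATH.

write_sedr_config() {
  cat > sedr.conf <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = CA
L = City
O = YourOrganization
OU = YourOrganizationUnit
CN = sedr.example.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = sedr2.example.com
IP.1 = 192.0.2.10
EOF
  printf 'subjectAltName = DNS:sedr1.example.com, IP:192.0.2.10\n' > sedr.ext
}

# Article CSR step 3 and self-signed step 4; -nodes leaves the key unencrypted.
make_self_signed() {
  openssl req -newkey rsa:4096 -sha256 -nodes -keyout sedr.privkey.key \
    -config sedr.conf -out sedr.csr 2>/dev/null &&
  openssl x509 -req -in sedr.csr -signkey sedr.privkey.key -days 3650 -sha256 \
    -out sedr.crt -extfile sedr.ext 2>/dev/null
}

# Pre-upload checks (SHA-2, SAN present, no IP in a DNS entry, plain key, key matches cert).
check_sedr_cert() {
  cert="$1"; key="$2"; ok=0
  text=$(openssl x509 -in "$cert" -noout -text) || return 1
  echo "$text" | grep -Eq 'Signature Algorithm: sha(256|384|512)' || { echo "FAIL: not SHA-2"; ok=1; }
  san=$(echo "$text" | grep -A1 'Subject Alternative Name' | tail -n 1)
  [ -n "$san" ] || { echo "FAIL: no Subject Alternative Name"; ok=1; }
  echo "$san" | grep -Eq 'DNS:[0-9]+(\.[0-9]+){3}' && { echo "FAIL: IP address in a DNS entry"; ok=1; }
  grep -q ENCRYPTED "$key" && { echo "FAIL: private key is encrypted"; ok=1; }
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
    { echo "FAIL: key does not match certificate"; ok=1; }
  return $ok
}
```

Source the file in an empty working directory, then run write_sedr_config, make_self_signed and check_sedr_cert sedr.crt sedr.privkey.key; a zero exit status means the pair is ready to upload.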


Steps to add the certificate and private key into SEDR web interface:

  1. Log into the SEDR Appliance.

  2. Click on Settings -> Global and scroll down to "SSL Certificate"

  3. Click on "Edit Certificate"

  4. Click on "Browse" for the Certificate and load the "sedr.crt"

  5. Click on "Browse" for the Unencrypted Private Key and load the "sedr.privkey.key" created by the openssl req command above.
  6. Click on "Upload" button.

  7. You should now see the FQDN from the certificate:


To Distribute the new certificate to SEPM

  1. Click on the three dots shown in the screen shot to open the menu and select "SEP Policies".
  2. Enter the FQDN for the appliance:
  3. Click on the "Save" button; this pushes the new certificate to the SEPM server as a Private Insight policy.

Note: SEP clients receive the new certificate when they next check in to the SEPM server. To have a client get the certificate sooner, right-click the SEP icon and click "Update Policy".

Additional Information

When adding Subject Alternative Name (SAN) values, you cannot put an IP address in the DNS field; you must use the IP Address field. In the [alt_names] section of sedr.conf this looks as follows:

Correct: IP.1 = 192.0.2.10

Incorrect: DNS.1 = 192.0.2.10