How to add Certificate Chain to Symantec Endpoint Protection Manager (SEPM).
This document describes the process of manually importing the certificates necessary for a Symantec Endpoint Protection Manager (SEPM) to present the entire chain of trust for its TLS certificate to Symantec Endpoint Protection (SEP) clients, to the local and remote Java consoles, and to the Web console.
If your SEPM certificate was issued through one or more intermediate CAs (Certificate Authorities), so that its issuer path looks like:
RootCA> IntermediateCA1> IntermediateCA2> etc> myserver.example.net
then you may optionally install that chain of CA certificates by following the instructions below. Without the chain, a remote client that has only the RootCA certificate in its store cannot build a path from the SEPM certificate to a trusted root and will reject the connection; serving the intermediates lets such clients verify the SEPM certificate. The certificate chain is simply a plaintext file of all the CA public certificates concatenated together, starting with the CA that issued the SEPM certificate and working up toward the root:
-----BEGIN CERTIFICATE-----
[Base64-encoded-cert]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Base64-encoded-cert]
-----END CERTIFICATE-----
etc
NOTE: This process is not supported, and customers should follow it at their own risk. The steps are written assuming that the reader understands how PKI works and is familiar with the kinds of files and formats in which certificates and keys are normally found. Before following this procedure, ensure you understand the concept of a Public Key Infrastructure, and that you have already obtained a valid certificate from a Certificate Authority (CA) whose root certificate is included in the Windows Trusted Root Certification Authorities store.
Import the certificate provided by your CA, following the separate article "Update the server certificate on the SEPM without breaking communications with the client".
Your CA should provide you with a chain certificate in Privacy Enhanced Mail (PEM) format. This file will contain one or more Base64-encoded certificates, one for each link in the chain of trust between your SEPM certificate and the Root CA. If you did not obtain a copy of your CA's chain certificate, contact your CA for assistance in generating this file.
Rename your CA certificate chain file to server-ca.crt and copy it to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl.
Back up the SEPM Apache SSL configuration file (under the apache\conf directory) and open the original in a text editor. The SSLCertificateChainFile directive ships commented out next to SSLCertificateFile; remove the leading # so that Apache serves the chain to SEP clients.
From:
#SSLCertificateChainFile "conf/ssl/server-ca.crt"
SSLCertificateFile "conf/ssl/server.crt"
To:
SSLCertificateFile "conf/ssl/server.crt"
SSLCertificateChainFile "conf/ssl/server-ca.crt"
Back up the server.xml of the Tomcat instance that hosts the Server <Connector> (port 8443) and open the original in a text editor. Add an SSLCertificateChainFile attribute referencing the chain certificate to that <Connector> tag.
For example:
<!-- Server -->
<Connector SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="<HashedKeystorePass>" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>
To:
<!-- Server -->
<Connector SSLCertificateChainFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server-ca.crt" SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="<HashedKeystorePassword>" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>
Create a copy of C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\instances\sepm-api\conf\server.xml and open the original in a text editor.
Add an SSLCertificateChainFile attribute referencing the chain certificate to the WebService <Connector> tag.
For example:
<Service name="WebService">
<Connector SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" clientAuth="want" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="<HashedKeystorePass>" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>
To:
<Service name="WebService">
<Connector SSLCertificateChainFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server-ca.crt" SSLCertificateFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.crt" SSLCertificateKeyFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\apache\conf\ssl\server.key" SSLCipherSuite="HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!3DES:!RC4" SSLEnabled="true" SSLHonorCipherOrder="true" SSLProtocol="TLSv1.2" Server="SEPM" acceptCount="100" allowTrace="false" allowUnsafeLegacyRenegotiation="false" clientAuth="want" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" keystorePass="<HashedKeystorePassword>" maxHeaderCount="100" maxParameterCount="1000" maxPostSize="2097152" maxSavePostSize="4096" port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol" scheme="https" secure="true" useBodyEncodingForURI="true" xpoweredBy="false"/>
Note: In 12.1 there is only one instance of Tomcat, so both connectors live in a single server.xml located in tomcat/conf; add the SSLCertificateChainFile attribute to each <Connector> in that one file. The new chain is only served after the SEPM services have been restarted, since Apache and Tomcat read their configuration at start-up.
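The chain file this procedure installs can be assembled and checked before it is copied to the SEPM, and the result can be confirmed from any machine with openssl once the services are restarted. The POSIX shell script below is an added example, not part of this article and not SEPM's own tooling. It builds a throwaway Root > Intermediate 1 > Intermediate 2 > server PKI with openssl (every name, including sepm.example.net and the serial numbers, is constructed for the demo), writes server-ca.crt with the certificates in the order SSLCertificateChainFile expects (the issuer of the server certificate first, then its issuer, and so on), verifies the server certificate the way a client that trusts only the root would, and includes a helper to inspect the chain a live SEPM presents on port 8443 or 8446. The helper names `issue_cert`, `order_chain`, `verify_chain` and `show_presented_chain` are this example's own; `show_presented_chain` needs network access to a real SEPM and is not invoked by the demo.

```shell
#!/bin/sh
# Added example, not from the SEPM article: build a test PKI, assemble the
# server-ca.crt chain file in the order Apache/Tomcat expect, and verify it.
# Every name below (Example Root CA, sepm.example.net, serials) is constructed.
set -e

# issue_cert <dir> <name> <subject> <ext section> <issuer name> <serial>
# Generates a fresh key and CSR for <name> and signs it with the issuer's key;
# the certificate extensions come from the named section of ext.cnf.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" -config "$1/ext.cnf" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.crt" -CAkey "$1/$5.key" \
    -set_serial "$6" -days 30 -sha256 -extfile "$1/ext.cnf" -extensions "$4" \
    -out "$1/$2.crt" 2>/dev/null
}

# Constructed test data: Root CA > Intermediate CA 1 > Intermediate CA 2 > server.
make_demo_pki() {
  d="$1"; mkdir -p "$d"
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = req
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sepm.example.net
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.crt" \
    -config "$d/ext.cnf" -extensions ca 2>/dev/null
  issue_cert "$d" int1   "/CN=Example Intermediate CA 1" ca   root 1001
  issue_cert "$d" int2   "/CN=Example Intermediate CA 2" ca   int1 1002
  issue_cert "$d" server "/CN=sepm.example.net"          leaf int2 1003
}

# dn_of <subject|issuer> <cert>: print the DN without the "subject="/"issuer="
# prefix, so the issuer of one certificate can be compared with the subject of another.
dn_of() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

# order_chain <leaf> <out> <ca cert>...
# Writes the CA certificates to <out> in the order SSLCertificateChainFile needs:
# the leaf's issuer first, then that certificate's issuer, and so on. Inputs may be
# given in any order; a self-signed root is included if supplied (optional, since
# clients must already trust it); a missing link is an error, because Apache and
# Tomcat would otherwise serve a chain that clients still cannot complete.
order_chain() {
  leaf="$1"; out="$2"; shift 2
  : > "$out"
  want=$(dn_of issuer "$leaf")
  n=$#
  while [ "$n" -gt 0 ]; do
    found=""
    for c in "$@"; do
      if [ "$(dn_of subject "$c")" = "$want" ]; then found="$c"; break; fi
    done
    [ -n "$found" ] || { echo "chain is missing the certificate for: $want" >&2; return 1; }
    cat "$found" >> "$out"
    issuer=$(dn_of issuer "$found")
    [ "$issuer" != "$want" ] || return 0   # self-signed: reached the root, stop
    want="$issuer"
    n=$((n - 1))
  done
}

# Verify the leaf as a client that trusts only the root CA would, treating the
# chain file as untrusted intermediates. Exit status 0 means the chain is complete.
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3"; }

# Inspect what a live SEPM sends after the change (needs network access; not run
# by the demo). Depth 0 must be the server certificate, followed by each
# intermediate. 8443 is the console connector, 8446 the WebService connector.
show_presented_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/^Certificate chain/,/^---$/p'
}

demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  # CA certs passed deliberately out of order; the chain file still comes out right.
  order_chain "$d/server.crt" "$d/server-ca.crt" "$d/root.crt" "$d/int1.crt" "$d/int2.crt"
  echo "chain file order:"
  openssl crl2pkcs7 -nocrl -certfile "$d/server-ca.crt" | openssl pkcs7 -print_certs -noout | grep subject
  verify_chain "$d/root.crt" "$d/server-ca.crt" "$d/server.crt"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh chain-check.sh demo` to see the ordered chain and the `server.crt: OK` verdict. For a real deployment, feed `order_chain` your own SEPM server.crt and the CA certificates your CA supplied, copy the output into place as server-ca.crt, restart the SEPM services, and then compare `show_presented_chain sepm.example.net 8443` (and 8446) against the chain file: every intermediate in the file should appear in the "Certificate chain" section, in the same order, directly below the server certificate at depth 0.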