Update the server certificate on the management server without breaking communications with the client


Article ID: 187099


Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection Manager uses a certificate to authenticate communications between it and the Symantec Endpoint Protection clients. The certificate also digitally signs the policy files and installation packages that the client downloads from it. The clients store a cached copy of the certificate in the management server list. If the certificate is corrupted or invalid, the clients cannot communicate with the server. If you disable secure communications, then the clients can still communicate with the server, but do not authenticate communications from the management server.

You disable secure communications to update the certificate in the following situations:

  • A site with a single Symantec Endpoint Protection Manager

  • A site with more than one Symantec Endpoint Protection Manager, if you cannot enable failover or load balancing


Note: If the certificate is corrupted but otherwise still valid, you can perform disaster recovery as a best practice.
See Disaster recovery best practices for Endpoint Protection.

Resolution

After you update the certificate and the clients check in and receive it, enable secure communications again.

When you update the certificate on a site with multiple management servers and use failover or load balancing, the certificate updates on the management server list. During the process of failover or load balancing, the client receives the updated management server list and the new certificate.

To update the server certificate on a single management server site without breaking communications with the client

  1. On the console, click Policies > Policy Components > Management Server Lists.

  2. Find the Management Server List that your clients are using (e.g. Default Management Server List), then under Tasks, click Copy the List, and then click Paste List.

  3. Double-click the copy of the list you just created to edit it, and then make the following changes:

    - Click Use HTTP protocol.

    - For each server address under Management Servers, click Edit, and then click Customize HTTP port. Enter a custom port here if needed; otherwise leave it at the default of 8014.

  4. Click OK, and then click OK again.

  5. Right-click the copy of the list, and then click Assign. Assign this list to all of your groups and locations.

  6. On the console, click Clients > Policies > General.

  7. On the Security Settings tab, uncheck Enable secure communications between the management server and clients by using digital certificates for authentication, then click OK. This must be done even if you normally do not use HTTPS. Be sure to do this for all client groups.


    Wait a minimum of 24 hours before proceeding to the next steps; waiting up to one week is recommended. This allows as many clients as possible to download the new communication details from the SEPM. If you update the certificate prematurely, you will orphan clients and need to reconnect them manually using a Communication Update Package.

  8. Update the server certificate.
    See Updating or restoring a server certificate.

  9. To re-enable the original settings, wait at least 24 hours (waiting up to one week is recommended). Re-check "Enable secure communications between the management server and clients by using digital certificates for authentication", and then reassign the original management server list to all of your groups.


To update the server certificate on a multi-management server site without breaking communications with the client

Warning: Due to a change in the communication module, client versions 14.2 and 14.2.1 (and only those versions) cannot use this method to update the server certificate. To avoid breaking communication with these clients, use the single management server site procedure for them, even on multi-management server sites.

  1. On the console, ensure that your clients are configured to load balance or failover to at least one other Symantec Endpoint Protection Manager.

    See Setting up failover and load balancing.

    If you cannot enable load balancing or failover, use the single management server site procedure to first disable then re-enable secure communications.

  2. Update the server certificate on Symantec Endpoint Protection Manager.

    See Updating or restoring a server certificate.

  3. Wait at least three heartbeat cycles, and then update the server certificate on the next Symantec Endpoint Protection Manager on the site.

  4. Repeat steps 2 and 3 until each Symantec Endpoint Protection Manager on the site has the new certificate.

    Note: Users who are out of the office or on leave may not receive these updates because their devices are offline. Many institutions run the failover method for 30 days or more to catch as many out-of-office clients as possible. You may want to leave one Symantec Endpoint Protection Manager running with the old certificate for 90 days to ensure that those users are not orphaned.
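As an added pre-flight check (example code, not part of this KB article or the product), the script below covers the waiting periods in both procedures: it reads a client export and reports which clients have checked in since a cut-off (the list assignment in step 7 of the single-server procedure, or a server's certificate update in step 2 of the multi-server procedure), so the clients likely to be orphaned are known before the certificate is changed, and it flags the 14.2/14.2.1 clients named in the warning. The export column names, the short version string format and the sample rows are assumptions constructed for the example.

```python
"""Pre-flight check before updating the SEPM server certificate (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export. The column names are an assumption; a real export
# from the SEPM console would need its columns mapped onto these.
SAMPLE_EXPORT = """hostname,group,version,last_checkin
ws-001,My Company\\Laptops,14.3,2024-05-10T09:12:00Z
ws-002,My Company\\Laptops,14.2.1,2024-05-09T17:40:00Z
ws-003,My Company\\Desktops,14.3,2024-04-30T08:00:00Z
srv-01,My Company\\Servers,14.3,2024-05-10T06:05:00Z
"""

def parse_utc(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp of the form 2024-05-10T09:12:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def needs_single_server_procedure(version: str) -> bool:
    """True for the 14.2 / 14.2.1 client releases named in the KB warning.
    Assumes the export carries a short release string such as '14.2.1'."""
    parts = version.split(".")
    return parts[:2] == ["14", "2"] and (len(parts) == 2 or parts[2] in ("0", "1"))

def parse_export(text: str) -> list:
    """Parse the CSV export into dicts with last_checkin as an aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_checkin"] = parse_utc(row["last_checkin"])
        rows.append(row)
    return rows

def readiness(rows: list, cutoff: datetime, now: datetime,
              min_wait: timedelta = timedelta(hours=24)) -> dict:
    """Classify clients relative to the cut-off and check the 24-hour minimum wait."""
    received = sorted(r["hostname"] for r in rows if r["last_checkin"] >= cutoff)
    at_risk = sorted(r["hostname"] for r in rows if r["last_checkin"] < cutoff)
    legacy = sorted(r["hostname"] for r in rows
                    if needs_single_server_procedure(r["version"]))
    return {
        "waited_minimum": now - cutoff >= min_wait,
        "received": received,   # checked in since the cut-off: hold the new list/certificate
        "at_risk": at_risk,     # not seen since the cut-off: would need a Communication Update Package
        "legacy": legacy,       # 14.2/14.2.1: use the single-server procedure
    }

if __name__ == "__main__":
    clients = parse_export(SAMPLE_EXPORT)
    report = readiness(clients, parse_utc("2024-05-09T00:00:00Z"), parse_utc("2024-05-10T12:00:00Z"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real export after step 7 (or after each server's certificate update) and proceed only when waited_minimum is true and the at_risk list is as small as the waiting period allows.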


See About server certificates.

Additional Information

Legacy Symantec KB ID: TECH123518