How to replace, renew, and revoke certificates in ITMS 8.x

Article ID: 204333

Products

Client Management Suite, IT Management Suite

Issue/Introduction

How to replace, renew, and revoke certificates in IT Management Suite (ITMS) 8.x

How to replace Cloud-Enabled Management (CEM) certificates in ITMS 8.x

Agents cannot access the Notification Server.

Environment

ITMS 8.x

Resolution

REPLACE CERTIFICATE

To replace a certificate, on the Certificate Management page (Settings > All Settings > Notification Server > Certificate Management), you can do the following:

  1. Click the certificate that you want to replace, and then, on the toolbar, click Replace.

  2. Select the new certificate and confirm the replacement process.
    - Note that the replacement of the certificate does not occur immediately and the replacement process does not break the connectivity.
    - After you initiate the replacement, the certificate is distributed to the required computers. On the Certificate Management page, you can check the progress of certificate distribution.

  3. When the distribution of the certificate is completed, you can finalize the replacement.
    - Click the certificate that is being replaced, and then, on the toolbar, click Finalize.
    - The finalization task replaces the current certificate with a new one. After finalization, the new certificate will be in use.

If you have not enabled the Auto Refresh... option in the Internet Gateway Manager, on the Servers tab, take the following steps to perform the replacement of the NS root certificate:

  1. Initiate the replacement of the NS root certificate.
  2. On the Internet gateway computer, in the Internet Gateway Manager, on the Servers tab, manually refresh the required server.
  3. Wait until the certificate is distributed to all client computers.
  4. Finalize the replacement process.
  5. On the Internet gateway computer, in the Internet Gateway Manager, on the Servers tab, manually refresh the required server.

Note that while the replacement is in progress, you can cancel it. Canceling the replacement process does not break connectivity and the old certificate remains in use.

Note:
One thing to consider during the "Replace" process is what the displayed values mean. For example, "2076 of 2393 agents received the new certificate" means that 2393 agents have a reference to the old certificate in the inventory they previously sent, and 2076 of them have also received the new one. This number is unrelated to the number of agents that have the CEM policy applied. If an agent does not report the old certificate, it is not included in the 2393 number. Also, if some agents haven't communicated for a while, they will never get the new web certificate and will remain in this statistic until they are deleted as resources.

Optional Method:
Many customers want to make sure that the certificate change will work before committing to replacing the certificate completely.
The simplest way to test that the process will work is:

  1. Add the new certificate to your Agent Communication Profile (under SMP Console > Settings > All Settings > Agents/Plug-ins > Symantec Management Agent > Symantec Management Agent Communication profiles). This is usually the profile with your SMP name. By doing this, you propagate the new certificate to your client machines while they still use the existing one. This only makes the client machines aware of the new certificate.
  2. After your client machines have requested configuration for a few days (usually 3-5 days), they should have the new certificate under the communication profile.
  3. After the client machines have the new certificate, go to the port bindings in IIS Manager for the Default Website and the Symantec Agent site and switch the certificates.
  4. In most cases that is all that you need to do.
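
A pre-switch check for step 3, as an added example (not from the original article or the vendor): it validates the new certificate in the Notification Server's LocalMachine\My store and lists which certificate each IIS HTTPS binding currently uses. The thumbprint placeholder, the 30-day threshold, and the store location are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the Notification Server.
# Assumption: the new certificate is already installed in the LocalMachine\My store.
param(
    [string]$NewThumbprint = '<NEW-CERT-THUMBPRINT>',  # placeholder, replace with the real value
    [int]$MinDaysValid = 30                            # assumed threshold, adjust as needed
)
Import-Module WebAdministration

# Thumbprints copied from the certificate dialog often contain spaces; strip them.
$path = "Cert:\LocalMachine\My\$($NewThumbprint -replace '\s', '')"
if (-not (Test-Path $path)) { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
$cert = Get-Item $path

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekus = @($cert.EnhancedKeyUsageList | Where-Object { $_ } | ForEach-Object { $_.ObjectId })
$now  = Get-Date

$checks = [ordered]@{
    'Has private key'                   = $cert.HasPrivateKey
    'Validity period has started'       = $cert.NotBefore -le $now
    "Valid for $MinDaysValid more days" = $cert.NotAfter -gt $now.AddDays($MinDaysValid)
    'Server Authentication EKU allowed' = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)
    'Chain builds to a trusted root'    = $cert.Verify()
}
$checks.GetEnumerator() | ForEach-Object { '{0,-36} {1}' -f $_.Key, $_.Value }

# The names the agents connect to must appear here, or TLS name checks will fail.
'DNS names: ' + (($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', ')

# Show which certificate every HTTPS binding uses today, per IIS site.
Get-WebBinding -Protocol https | ForEach-Object {
    $site = if ($_.ItemXPath -match "@name='([^']+)'") { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Site       = $site
        Binding    = $_.bindingInformation
        Thumbprint = $_.certificateHash
        IsNewCert  = ($_.certificateHash -eq $cert.Thumbprint)
    }
} | Format-Table -AutoSize

if (@($checks.Values) -contains $false) {
    throw 'New certificate failed a check; do not switch the bindings yet.'
}
```

Running it again after the switch should show `IsNewCert` as True for the bindings that were changed.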

 

RENEW CERTIFICATE

The renewal task lets you re-create CEM Agent certificates on cloud-enabled agents. This task also lets you re-create an Internet gateway reporting certificate that the Internet gateway uses for sending its inventory to the Notification Server.

To renew a certificate, on the Certificate Management page, you can do the following:

  • Click the certificate that you want to renew, and then on the toolbar, click Renew.

If you have not enabled the Auto Refresh... option in the Internet Gateway Manager, on the Settings tab, take the following steps to perform the renewal of the Internet gateway reporting certificate:

  1. Initiate the renewal of the Internet gateway reporting certificate.
  2. On the Internet gateway computer, in the Internet Gateway Manager, on the Servers tab, manually refresh the required server.

 

REVOKE CERTIFICATE

Revoking a CEM Agent certificate prevents the managed computer from accessing your network in cloud-enabled mode. For example, if a cloud-enabled laptop computer is lost or stolen, you need to revoke its certificate immediately.

To revoke a certificate, on the Certificate Management page, you can do the following:

  • Click the certificate that you want to revoke, and then on the toolbar, click Revoke.

 

NOTE:
This information can be found at: Managing Certificates

Additional Information

Cloud Enabled Management (CEM) internet gateway certificate update or replace
Certificate is about to expire alert