You received an email from your SEPM stating the SEPM certificate is expiring or has expired.

Article ID: 204411

Updated On:

Products

Endpoint Protection

Issue/Introduction

In SEP 14.3 RU1 or later, the Symantec Endpoint Protection Manager (SEPM) emails administrators 30 days before the certificate that SQL Server uses for its encrypted database connection expires, and again once it has expired. After the certificate expires, the SEPM can no longer connect to the database and you can no longer log in to the SEPM console.

The 30-day notification has the following subject line:

The Symantec Endpoint Protection Manager's SQL Server Certificate expires within 30 days

If the certificate has already expired, the notification contains the following text:

Subject: The Symantec Endpoint Protection Manager can not connect to the Database

Body:

Message from
Server name: <name>
Server IP: <IP>

Symantec Endpoint Protection Manager (SEPM) cannot connect to the Microsoft SQL Server database because SQL Server uses a certificate that Windows does not trust.  Therefore, you must import the certificate that SQL Server uses into the Local Machine Certificate Store (Trusted Root Certification Authorities) of the Windows system where the management server is installed and restart the management server service.
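The notification above only tells you that the connection failed. The following PowerShell check, added here as an example and not part of the original article or of Symantec's own tooling, reads the TLS settings that SQL Server Configuration Manager stores for the instance, finds the bound certificate in the Local Machine Personal store, and reports whether Windows trusts it and how many days remain before it expires. It assumes the default SEP instance name SQLEXPRESSSYMC and a 30-day warning threshold to match the SEPM email; run it from an elevated prompt on the SQL Server host.

```powershell
# Added example; not part of the KB article or of the SEPM product.
# Reports which certificate the SEP SQL Server instance presents for TLS,
# whether Force Encryption is on, whether Windows trusts the certificate,
# and how many days remain before it expires.
# Assumptions: default instance name SQLEXPRESSSYMC; 30-day warning threshold.
param(
    [string]$InstanceName = 'SQLEXPRESSSYMC',
    [int]$WarnDays = 30
)
$ErrorActionPreference = 'Stop'

# SQL Server Configuration Manager stores the TLS settings it edits under the
# instance's SuperSocketNetLib key: ForceEncryption (DWORD) and Certificate
# (thumbprint of a certificate in Cert:\LocalMachine\My).
$instanceMap = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
$instanceId  = (Get-ItemProperty -Path $instanceMap).$InstanceName
if (-not $instanceId) { throw "SQL Server instance '$InstanceName' is not installed on this host." }

$netLib      = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
$netLibProps = Get-ItemProperty -Path $netLib
$forceEncryption = ([int]$netLibProps.ForceEncryption) -eq 1
$thumbprint      = [string]$netLibProps.Certificate

if (-not $thumbprint) {
    # With no certificate bound, SQL Server generates a self-signed certificate
    # at service start; it never lands in the store, so there is nothing to import.
    [pscustomobject]@{
        Instance        = $InstanceName
        ForceEncryption = $forceEncryption
        Thumbprint      = $null
        Status          = 'No certificate bound in registry'
    }
    return
}

# -eq is case-insensitive, so a lower-case thumbprint in the registry still matches.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "Registry points at thumbprint $thumbprint, but no such certificate exists in Cert:\LocalMachine\My."
}

$daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
$status = if ($daysLeft -lt 0) { 'EXPIRED' }
          elseif ($daysLeft -le $WarnDays) { "Expires in $daysLeft days" }
          else { 'OK' }

[pscustomobject]@{
    Instance         = $InstanceName
    ForceEncryption  = $forceEncryption
    Thumbprint       = $cert.Thumbprint
    Subject          = $cert.Subject
    NotAfter         = $cert.NotAfter
    DaysLeft         = $daysLeft
    # Verify() builds the chain against the machine trust store; a self-signed
    # certificate that was never imported into Trusted Root Certification
    # Authorities returns $false, which is the condition the notification describes.
    TrustedByWindows = $cert.Verify()
    Status           = $status
}
```

Schedule this on the SQL host and alert on Status other than OK, or on TrustedByWindows being false, and you get the same warning the SEPM sends but with the thumbprint and subject you need to find the certificate in the store.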

Environment

14.3 RU1 and later.

Cause

The SQL Server certificate is within 30 days of expiring or has already expired.

Resolution

If the certificate is still valid but you have received the 30-day notification, update the server certificate and then run the Management Server Configuration Wizard to push the new certificate to SQL Server. Do not use a recovery file. Steps 8-10 below cover this process; the other steps are needed only if the certificate has already expired.

If the certificate has already expired, take the following steps. They apply to both a self-signed and a custom (CA-issued) certificate.

  1. Open SQL Server 2017 (or 2014) Configuration Manager.
  2. Go to SQL Server Network Configuration, right-click "Protocols for <instance name>" and choose Properties. (The default instance name is SQLEXPRESSSYMC.)
  3. Set Force Encryption to No and click OK.
  4. Restart the SQL Server service.
  5. Edit root.xml in <SEPM directory>\tomcat\conf\Catalina\localhost\ and change:
    encrypt=true
    to
    encrypt=false
  6. Save and close the file.
  7. Restart the Symantec Endpoint Protection Manager service.
  8. Follow the steps to update the server certificate without breaking communication.
    -  The SEPM shows an error on login and on the top three tabs, but it should still let you log in and complete this process.
  9. After that process is complete, run the Management Server Configuration Wizard and choose to reconfigure the server. Do NOT use a recovery file. This updates the SQL Server certificate to the one the SEPM now uses and re-enables Force Encryption.
  10. Log in to the SEPM and confirm that it is working.
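Steps 1-7 are the mechanical part of the recovery and can be done from an elevated PowerShell prompt on the SEPM host instead of clicking through SQL Server Configuration Manager. The script below is an added example, not the article's or Symantec's own procedure: it sets the same ForceEncryption registry value that Configuration Manager edits, restarts the instance, switches encrypt=true to encrypt=false in root.xml with a backup, and restarts the management server. It assumes the default instance name SQLEXPRESSSYMC, the default SEPM install path, and the SEPM Windows service name semsrv; steps 8-10 are still done in the console and the wizard.

```powershell
# Added example; not the KB's own script. Automates steps 1-7 of the
# expired-certificate recovery. Steps 8-10 (updating the SEPM certificate and
# running the Management Server Configuration Wizard) remain manual.
# Assumptions: default instance name SQLEXPRESSSYMC, default SEPM install
# path, and SEPM service name 'semsrv'. Run from an elevated prompt.
param(
    [string]$InstanceName = 'SQLEXPRESSSYMC',
    [string]$SepmDir      = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager',
    [string]$SepmService  = 'semsrv'
)
$ErrorActionPreference = 'Stop'

# Steps 1-3: Force Encryption = No. Configuration Manager writes this same
# DWORD under the instance's SuperSocketNetLib key.
$instanceId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$InstanceName
if (-not $instanceId) { throw "SQL Server instance '$InstanceName' is not installed on this host." }
$netLib = "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib"
Set-ItemProperty -Path $netLib -Name ForceEncryption -Value 0 -Type DWord

# Step 4: restart the named instance's service (MSSQL$<instance>).
Restart-Service -Name "MSSQL`$$InstanceName" -Force

# Steps 5-6: flip encrypt=true to encrypt=false in root.xml, keeping a
# timestamped backup so the change can be reverted if needed.
$rootXml = Join-Path $SepmDir 'tomcat\conf\Catalina\localhost\root.xml'
$backup  = "$rootXml.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $rootXml -Destination $backup
$content = [System.IO.File]::ReadAllText($rootXml)
if ($content -notmatch 'encrypt=true') {
    throw "encrypt=true not found in $rootXml; nothing changed (backup left at $backup)."
}
# ReadAllText/WriteAllText preserve the file's line endings and write UTF-8
# without a BOM, so the file differs from the original only in the flag.
[System.IO.File]::WriteAllText($rootXml, ($content -replace 'encrypt=true', 'encrypt=false'))

# Step 7: restart the management server so Tomcat reloads root.xml.
Restart-Service -Name $SepmService -Force
Write-Host "Force Encryption disabled, root.xml updated (backup: $backup), services restarted."
Write-Host "Continue with steps 8-10 in the SEPM console; the wizard re-enables Force Encryption."
```

The script disables encryption on the SEPM-to-SQL link only as a bridge to let you log in; leaving it in that state is not a fix. Running the Management Server Configuration Wizard in step 9 turns Force Encryption back on, and you can confirm that afterwards by checking that ForceEncryption under the same SuperSocketNetLib key is 1 again and that root.xml once more contains encrypt=true.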

Additional Information

SEP-69123

ESSKB-35
