How to manually renew the Endpoint Prevent server certificate used for Agent communication?


Article ID: 249203


Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Is there a way to manually force the renewal of the certificate presented by the Endpoint Prevent detection servers on port 10443, used for communication with Agents?

The expiry date of that certificate can be seen by opening a browser and entering https://EP_detection_server_FQDN_or_IP:10443. The browser will show a "this site can't be reached" error because there is no website on that port, but you can still inspect the details of the certificate the EP server presents there.

Resolution

Usually, if the built-in certificates are used on Enforce, the detection servers and the Agents, the infrastructure renews all relevant certificates by itself in the background.

If this does not happen, or the 10443 EP certificate needs to be renewed earlier, the renewal can be forced with the following steps:

1) Run the following SQL query to find which monitor keystore .jks file is used by which EP server:

SELECT im.monitorname, mck.keystorefilename
FROM InformationMonitor im
JOIN EndpointChannel ec ON im.informationmonitorid = ec.informationmonitorid
JOIN MonitorChannelKeystore mck ON mck.monitorchannelkeystoreid = ec.monitorchannelkeystoreid;

2) Note down the monitor keystore filename for each EP detection server whose certificate you want to renew.
3) On Enforce, go to the folder where the keystores are located. On Windows, by default, this is C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\<version>\keystore.
4) Stop the Symantec DLP Detection Server Controller service on Enforce.
5) Back up and rename the monitorXX_keystore_vXX.jks files that the SQL query from step 1 listed as belonging to the relevant Endpoint detection servers. The XX values are the internal ID numbers of the detection servers and the versions of their keystores. Rename each file to, for example, samefilename.jks.bak.
6) Start the Symantec DLP Detection Server Controller service and wait a couple of minutes. Enforce should create new versions of the monitor .jks files for the Endpoint detection servers whose .jks files were backed up. For example, if the original filename was monitor6_keystore_v3.jks, the new file will be named monitor6_keystore_v4.jks.
7) Once the files have been created, go to each Endpoint server whose monitor keystore file was regenerated and restart the Symantec DLP Detection Server service there. This is required so that the detectors receive the renewed certificate.
8) Check https://EP_detection_server_FQDN_or_IP:10443 again in the browser; it should now present a new certificate with new validity/expiration dates.
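The following PowerShell script is an added example, not part of this article and not Symantec/Broadcom tooling. It automates steps 3 to 8 on a Windows Enforce server and verifies the certificate presented on port 10443 before and after, in the same way the browser check above does but without needing a web page behind the port. The host name, the <version> path segment, the keystore file names (which must come from the SQL query in step 1) and the assumption that the Endpoint server is a Windows host reachable over WinRM are all placeholders to adjust for your environment.

```powershell
# Added example (not from the KB article). Automates steps 3-8 and checks the
# 10443 certificate expiry before and after. All parameter defaults are assumptions.
param(
    # FQDN or IP of the Endpoint Prevent detection server (placeholder)
    [string]$EpHost = 'ep-detection-01.example.local',
    # Enforce keystore folder from step 3; '16.0' stands in for <version> (assumption)
    [string]$KeystoreDir = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0\keystore',
    # Monitor keystore files returned by the step 1 query (constructed sample value)
    [string[]]$KeystoreFiles = @('monitor6_keystore_v3.jks'),
    [string]$ControllerService = 'Symantec DLP Detection Server Controller',
    [string]$DetectionService  = 'Symantec DLP Detection Server'
)

# Completes a TLS handshake to $ComputerName:$Port and returns the presented leaf
# certificate. Chain validation is deliberately skipped: we only want to read
# NotAfter, not trust the server; the agents do their own validation.
function Get-EpServerCertificate {
    param([string]$ComputerName, [int]$Port = 10443)
    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    $ssl = $null
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Step 5: rename the original keystore to <name>.bak so the Controller must
# regenerate it; the .bak copy is the rollback path if something goes wrong.
function Backup-MonitorKeystore {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Keystore not found: $Path" }
    Rename-Item -LiteralPath $Path -NewName ((Split-Path -Leaf $Path) + '.bak')
    return "$Path.bak"
}

# Step 6: poll the keystore folder until a file with the same monitor prefix and a
# higher version suffix appears (monitor6_keystore_v3.jks -> monitor6_keystore_v4.jks).
function Wait-RegeneratedKeystore {
    param([string]$Directory, [string]$OriginalName, [int]$TimeoutSeconds = 300)
    if ($OriginalName -notmatch '^(?<prefix>monitor\d+_keystore_v)(?<ver>\d+)\.jks$') {
        throw "Unexpected keystore name: $OriginalName"
    }
    $prefix = $Matches.prefix
    $oldVer = [int]$Matches.ver
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $newer = Get-ChildItem -LiteralPath $Directory -Filter "$prefix*.jks" |
            Where-Object { $_.Name -match '_v(\d+)\.jks$' -and [int]$Matches[1] -gt $oldVer } |
            Select-Object -First 1
        if ($newer) { return $newer.Name }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "No regenerated keystore for $OriginalName after $TimeoutSeconds s; restore $OriginalName.bak and start $ControllerService"
}

# Record the current expiry so the result of the renewal is verifiable.
$before = Get-EpServerCertificate -ComputerName $EpHost
Write-Host ("Before: {0} expires {1:u}" -f $before.Subject, $before.NotAfter)

# Step 4
Stop-Service -Name $ControllerService -ErrorAction Stop

# Step 5
foreach ($f in $KeystoreFiles) { Backup-MonitorKeystore -Path (Join-Path $KeystoreDir $f) | Out-Null }

# Step 6
Start-Service -Name $ControllerService -ErrorAction Stop
foreach ($f in $KeystoreFiles) {
    $new = Wait-RegeneratedKeystore -Directory $KeystoreDir -OriginalName $f
    Write-Host "Enforce regenerated $f as $new"
}

# Step 7: restart the detection service on the EP server (assumes a Windows host
# with WinRM enabled; on other platforms restart the service manually).
Invoke-Command -ComputerName $EpHost -ScriptBlock {
    param($svc) Restart-Service -Name $svc -ErrorAction Stop
} -ArgumentList $DetectionService

# Step 8: the presented certificate must now carry a later NotAfter than before.
$after = Get-EpServerCertificate -ComputerName $EpHost
Write-Host ("After:  {0} expires {1:u}" -f $after.Subject, $after.NotAfter)
if ($after.NotAfter -le $before.NotAfter) {
    throw 'Certificate on port 10443 was not renewed; check the Controller and detection server logs'
}
```

Run the script from an elevated PowerShell session on Enforce, passing the real keystore names from the step 1 query (`-KeystoreFiles 'monitor6_keystore_v3.jks','monitor7_keystore_v2.jks'`). The final comparison is the same check as step 8: if the NotAfter date did not move forward, the detection server is still serving the old keystore and the .bak files are in place for rollback.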

Additional Information