A weak Key Exchange Algorithm is detected in Symantec Endpoint Protection Manager (e.g. a 1024-bit RSA key).
The SEPM server generates its own self-signed certificate, with a 2048-bit RSA key pair and a SHA256RSA signature, during the initial run of the Management Server Configuration Wizard (MSCW). This certificate is stored in two locations and formats on the SEPM file system.
The certificate and private key are stored in a Java keystore (JKS) as:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks
The certificate and private key are also stored separately, in Privacy Enhanced Mail (PEM) format, as:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.crt
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.key
The weak 1024-bit RSA key detected in SEPM comes from an old self-signed certificate that was generated the first time SEPM was installed in the environment. Older SEPM versions used an RSA key size of 1024 bits by default. Whenever an upgrade is performed, SEPM continues to use the same certificate by default (even if a new recovery key is generated), so that SEP clients do not lose connectivity with SEPM.
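The following PowerShell script is an added example, not part of the Symantec article. It reads the RSA key size of the SEPM server certificate from both stores named above (server.crt and keystore.jks), so an administrator can tell whether the 1024-bit certificate from an older installation is still in use, and can re-run it after the certificate update to confirm that both copies now carry a 2048-bit key. It assumes the default installation paths quoted in the article; the location of keytool.exe (a JRE bundled under the SEPM folder) is an assumption and the script falls back to any keytool on the PATH.

```powershell
# Added example, not from the Symantec article: report the RSA key size of the SEPM
# self-signed certificate in both stores the article names, to see whether the
# 1024-bit certificate from an older installation is still in use and, after the
# certificate has been updated, to confirm both copies now carry a 2048-bit key.
# Run from an elevated Windows PowerShell prompt on the SEPM server.

$sepmRoot = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$pemCert  = Join-Path $sepmRoot 'apache\conf\ssl\server.crt'
$jksPath  = Join-Path $sepmRoot 'tomcat\etc\keystore.jks'
# Assumption: keytool.exe from the JRE bundled with SEPM; falls back to keytool on PATH.
$keytool  = Join-Path $sepmRoot 'jre\bin\keytool.exe'
if (-not (Test-Path $keytool)) { $keytool = 'keytool' }

function Get-CertRsaKeyInfo {
    # Loads a PEM- or DER-encoded certificate file and returns its RSA key size.
    param([Parameter(Mandatory)][string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) { throw "Certificate in $Path does not carry an RSA public key" }
    [pscustomobject]@{
        Source     = $Path
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        SigAlg     = $cert.SignatureAlgorithm.FriendlyName
        KeyBits    = $rsa.KeySize
        Weak       = ($rsa.KeySize -lt 2048)
    }
}

function Get-JksRsaKeyInfo {
    # Exports every certificate entry of a JKS keystore with keytool (which prompts for the
    # keystore password) and runs each one through Get-CertRsaKeyInfo, so the check does not
    # depend on which keytool build is installed or on the wording of its verbose listing.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$KeytoolExe)
    $aliases = & $KeytoolExe -list -keystore $Path 2>&1 |
        Where-Object { $_ -match ',\s*(PrivateKeyEntry|trustedCertEntry),' } |
        ForEach-Object { ($_ -split ',')[0].Trim() }
    foreach ($alias in $aliases) {
        $tmp = Join-Path $env:TEMP "sepm-$alias.pem"
        & $KeytoolExe -exportcert -rfc -alias $alias -keystore $Path -file $tmp | Out-Null
        try {
            $info = Get-CertRsaKeyInfo -Path $tmp
            $info.Source = "$Path (alias '$alias')"
            $info
        } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
    }
}

$results = @(Get-CertRsaKeyInfo -Path $pemCert) + @(Get-JksRsaKeyInfo -Path $jksPath -KeytoolExe $keytool)
$results | Format-Table Source, KeyBits, Weak, SigAlg, NotAfter, Thumbprint -AutoSize

# The article states that both stores hold the same certificate; differing thumbprints
# mean the two copies are out of step and worth investigating before any update.
if (($results.Thumbprint | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'server.crt and keystore.jks do not hold the same certificate.'
}
if ($results | Where-Object Weak) {
    Write-Warning 'A certificate with an RSA key shorter than 2048 bits is still in use; update the SEPM server certificate.'
}
```

The script never writes the keystore password to the command line: keytool prompts for it interactively, once for the listing and once per exported alias. Only the public certificate is exported (the private key never leaves the keystore), and the temporary PEM file is deleted after each check.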
To resolve this issue, update the self-signed certificate on your SEPM. The newly created certificate will have a 2048-bit RSA key. If you are running an older SEPM version (prior to 14.3), first upgrade to the latest available build.
When updating the certificate, it is essential to follow the steps strictly to avoid breaking communication with SEP clients. These steps are described in the article linked below:
If you cannot upgrade, you can manually generate a new self-signed certificate with a 2048-bit RSA key and then import it into your SEPM console. Refer to the document below:
Alternatively, if only a few clients are connected to SEPM, you can simply update the certificate on the SEPM by following the steps below.
Afterward, manually replace the Sylink on every client.