Weak Key Exchange Algorithm detected in Symantec Endpoint Protection Manager
search cancel

Weak Key Exchange Algorithm detected in Symantec Endpoint Protection Manager


Article ID: 276685


Updated On:


Endpoint Security Complete Endpoint Protection


A weak Key Exchang Algorithm is detected in Symantec Endpoint Protection Manager (e.g. 1024-bit RSA key).


SEPM server generates its own self-signed certificate using a 2048 bit SHA256RSA key pair during its initial Management Server Configuration Wizard (MSCW) run. This certificate is stored in two locations and formats on the SEPM file system.

The certificate and private key are stored in Java Keystore as:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks

The certificate and private key are also stored separately in the Privacy Enhanced Mail (PEM) format as:

C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.crt


C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\server.key

The weak RSA 1024-bit key being detected in SEPM is due to using an old self-signed certificate which was generated the first time SEPM was installed in the environment. Older SEPM versions used by default an RSA Key size of 1024 bits. Whenever an upgrade is performed, SEPM will continue to use the same certificate by default (even if a new recovery key is generated). This is done to prevent SEP clients from losing connectivity with SEPM.



To resolve this issue, you can simply update your SEPM self-signed certificate on your SEPM. The newly created certificate will have a 2048-bit RSA key. If you are using an older SEPM version (prior to 14.3), you should first upgrade to the latest available build.

When updating the certificate, it is essential to strictly follow some steps to avoid breaking communication with SEP clients. These steps are described in the article linked below:

Update the server certificate on the management server without breaking communications with the client (broadcom.com)

If you cannot upgrade, you can manually generate a new self-signed certificate with a 2048-bis RSA key and then import it into you SEPM console. You can refer to below document:

Generating a new default self-signed certificate (broadcom.com) 

Alternatively, if you have only a few clients connected to SEPM, you could simply update the certificate on the SEPM by following the steps below. 

How do I replace the client-server communications file on the client computer? (broadcom.com) 

Afterward, you can manually replace the Sylink on every client.

Updating or restoring a server certificate (broadcom.com)