You received an email from your SEPM stating the SEPM certificate is expiring or has expired.
search cancel

You received an email from your SEPM stating the SEPM certificate is expiring or has expired.


Article ID: 204411


Updated On:


Endpoint Protection


In SEP 14.3 RU1 or later, administrators will receive an email from the Symantec Endpoint Protection Manager (SEPM) 30 days before the SQL Server Certificate will expire.  An email will also be sent when the certificate expires.  After the certificate expires, you'll no longer be able to login to the SEPM.  

The 30 day notification will have the subject line.

The Symantec Endpoint Protection Manager's SQL Server Certificate expires within 30 days

If the certificate has expired, the notification will contain the following text.

Subject: The Symantec Endpoint Protection Manager can not connect to the Database


Message from
Server name: <name>
Server IP: <IP>

Symantec Endpoint Protection Manager (SEPM) cannot connect to the Microsoft SQL Server database because SQL Server uses a certificate that Windows does not trust.  Therefore, you must import the certificate that SQL Server uses into the Local Machine Certificate Store (Trusted Root Certification Authorities) of the Windows system where the management server is installed and restart the management server service.


14.3 RU1 and later.


SQL Server Certificate is 30 days from expiring or has already expired


Confirm the details of the expiration notice: is it for the SEPM or the SQL database server?

If the SEPM was installed together with SQL Express on the same machine then they share the same certificate: follow the steps to update the ​server certificate without breaking communication and be sure to run the SEPM's Management Server Configuration Wizard afterwards so that SQL Express also gets the updated certificate. The SEPM will show an error on login and the top 3 tabs but should allow you to log in and complete this process.

Do NOT follow the instructions above if the expiration notice is for a standalone SQL server database certificate—the SEPM has nothing to do with the management of that certificate. Use Microsoft's instructions instead: ​Certificate Management (SQL Server Configuration Manager

If the certificate is still valid, but you've received the 30 day notification, then update the server certificate using the appropriate steps above. 

If the certificate has already expired, the following steps can be taken to correct the issue.

  1. Open the SQL Server Configuration Manager
  2. Go to SQL Server Network Configuration -> Right-click and choose Properties on "Protocols for <instance>"  (The default instance for SQL Express is SQLEXPRESSSYMC)
  3. Set Force Encryption to No and click OK
  4. Restart the SQL Server service
  5. Edit the root.xml in <SEPM directory>\tomcat\conf\Catalina\localhost\ and change:
  6. Save and close the file
  7. Restart the Symantec Endpoint Protection Manager service
  8. Update the certificate using the appropriate steps at top of this section.   
  9. Login to the SEPM and confirm it is now working.


    Sometimes modifying root.xml doesn't disable the TLS between SEPM and the database, and the user has to use SetSQLServerTLSEncryption.bat script under *:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\
    The usage instructions of this tool can be found in *:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tools\SetSQLServerTLSEncryption.html

Additional Information