Create and install a certificate to the SEDR Management appliance


Article ID: 178801

Products

Advanced Threat Protection Platform Endpoint Detection and Response

Issue/Introduction

By default the Symantec Endpoint Detection and Response appliance generates a self-signed certificate whose subject is the IP address of the management console. Follow these steps if you need a custom SSL/TLS certificate for the Symantec Endpoint Detection and Response (SEDR) appliance. For SEP clients and administrators' browsers to trust a connection to the appliance by its DNS name, the appliance must present a certificate for that name that is signed by a certificate authority they trust.

 

Environment

ATP 3.x or SEDR 4.x

Resolution

Prerequisites:

  1. When creating a certificate for SEP Private Cloud, the certificate must be signed with a SHA-2 hash (for example SHA-256, as used by the openssl commands below).
  2. The appliance does not accept an encrypted (passphrase-protected) private key; the key must be uploaded in unencrypted PEM form.
  3. As of SEDR 4.6, the certificate must contain a Subject Alternative Name (SAN) for the appliance's DNS name; a Common Name alone is not sufficient.

Steps for creating a CSR:

Note: The steps below for creating a CSR are generic OpenSSL steps that apply to any certificate request; they are not specific to this product.

  1. Log into the command line of a Linux box or a Linux emulator (Like Cygwin64 Terminal).  Do not use the SEDR appliance.  

  2. At the prompt type in: openssl req -newkey rsa:4096 -sha256 -nodes -keyout sedr.privkey.key -out sedr.csr

    Note: This generates two files: a CSR called 'sedr.csr' and a 4096-bit private key called 'sedr.privkey.key'. The -nodes option leaves the private key unencrypted, which is the form the appliance requires; the -sha256 option satisfies the SHA-2 prerequisite.

  3. You will be prompted for the subject fields of the CSR (Country, State, Locality, Organization, Common Name, etc.).

    Note: The 'CN' field (Common Name) is where you enter the fully qualified domain name of the SEDR appliance.
    Note: For wildcard certificates, the Common Name should be in the format: *.mydomain.com
    Note: The interactive prompts do not ask for a Subject Alternative Name. Because SEDR 4.6 and later require one, the DNS name (and the IP address, if clients will connect by address) must be added as a subjectAltName extension when the CSR is generated, either on the openssl command line or through an OpenSSL configuration file. The 'extra' attributes the prompts offer (a challenge password and an optional company name) are not the SAN and can be left blank.

  4. Your CSR is now generated. Open the 'sedr.csr' file with a text editor and copy and paste the contents into the enrollment form from your Certificate Authority when requested.

  5. Once you receive the certificate and all intermediate/root CAs in PEM format, you will need to open these files in a text editor. Paste the certificates in this order to build the chain of BASE64 encoded certificates:

     -----BEGIN CERTIFICATE-----
     (Primary SSL certificate: sedr.crt)
     -----END CERTIFICATE-----
     -----BEGIN CERTIFICATE-----
     (Intermediate certificate: Intermediate CA.crt)
     -----END CERTIFICATE-----
     -----BEGIN CERTIFICATE-----
     (Root certificate: ca.crt)
     -----END CERTIFICATE-----

  6. Save the file as sedr.crt and proceed to install the certificate into the SEDR web interface.
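The CSR and chain-assembly steps above, end to end, as an added example that is not part of this article or of the product: it generates the key and CSR with the subjectAltName that SEDR 4.6 and later require, then stands in for the commercial CA with a constructed throwaway root and intermediate so that the step 5 bundle order can be checked offline with openssl verify. It assumes OpenSSL 1.1.1 or later (for -addext); the FQDN sedr.example.com, the subject fields and the test CA names are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own commands. Generates the SEDR CSR with a
# SAN, then builds and checks the sedr.crt bundle against a constructed test CA.
# Assumes OpenSSL 1.1.1+ (-addext). All names below are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-sedr.example.com}"     # assumed appliance FQDN
SUBJ="/C=US/ST=CA/L=Mountain View/O=Example Corp/CN=$FQDN"

# Unencrypted (-nodes) 4096-bit key and SHA-256 CSR. The interactive prompts
# never ask for a SAN, so it is passed with -addext; append ",IP:<address>"
# to the value if clients will also reach the appliance by IP.
make_csr() {
    openssl req -newkey rsa:4096 -sha256 -nodes -subj "$SUBJ" \
        -addext "subjectAltName=DNS:$FQDN" \
        -keyout "$WORK/sedr.privkey.key" -out "$WORK/sedr.csr" 2>/dev/null
}

# 0 when the CSR carries the SAN and is signed with SHA-256.
check_csr() {
    txt=$(openssl req -in "$WORK/sedr.csr" -noout -text)
    echo "$txt" | grep -q "DNS:$FQDN" &&
        echo "$txt" | grep -q "sha256WithRSAEncryption"
}

# Constructed stand-in for the commercial CA: a root and an intermediate.
# openssl x509 -req reads extensions only from -extfile, so the CA bits are
# set explicitly instead of relying on the system openssl.cnf.
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=Example Test Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -set_serial 1000 \
        -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -sha256 -nodes -subj "/CN=Example Test Intermediate" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial 1001 -days 30 -sha256 -extfile "$WORK/int.ext" \
        -out "$WORK/intermediate.crt" 2>/dev/null
}

# The CA's signing step: the issued server certificate keeps the SAN.
sign_csr() {
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$FQDN" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/sedr.csr" -CA "$WORK/intermediate.crt" \
        -CAkey "$WORK/int.key" -set_serial 1002 -days 397 -sha256 \
        -extfile "$WORK/leaf.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Step 5 of the article: server certificate, then intermediate, then root.
build_bundle() {
    cat "$WORK/server.crt" "$WORK/intermediate.crt" "$WORK/ca.crt" > "$WORK/sedr.crt"
}

# 0 when the chain verifies up to the root, the bundle holds three PEM blocks,
# and the first block is the server certificate (openssl x509 reads only the
# first block, which is also the one the appliance presents as its own).
check_bundle() {
    openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/intermediate.crt" \
        "$WORK/server.crt" >/dev/null 2>&1 || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$WORK/sedr.crt")" -eq 3 ] || return 1
    openssl x509 -in "$WORK/sedr.crt" -noout -subject | grep -q "CN *= *$FQDN"
}

run_all() {
    make_csr && check_csr && make_test_ca && sign_csr && build_bundle && check_bundle &&
        echo "sedr.crt assembled and verified in $WORK"
}
run_all
```

Run it with sh; it leaves its files in a temporary directory whose path it prints. With a real CA, skip make_test_ca and sign_csr, save the issued certificate as server.crt and the CA's chain files as intermediate.crt and ca.crt, then run build_bundle and check_bundle unchanged. A bundle assembled in the wrong order (root first) still passes openssl verify, because that checks the separate files, but fails the first-certificate check.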

Steps for creating a Self Signed Certificate for SEDR

  1. Log into the command line of a Linux computer, or Linux emulator on a Windows computer (Like Cygwin64 Terminal).  Do not use the appliance.

  2. At the command line type in:

    openssl req -newkey rsa:4096 -x509 -sha256 -nodes -days 730 -keyout sedr.privkey.key -out sedr.crt

     

  3. This will prompt you for the subject fields (Country, State, Organization, CN, etc.). Enter the appliance's fully qualified domain name as the CN. Because SEDR 4.6 and later require a Subject Alternative Name and the prompts do not ask for one, add the DNS name as a subjectAltName extension on the command line or through an OpenSSL configuration file.

  4. Once you have entered all of the required information you should have a certificate 'sedr.crt' and a private key 'sedr.privkey.key' (the names given to -out and -keyout above).
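The self-signed certificate of this section with the required SAN, plus the checks worth running on any certificate and key pair, CA-signed or self-signed, before uploading it through the web interface: the key is unencrypted, it belongs to the certificate, the SAN is present and the certificate is not close to expiry. It also shows how to strip a passphrase from a key the appliance would otherwise reject (prerequisite 2). This is an added example, not the article's or the product's own code; it assumes OpenSSL 1.1.1 or later, and the FQDN sedr.example.com and subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own commands: self-signed SEDR certificate
# with a SAN, and pre-upload checks for any certificate/key pair.
# Assumes OpenSSL 1.1.1+ (-addext). FQDN and subject are placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-sedr.example.com}"     # assumed appliance FQDN

# The article's self-signed command plus the SAN the prompts never ask for.
make_self_signed() {
    openssl req -newkey rsa:4096 -x509 -sha256 -nodes -days 730 \
        -subj "/C=US/ST=CA/O=Example Corp/CN=$FQDN" \
        -addext "subjectAltName=DNS:$FQDN" \
        -keyout "$WORK/sedr.privkey.key" -out "$WORK/sedr.crt" 2>/dev/null
}

# An unencrypted PEM key carries no ENCRYPTED marker (PKCS#8 or legacy form).
key_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Strip the passphrase: writes an unencrypted PKCS#8 key the appliance accepts.
decrypt_key() { openssl pkey -in "$1" -passin "pass:$2" -out "$3"; }

# The DER public key derived from the key file and the one in the certificate
# must hash identically; otherwise the wrong key file is about to be uploaded.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# SEDR 4.6+ rejects a certificate without a SAN for the appliance name.
cert_san_ok() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$FQDN"; }

# -checkend returns 0 when the certificate is still valid 30 days from now.
not_expiring_soon() { openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null; }

run_all() {
    make_self_signed
    key_unencrypted "$WORK/sedr.privkey.key"
    key_matches_cert "$WORK/sedr.privkey.key" "$WORK/sedr.crt"
    cert_san_ok "$WORK/sedr.crt"
    not_expiring_soon "$WORK/sedr.crt"
    # Constructed encrypted copy, as a key is often handed over, and its fix.
    openssl pkey -in "$WORK/sedr.privkey.key" -aes256 -passout pass:secret -out "$WORK/enc.key"
    decrypt_key "$WORK/enc.key" secret "$WORK/plain.key"
    key_unencrypted "$WORK/plain.key"
    key_matches_cert "$WORK/plain.key" "$WORK/sedr.crt"
    echo "sedr.crt and sedr.privkey.key ready for upload in $WORK"
}
run_all
```

Run it with sh. For a CA-signed certificate, point key_matches_cert at the assembled sedr.crt bundle and the key from the CSR step; openssl x509 reads the first certificate in the bundle, which is the one the key must match.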


Steps to add the certificate and private key into SEDR web interface:

  1. Log into the SEDR Appliance.

  2. Click on Settings -> Global and scroll down to "SSL Certificate"

  3. Click on "Edit Certificate"

     

  4. Click on "Browse" for the Certificate and load the "sedr.crt"

  5. Click on "Browse" for the Unencrypted Private Key and load the "sedr.privkey.key" (the key file generated alongside the CSR or self-signed certificate; it must not be passphrase-protected)

  6. Click on "Upload" button.

  7. You should now see the FQDN from the certificate:

To distribute the new certificate to SEPM, click the three-dot menu next to the certificate entry and select "SEP Policies".

 

Now enter the FQDN for the appliance:

Click on the "Save" button and this will push the new certificate to the SEPM server as a Private Insight policy. 

Note: SEP clients receive the new certificate the next time they check in with the SEPM server. To fetch it sooner on a given client, right-click the SEP icon and click "Update Policy".
