Certificate error when using a web browser to view the Endpoint Protection Manager console

book

Article ID: 152182

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You see certificate errors when using a web browser to view the Symantec Endpoint Protection Manager console.

One or more of the following scenarios may occur:

  • When you connect to Symantec Endpoint Protection Manager you are warned by your web browser that there is a problem with the security certificate. The warning may appear as soon as you access the remote console Web page.
  • When connecting to the Symantec Endpoint Protection Manager Web Console using Internet Explorer, the tab panel sidebar (containing Home, Monitors, Reports, Policies, Clients, and Admin tabs) does not display.
  • When connecting to the Symantec Endpoint Protection Manager Web Console using Firefox, the first three tabs (Home, Monitors, and Reports) do not display, and you see the message "Your connection is not secure" (error code: sec_error_unknown_issuer), with no option to add the certificate to trust. 

Cause

The web browser does not have a certificate for a remote Symantec Endpoint Protection Manager console, or the certificate has not been installed.

 

Resolution

To resolve this, you need to install the manager's certificate as a trusted root CA.  This certificate may be the self-signed version that comes with the product, or a custom certificate that you've provided.

Before you begin

This document describes a procedure for installing a self-signed certificate to the Trusted Root Certification Authorities store on most Windows operating systems, which is unsupported and are provided for your convenience only. Due to the nature of this procedure, Symantec Technical Support cannot provide support for this procedure.

Install the certificate

To use this procedure, you must be logged on to the computer as Administrator. In Windows Vista and later, you must start the browser with Administrator privileges (right-click on the browser icon and click Run as administrator; for Windows 8, search for the program name in the Metro start screen, right-click on the program name and click on Advanced, and then click Run as administrator.)

You need only perform this procedure once for any of the consoles that reside on the same host, but you will need to repeat these steps if a new certificate is installed or regenerated.

To install the certificate, perform the following steps, depending on your browser:

Internet Explorer - Firefox - Chrome

Internet Explorer

  1. Start Internet Explorer with Administrator privileges, and in the address box, type the following URL where hostname is the IP address or computer name of the server where the manager is installed:

    http://hostname:9090
     
  2. Click on Symantec Endpoint Protection Manager Web Console.
  3. On the certificate alert screen ("There is a problem with this website's security certificate"), click Continue to this website (not recommended).
  4. In the address bar, click the red Certificate Error alert.
  5. In the Security Alert dialog box, click View Certificates
    Under Issued to, look at the host name and confirm that it is identical to the name you used in Step 1. If they are different, start over on Step 1, using the exact name listed on the certificate.
  6. Click Install Certificate to launch the Certificate Import Wizard.
    Note: The Install Certificate button may not be visible until the server is added to your browser's Trusted sites.
  7. For Internet Explorer 10 (requires 12.1.2 or later), ensure that you select Current User for Store Location. Otherwise, just click Next.
  8. Click Place all certificates in the following store, click Browse, and then click Trusted Root Certification Authorities.
    Note: You may need to check Show physical stores, then under Trusted Root Certification Authorities, click Local Computer. This allows the certificate to be trusted by all users on this computer, rather than just the current user.
  9. Click OK, click Next, and then click Finish.
  10. Look for the Security Warning dialog. If you do not see it, your certificate is not imported.
    In the Security Warning dialog, review the URL and other information. If it is correct, then click Yes to install the certificate.

Firefox

Note: If you are using the default self-signed certificate, due to the way that Firefox handles self-signed certificates, you need to create a Security Exception:

  1. Start Firefox with administrator privileges.
  2. Within Firefox, click Options (or Options > Options) > Advanced. Click on the Certificates (or Encryption) tab, and then click View Certificates.
  3. Click the Servers tab, and then click Add Exception.
  4. In the Location field, type the following URL where hostname is the IP address or computer name of the server where the manager is installed:

    https://hostname:8445
     
  5. Click Get Certificate. When the Certificate Status appears, click on View... and confirm that the information is valid and correct for your server. If it is not, ensure you entered the correct information in the previous step.
  6. Click on Confirm Security Exception.
  7. Click on Add Exception once again.
  8. In the Location field, type the following URL where hostname is the IP address or computer name of the server where the manager is installed:

    https://hostname:8443
     
  9. Click Get Certificate. When the Certificate Status appears, click on View... and confirm that the information is valid and correct for your server. If it is not, ensure you entered the correct information in the previous step.
  10.  Click on Confirm Security Exception and then click OK > OK to close the Options window.

To import a certificate that is not self-signed, do the following steps:

  1. Start Firefox and in the address box, type the following URL where hostname is the IP address or computer name of the server where the manager is installed:

    http://hostname:9090
     
  2. Click on Symantec Endpoint Protection Manager Certificate, and then click on Save File.
    The file will be saved to your default Downloads folder.
  3. Within Firefox, go to Options (or Options > Options) > Advanced. Click on the Encryption tab, View Certificates, Servers, then click on Import....
  4. Browse to your default Downloads folder, click on the file you just downloaded, click Open, and then click OK > OK to close the Options window.
    You should be able to successfully access the web console.

You may also need to add an exception for https://server_ip:8446 within the Firefox browser:

  1. Click Tools (or the menu icon) > Options > Advanced > Certificates > View Cerificates.
  2. Click Servers, and then click Add Exception.
  3. Enter https://server_ip:8446 in the location, and then click Get Certificate.
    Server_IP is the IP address of the Symantec Endpoint Protection Manager server. 
  4. Click Confirm Security Exception.

Chrome

Chrome is supported with Symantec Endpoint Protection 12.1.2 or later. This process allows you to add the certificate to the Windows Certificate Manager using Chrome.

  1. Start Chrome with Administrator privileges, and in the address box, type the following URL where hostname is the IP address or computer name of the server where the manager is installed:
     
    http://hostname:9090
     
  2. Click on Symantec Endpoint Protection Manager Certificate to download the security certificate.
  3. Open Customize and control Google Chrome by clicking on the icon to the right of the address bar (three horizontal lines).
  4. Click Settings, and then scroll to the bottom of the page and then click Show advanced settings.
  5. Scroll down and then click on Manage Certificates.
  6. In the Personal tab, click Import and then click Next.
  7. Click Browse, select the certificate file you downloaded in Step 2, and then click Open. Click Next.
  8. In the Certificate Import Wizard, click Place all certificates in the following store, click Browse, and then click Trusted Root Certification Authorities. Click OK, and then click Next.
  9. Click Finish. If you receive a security warning window, verify the information is correct, and if it is, then click Yes to install the certificate.

To test the certificate installation, close the browser, restart it, and attempt to load the site again. If you do not see the red background in the address bar, the certificate was loaded.

Additional information

If you still have issues after adding the certificate, you may need to add a URL exception for http://server_ip:9090, where server_ip is the IP address of the Symantec Endpoint Protection Manager server, in the Java Control Panel. To do this, see the Oracle Java article, How can I configure the Exception Site List?