Best practice for generating a new default self-signed certificate when the private key for your Symantec Endpoint Protection Manager (SEPM) certificate may have been compromised.
Symantec Endpoint Protection Manager 14.X
To maintain the integrity of your Public Key Infrastructure (PKI), you must treat any suspected compromise of your manager's private key as genuine. Replace the certificate on the affected managers as soon as possible.
Generating a new default self-signed certificate
If your manager is configured to use the default self-signed certificate, you will need to generate a new certificate, with a new public/private key pair.
Obtaining a new Certificate Authority (CA) signed certificate
If you updated your manager with a CA-signed certificate, you will need to contact the certificate issuer for assistance in doing both of the following: generating a new, uncompromised public/private key pair, and revoking the compromised certificate.
Follow the steps in Updating the server certificate on an Endpoint Protection Manager without breaking client-server communications to update your manager with the new certificate.
Add the -ext option, as shown below, to include a Subject Alternative Name (SAN) in the generated certificate (there must be no space between IP: and the address, or keytool will reject the extension value):
keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias tomcat -keystore keystore.jks -storepass <your password> -validity 3680 -keysize 2048 -ext SAN=dns:<Domain(DNS) Name>,IP:<System IP address>
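The following shell script is an added example, not part of this article or a Symantec tool. It generates the replacement self-signed certificate with a fresh RSA key pair into a new keystore file, then verifies that the SAN carries both the DNS name and the IP address and that the new certificate differs from the one in the old keystore. The hostname sepm.example.test, the address 192.0.2.10, the file names and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example: rotate the SEPM Tomcat certificate into a NEW keystore and
# verify the result. Names, paths and the password are placeholders only.
set -eu

# Build the SAN extension value. There is deliberately no space after "ip:";
# a space would make the shell pass the address as a separate argument.
san_ext() { printf 'SAN=dns:%s,ip:%s' "$1" "$2"; }

# Generate a brand-new key pair and self-signed certificate under alias "tomcat".
# -dname and -keypass are supplied so keytool does not prompt interactively.
gen_keypair() {
  # $1 = keystore path  $2 = password  $3 = DNS name  $4 = IP address
  keytool -genkeypair -keyalg RSA -sigalg SHA256withRSA -alias tomcat \
    -keystore "$1" -storetype JKS -storepass "$2" -keypass "$2" \
    -validity 3680 -keysize 2048 -dname "CN=$3" -ext "$(san_ext "$3" "$4")"
}

# Print the certificate stored under alias "tomcat" in PEM form (empty if absent).
cert_pem() {
  keytool -list -rfc -keystore "$1" -storepass "$2" -alias tomcat 2>/dev/null || true
}

# Generate into a new keystore and check it; returns non-zero on any failure.
# The old keystore is never modified, so deployment can follow the article's
# client-safe certificate update procedure.
rotate_sepm_cert() {
  old_ks=$1; new_ks=$2; pass=$3; host=$4; ip=$5
  [ ! -e "$new_ks" ] || { echo "refusing to overwrite $new_ks" >&2; return 1; }
  gen_keypair "$new_ks" "$pass" "$host" "$ip"
  # The verbose listing must show the SAN with both the DNS name and the IP.
  listing=$(keytool -list -v -keystore "$new_ks" -storepass "$pass" -alias tomcat)
  echo "$listing" | grep -q "DNSName: $host" || { echo "SAN lacks DNS name" >&2; return 1; }
  echo "$listing" | grep -q "IPAddress: $ip" || { echo "SAN lacks IP address" >&2; return 1; }
  # A fresh key pair implies a different certificate; catch accidental reuse.
  [ "$(cert_pem "$old_ks" "$pass")" != "$(cert_pem "$new_ks" "$pass")" ] \
    || { echo "new certificate is identical to the old one" >&2; return 1; }
  echo "OK: new certificate with SAN written to $new_ks"
}

# Only run when keytool (from a JDK/JRE) is on PATH; placeholder values throughout.
if command -v keytool >/dev/null 2>&1; then
  rotate_sepm_cert ./keystore.jks ./keystore-new.jks changeit sepm.example.test 192.0.2.10
fi
```

After the new keystore passes these checks, deploy it with the client-safe update procedure referenced above rather than replacing keystore.jks in place.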