Symantec Endpoint Protection Manager: Replacing Symantec/Broadcom self-signed certificate with CA issued certificate

1. Follow the Broadcom article on how to use a signed certificate with Endpoint Protection Manager. I followed this article to generate the CSR: https://knowledge.broadcom.com/external/article/176335/use-a-signed-certificate-with-endpoint-p.html. It works well up to this point. You can use the .csr file to request a signed certificate from the internal CA, from which you download the .cer file.
    openssl.exe req -config ..\conf\ssl\openssl.cnf -new -sha256 -key ..\conf\ssl\newserver.key -out ..\conf\ssl\newserver.csr

2. Update the server certificate on the management server without breaking communications with the client. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/managing-the-client-server-connection-v26173180-d15e3300/Configuring-management-servers-and-the-server-client-connection/best-practices-for-updating-server-certificates-an-v57845489-d15e3587/update-the-server-certificate-on-the-management-se-v57256809-d15e4328.html

3. Updating or restoring a server certificate. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/managing-the-client-server-connection-v26173180-d15e3300/Configuring-management-servers-and-the-server-client-connection/best-practices-for-updating-server-certificates-an-v57845489-d15e3587/updating-or-restoring-a-server-certificate-v7641581-d15e3981.html

Broadcom does not document how to package the certificate file (newserver.cer) with the key file (newserver.key) for import. SEPM accepts the following formats for import: a JKS keystore, a PKCS12 keystore (.pfx or .p12), or a certificate and private key file pair.

Make sure the CA-signed newserver.cer file is copied into the same directory as the key file (newserver.key).

We need to package the certificate file (newserver.cer) and the key file (newserver.key) into a PKCS12 (newserver.pfx) file that we can import into SEPM.

Use the following command; enter the key file password when prompted, then set a new export password when prompted. The export password is what you will enter when you import the file during the SEPM certificate update.

    openssl pkcs12 -inkey ..\conf\ssl\newserver.key -in ..\conf\ssl\newserver.cer -export -out newserver.pfx

Note that -out newserver.pfx writes the bundle into the current directory (the openssl bin directory if you run the command from there), not into ..\conf\ssl. If the signing CA uses an intermediate, add -certfile with the CA chain file so the PKCS12 carries the full chain. Before importing, confirm the bundle opens with the export password and lists the expected key and certificate bags: openssl pkcs12 -info -in newserver.pfx -noout.

Now, when SEPM gives you the option to update the server certificate, choose PKCS12 keystore (.pfx or .p12), select the newserver.pfx generated above and enter the export password. You should be good to go.
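The whole procedure end to end, as an added shell example that is not from this page or from Broadcom: it constructs a throwaway CA in place of the internal CA, generates the key and CSR, signs the CSR, packages key, certificate and CA chain into a PKCS12 protected by an export password, and runs the two checks worth doing before the SEPM import (the private key in the bundle matches the certificate; the bundle carries the chain). The CA name, the hostname sepm.example.local, the export password and the working directory are assumptions. The openssl invocations are the same on Windows with openssl.exe and the ..\conf\ssl paths used above.

```shell
#!/bin/sh
# Added example (not from the page or Broadcom): build the PKCS12 bundle SEPM
# imports, then run the checks a practitioner wants before importing.
# A throwaway CA is constructed here so the script runs offline; in real use the
# internal CA signs newserver.csr and returns newserver.cer plus its chain.
set -eu

WORK="${WORK:-$(mktemp -d "${TMPDIR:-/tmp}/sepm-pfx.XXXXXX")}"
EXPORT_PASS="${EXPORT_PASS:-ExportPass123}"   # assumed export password

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

# Constructed stand-in for the internal CA (self-signed root, 30-day validity).
build_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
}

# Key + CSR, the same step as the Broadcom article; -subj replaces the
# openssl.cnf prompts so the run is non-interactive. The CN is an assumed name.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=sepm.example.local" \
    -keyout "$WORK/newserver.key" -out "$WORK/newserver.csr" 2>/dev/null
}

# What the CA does with the CSR: returns the signed newserver.cer.
sign_csr() {
  openssl x509 -req -in "$WORK/newserver.csr" \
    -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -out "$WORK/newserver.cer" 2>/dev/null
}

# The packaging step: -certfile appends the CA chain so the bundle carries it;
# -passout supplies the export password that SEPM will ask for on import.
make_pfx() {
  openssl pkcs12 -export \
    -inkey "$WORK/newserver.key" -in "$WORK/newserver.cer" \
    -certfile "$WORK/ca.cer" \
    -passout "pass:$EXPORT_PASS" -out "$WORK/newserver.pfx"
}

# Pre-import check 1: the private key in the bundle belongs to the server cert
# (compares the RSA moduli). Returns non-zero on mismatch.
pfx_key_matches_cert() {
  cert_mod=$(openssl pkcs12 -in "$WORK/newserver.pfx" -passin "pass:$EXPORT_PASS" \
               -nokeys -clcerts | openssl x509 -noout -modulus)
  key_mod=$(openssl pkcs12 -in "$WORK/newserver.pfx" -passin "pass:$EXPORT_PASS" \
              -nocerts -nodes | openssl rsa -noout -modulus)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Pre-import check 2: number of certificates in the bundle (server cert + chain).
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/newserver.pfx" -passin "pass:$EXPORT_PASS" -nokeys \
    | grep -c 'BEGIN CERTIFICATE'
}

build_test_ca
make_key_and_csr
sign_csr
make_pfx
pfx_key_matches_cert && echo "key matches certificate in $WORK/newserver.pfx"
echo "certificates in bundle: $(pfx_cert_count)"
```

Against a real internal CA, drop build_test_ca and sign_csr, submit newserver.csr to the CA, and place the returned newserver.cer and the CA chain file where make_pfx expects them; the two checks then tell you, before touching SEPM, that the bundle you are about to import pairs the right key with the right certificate and includes the chain.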

I lost client-server communications. I exported the communication settings and manually imported them on each client to re-establish communications.