Upgrading Default 1024-bit Encryption Certificates to 2048-bit Encryption Certificates for SCSP

Article:HOWTO77126  |  Created: 2012-06-11  |  Updated: 2014-03-12  |  Article URL http://www.symantec.com/docs/HOWTO77126
Article Type
How To


Support for 2048-bit keys was introduced in Openssl 0.9.7, and certificates of this type will therefore work with SCSP 5.2.4 and later. However, since SCSP 5.2.9, the keys will be generated with a SHA256 hash. This is not supported until Openssl 0.9.8. They will therefore not work on versions of SCSP prior to 5.2.6 in which Openssl 0.9.8n was introduced.

In order to create 2048-bit certificates on an SCSP 5.2.9 server to be compatible with SCSP 5.2.4 agents, you would need to add the following switch to the command lines mentioned below:

“-sigalg SHA1withRSA”.


To create new encryption keys (certs) for the SCSP server, the following preparation should occur:
1.    Copy the original cert files to a safe location.  These files can be found in:

%programfiles%\Symantec\Critical System Protection\server


2.    Save a copy of server.xml found in:
%programfiles%\Symantec\Critical System Protection\server\tomcat\conf
From the server.xml file, record the value for keystorepass, it will be an alphanumeric string of 40 characters

3.    Record the Common Name (CN) parameter.  For an SCSP server, this value will always be  SCSP_Management_Server  

4.    Record the hostname of the SCSP server, this will be used to fill in the OU parameter

5.    Locate the following third-party tools found in the SCSP installation folder:
keytool.exe, found in:
%programfiles%\Symantec\Critical System Protection\server\jre\bin

6.    openssl.exe, found in:
%programfiles%\Symantec\Critical System Protection\Server\tools


New Key Generation:

Notes about the steps below:
•    The storepass and the keypass options are taken from the server.xml
•    When using keytool.exe, specify the dname on the command-line to prevent keytool from prompting for each value on the command line
•    The OU should be entered in all uppercase
•    This process creates a self-signed certificate without a CA trusted authority, this is the same configuration as your original SCSP installation
•    The larger keysize will likely affect server performance, especially if already heavily loaded.

The following steps will generate a 2048-bit RSA key for agent-manager communication:

1.    From a command line, access the keytool utility by navigating to:
%programfiles%\Symantec\Critical System Protection\server\jre\bin
Copy server-cert.ssl to this location

2.    Via the command line, enter the following:
keytool.exe -delete -keystore server-cert.ssl -alias sss -storepass [40 character alpha-numeric string found in server.xml]

3.    Via the command line, enter the following:
keytool.exe -genkey -keystore server-cert.ssl -alias sss -keyalg RSA -sigalg SHA1withRSA -keysize 2048 -storepass [40 character alpha-numeric string found in server.xml] -keypass [40 character alpha-numeric string found in server.xml] -dname "CN=SCSP_Management_Server, OU=[SCSP server hostname]"

4.    Via the command line, enter the following:
keytool.exe -export -v -keystore server-cert.ssl -alias sss -rfc -file exported-cert.crt  -storepass [40 character alpha-numeric string found in server.xml]

5.    Copy exported-cert.crt to [SCSP manager install path]\server\tools

6.    Via the command line, navigate to [SCSP install path]\server\tools and locate openssl.exe

7.    Via the command line, enter the following (from [SCSP install path]\server\tools):
openssl x509 -out agent-cert.der -outform DER -in exported-cert.crt
When running this command, a WARNING message may be generated, this message can be ignored.

8.    Via the command line, enter the following:
openssl x509 -in agent-cert.der -inform DER -text -out agent-cert.pem -outform PEM
When running this command, a WARNING message may be generated, this message can be ignored.

9.    Rename the output file, agent-cert.pem, to agent-cert.ssl


Replacing Existing Certificates with new 2048-bit Certificates


SCSP Management Server

1.    Stop the SCSP management service

2.    Replace the original server-cert.ssl  found in
%programfiles%\Symantec\Critical System Protection\server
with the new certificates created in keytool

3.    Replace the original agent-cert.ssl  found in:
%programfiles%\Symantec\Critical System Protection\server
with the renamed agent-cert.ssl created by openssl

4.    Restart the SCSP management service

Special note:
Assuming server.xml is not changed, and the new keystore, cert and keystore passwords match what's already in the server.xml, then the new certificate will automatically be used with the console and you should be asked at next console login to accept the new certificate.  If not asked, then remove the siscerts file from the console's certificate store:


which is usually:

%programfiles%\Symantec\Critical System Protection\Console\certs\siscerts

After this file is removed, start the console and you'll then be asked to accept the new certificate you generated.


SCSP Agent on Primary SCSP Server

1.    Copy the newly created agent-cert.ssl to:
 "%programfiles%\Symantec\Critical System Protection\server"

2.    Update Agent to use new agent-cert.ssl with this command (forces use of new agent-cert.ssl file):
sisipsconfig -c agent-cert.ssl

3.    Test connection from command prompt:
sisipsconfig –t

NOTE: ON Windows systems, sisipsconfig works from:
"%programfiles%\Symantec\Critical System Protection\agent”
NOTE: On UNIX systems, sisipsconfig works from /opt/Symantec/scspagent/ips

Article URL http://www.symantec.com/docs/HOWTO77126

Terms of use for this information are found in Legal Notices