What types of digital certificates are supported by the Symantec Endpoint Protection Manager?

Article:TECH161487  |  Created: 2011-06-02  |  Updated: 2012-03-13  |  Article URL http://www.symantec.com/docs/TECH161487
Article Type
Technical Solution


Digital certificates are the industry standard for authenticating and encrypting sensitive data. To prevent information from being read as it passes through routers in the network, you need to encrypt the data. Therefore you need a digital certificate for use with the HTTPS protocol.

As part of this secure procedure, the server identifies and authenticates itself with a server certificate. Symantec uses the HTTPS protocol for the communication between all the servers, clients, and optional Enforcers in a network.

You must also enable encryption on Symantec Endpoint Protection Manager so that the server identifies and authenticates itself with a server certificate. If you do not enable this option, then the installation of a digital certificate is not effective.


SIG files are not updated for existing groups and not published for new ones after updating Endpoint Protection Manager certificate

"Invalid private key file" or "Invalid keystore file" errors when updating Endpoint Protection Manager certificate.


Invalid certificate type, or invalid certificate signature algorithm


The management server supports the following certificate file formats. As of SEP 12.1 all certificates must be signed with an RSA-based digital signature:

  • JKS keystore file (.jks) -- public certificate and private key stored in one file
    A Java tool that is called keytool.exe generates the keystore file. Symantec supports only the Java Key Standard (JKS) format. The Java Cryptography Extension (JCEKS) format requires a specific version of the Java Runtime Environment (JRE). The management server supports only a JCEKS keystore file that is generated with the same version as the Java Development Kit (JDK) on the management server. The keystore must contain both a certificate and a private key. The keystore password must be the same as the key password.
  • PKCS12 keystore file (.pfx and .p12) -- another format in which public certificate and private key are stored in one file
  • Public certificate and private key in separate files (DER or PEM format)
    Symantec supports unencrypted (public) certificates and private keys in the DER or the PEM format. PKCS8-encrypted private key files are not supported.

NOTE: As of SEP 12.1, the Manager requires that its certificates be signed with an RSA-based digital signature (e.g. "MD2 with RSA", "MD5 with RSA", or "SHA.1 with RSA"). Earlier versions of SEPM did not have this restriction, and an upgraded SEPM will continue to use whatever certificate it was given. However, after a disaster recovery onto a cleanly installed SEP 12.1 Manager, the certificate wizard will not allow the old certificate to be re-imported. For a list of some signature types, see http://en.wikipedia.org/wiki/Digital_signature#Some_digital_signature_algorithms
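A pre-import check for the two constraints above (RSA-based certificate signature, no PKCS8-encrypted private key), as an added example that is not Symantec code. It assumes that "RSA-based" corresponds to the PKCS#1 OID arc 1.2.840.113549.1.1 and that the private key file is PEM-encoded; the function names are illustrative and the two sample inputs are constructed certificate-shaped DER skeletons, not real certificates.

```python
import base64, re
PKCS1_ARC = "1.2.840.113549.1.1."   # assumption: "RSA-based" = PKCS#1 "<hash> with RSA" OIDs

def _tlv(buf, pos):  # read one DER TLV at pos; return (tag, value_start, value_end)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _to_der(data):  # accept PEM or DER certificate bytes, return DER
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def signature_oid(cert):  # dotted OID of Certificate.signatureAlgorithm
    der = _to_der(cert)
    _, start, _ = _tlv(der, 0)              # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)        # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, s, e = _tlv(der, alg_start)        # its first element must be the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    body = der[s:e]
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def import_problems(cert, key):  # reasons from the article to expect a rejected import
    problems = []
    oid = signature_oid(cert)
    if not oid.startswith(PKCS1_ARC):
        problems.append("signature algorithm %s is not RSA-based" % oid)
    if b"BEGIN ENCRYPTED PRIVATE KEY" in key:   # PEM header of a PKCS8-encrypted key
        problems.append("private key is PKCS8-encrypted")
    return problems

def skeleton_cert(oid_body):  # constructed input: DER carrying only a signatureAlgorithm
    alg = b"\x06" + bytes([len(oid_body)]) + oid_body + b"\x05\x00"
    inner = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(inner)]) + inner

SHA1_RSA = skeleton_cert(bytes.fromhex("2a864886f70d010105"))   # 1.2.840.113549.1.1.5
DSA_SHA1 = skeleton_cert(bytes.fromhex("2a8648ce380403"))       # 1.2.840.10040.4.3
```

An empty list from `import_problems` means neither of the two constraints was violated; it does not validate the certificate chain or the key itself.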

You may want to back up the information about the certificate as a safety precaution. If the management server is damaged or you forget the keystore password, you can then easily retrieve the password from the backup.


Supplemental Materials

Value: 2326987, 2323127

SIG files are not updated for existing groups and not published for new ones after updating certificate with DSA private key
