Endpoint Protection

  • 1.  Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM

    Posted Dec 09, 2014 03:47 AM

    Hey people.

    I've been looking everywhere for some kind of information on how to create a self-signed certificate for secure client communication between the SEPM server and the SEP client with a key length of 2048 (not the default 1024).

    Anyone that can guide me in the correct direction?

    We don't want to use a CA-signed certificate for this because of our CA policy (2 year duration on certificates).

    I got the web server certificate handled just fine, which is signed by our own CA.

    Just need assistance on how to change the default key length on the SEPM self-signed certificate.

    Best Regards



  • 2.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM
    Best Answer

    Posted Dec 09, 2014 03:50 AM

    Does this help?

    Responding to Symantec Endpoint Protection Manager certificate compromises

    Article: TECH216584 | Created: 2014-04-10 | Updated: 2014-04-18 | Article URL: http://www.symantec.com/docs/TECH216584

    See the thread below:

    https://www-secure.symantec.com/connect/forums/upgrade-endpoint-protection-1024-bit-certificates



  • 3.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM

    Posted Dec 09, 2014 03:59 AM

    Thank you. I'll try it out :)



  • 4.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM

    Posted Dec 09, 2014 04:36 AM

    Any documentation on the maximum key length?



  • 5.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM

    Posted Dec 09, 2014 04:57 AM

    Oh.. I noticed something..

    The certificate generated by the command:

    keytool -genkey -keyalg RSA -alias tomcat -keystore keystore.jks -storepass <your password> -validity 3680 -keysize 2048

    Replaces the certificate on the web part as well?

    I thought it was 2 different certificates:

    1 for the web server and 1 for the secure client communication?

    But it's the same certificate all the way?

    Best regards



  • 6.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM

    Posted Dec 09, 2014 04:57 AM

    I am searching to see if I can find any document.

    As per the document, it shows a key size of 2048 bit.



  • 7.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM
    Best Answer

    Posted Dec 09, 2014 04:59 AM

    Yes, both are of the same CA.

    Follow the steps in "Updating the server certificate on an Endpoint Protection Manager without breaking client-server communications" to update your manager with the new certificate.

    Obtaining a new Certificate Authority (CA) signed certificate

    If you updated your manager with a CA-signed certificate, you will need to contact the certificate issuer for assistance in doing both of the following: generating a new, uncompromised public/private key pair, and revoking the compromised certificate.

    Follow the steps in "Updating the server certificate on an Endpoint Protection Manager without breaking client-server communications" to update your manager with the new certificate.



  • 8.  RE: Change key length to 2048bit or higher for self signed certificate for secure client communication on SEPM

    Posted Dec 09, 2014 06:54 AM

    Thanks for the feedback, James.

    I didn't know that it was the same certificate for both functions :)

    We have updated our certificate with a signed certificate from our own PKI.

    Thanks for clearing it up for me :D

    Best Regards