Endpoint Protection

  • 1.  Endpoint protection manager 12.1 certificates requirements

    Posted Jun 05, 2015 02:28 PM

    Hi everybody.

    I'd like to know whether Symantec Endpoint Protection Manager 12.1.x has any requirements for the custom certificate it accepts in Admin -> Servers -> [click on specific server] -> Manage Server Certificate -> Update the server certificate, especially for PKCS#12 stores.

    In particular:

    - must the certificate be a CA?

    - is there a required hash (or a minimum and a maximum)?

    - is there a required string mask setting (like the openssl string_mask option, i.e. default, utf8only, etc.)?

    - is there a required key length (1024, 2048, ...)?

    Such questions arose from the fact that in the past two weeks I tried countless times to update the certificates without success. The syntax I used to build the pkcs12 was the following:

    openssl pkcs12 -export -in xyz.crt -inkey xyz.key -certfile hk.pem -name "Symantec Endpoint Protection" -out symantecserver.p12

    Each time, after trying the upgrade, the console rejected it with the following error: "request contents invalid" (as in the attachment). I tried everything (changing hash, string mask, key length, etc.) except the solution that I finally found: do not include the parent certificate in the package! (However, I'd like to know whether this is the right way to solve the issue...)

    With the following command, everything was fine:

    openssl pkcs12 -export -in xyz.crt -inkey xyz.key -name "Symantec Endpoint Protection" -out symantecserver.p12

    However, my questions remain valid, above all the first one: to work properly (i.e. to properly encrypt the communications between SEPM and SEP clients), must the certificate be a CA? The question stems from the doubt that, being a CA, SEPM could create a specific certificate for each client.

    As a last question, is there a thorough way to debug SEPM when certificates are rejected?

    Thanks to everybody,

    Diego



  • 2.  RE: Endpoint protection manager 12.1 certificates requirements

    Posted Jun 05, 2015 02:33 PM

    See if this helps

    About server certificates



  • 3.  RE: Endpoint protection manager 12.1 certificates requirements

    Posted Jun 08, 2015 01:49 PM

    Hi Brian,

    Unfortunately, I had already used that documentation, which is clear but IMHO quite trivial and generic.

    Thanks,

    Diego



  • 4.  RE: Endpoint protection manager 12.1 certificates requirements

    Posted Jun 09, 2015 04:26 AM

    Regarding your primary question, the certificate (like the self-signed one generated by default) does not need to be signed by a trusted Certificate Authority.

    Using a trusted certificate, however, does allow you to tick the "Verify Certificate..." option in the Management Server List for client communications.



  • 5.  RE: Endpoint protection manager 12.1 certificates requirements

    Posted Jun 11, 2015 12:39 PM

    Hi SMLatCST,

    Indeed, the question was different: must the certificate be a CA? I.e. a self-signed certificate is usually a CA (in OpenSSL the options nsCertType=sslCA, emailCA and basicConstraints = CA:true enforce it), and it can in turn be used to sign other certificates (secondary CAs or final client or server certificates). In the case of SEPM, must its certificate be a CA (whether signed by a trusted certification authority or not), or is a normal SSL server certificate just fine? Internally, does SEPM create a different certificate for each client, signed with its own certificate, to encrypt communications (thus using the CA ability to sign other certificates)?

    Thanks,

    Diego



  • 6.  RE: Endpoint protection manager 12.1 certificates requirements

    Posted Jun 12, 2015 04:36 AM

    It's just a normal SSL cert.  The article below shows what it's used for (at no point does it mention any creation or signing of client-specific certificates):

    http://www.symantec.com/docs/TECH210852
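
An added example, not from this thread and not Symantec's code, that reproduces the two openssl pkcs12 forms from post 1 against a throwaway CA and a plain (CA:FALSE) server certificate of the kind post 6 describes, then inspects what actually ended up in each PKCS#12 file: certificate count, CA flag, key size and signature hash. The CA name, the hostname sepm.example.internal, the file names and the password "changeit" are assumptions for the demonstration; only openssl is required.

```shell
#!/bin/sh
# Added example (not from the thread, not Symantec's code). Builds a throwaway
# CA plus an ordinary TLS server certificate, packages the server cert as
# PKCS#12 the two ways shown in the thread, and inspects the result. The CA
# name, the host sepm.example.internal, file names and the password "changeit"
# are assumptions for the demonstration.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS=changeit

make_certs() {
    # Throwaway issuing CA: the only certificate here that asserts CA:TRUE.
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/hk.pem" 2>/dev/null

    # Ordinary server certificate: CA:FALSE, serverAuth, SAN for the console host.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=sepm.example.internal" \
        -keyout "$WORK/xyz.key" -out "$WORK/xyz.csr" 2>/dev/null
    cat > "$WORK/srv.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:sepm.example.internal
EOF
    openssl x509 -req -in "$WORK/xyz.csr" -CA "$WORK/hk.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/xyz.crt" 2>/dev/null
}

build_p12() {
    # Form the poster reports as rejected: issuing CA bundled via -certfile.
    openssl pkcs12 -export -in "$WORK/xyz.crt" -inkey "$WORK/xyz.key" -certfile "$WORK/hk.pem" \
        -name "Symantec Endpoint Protection" -passout "pass:$PASS" -out "$WORK/with-chain.p12"
    # Form the poster reports as accepted: leaf certificate and key only.
    openssl pkcs12 -export -in "$WORK/xyz.crt" -inkey "$WORK/xyz.key" \
        -name "Symantec Endpoint Protection" -passout "pass:$PASS" -out "$WORK/leaf-only.p12"
}

# Number of certificates inside a PKCS#12 file: what the importer actually receives.
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Does a PEM certificate assert CA:TRUE? Prints yes/no.
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# RSA modulus size in bits and the signature algorithm of the leaf certificate.
leaf_key_bits() {
    openssl x509 -in "$WORK/xyz.crt" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
leaf_sig_alg() {
    openssl x509 -in "$WORK/xyz.crt" -noout -text | sed -n 's/^ *Signature Algorithm: \(.*\)/\1/p' | head -n 1
}

make_certs
build_p12
echo "certificates in with-chain.p12: $(p12_cert_count "$WORK/with-chain.p12")"   # 2
echo "certificates in leaf-only.p12:  $(p12_cert_count "$WORK/leaf-only.p12")"    # 1
echo "issuer hk.pem is a CA: $(cert_is_ca "$WORK/hk.pem"); leaf xyz.crt is a CA: $(cert_is_ca "$WORK/xyz.crt")"
echo "leaf key: $(leaf_key_bits) bits; signature: $(leaf_sig_alg)"
```

The -certfile form yields a bag with two certificates, the leaf-only form one; running `openssl pkcs12 -in file.p12 -info -nokeys` before uploading shows exactly what the console will be asked to import. One caveat when repeating this today: OpenSSL 3 encrypts PKCS#12 bags with AES-256-CBC and PBKDF2 by default, which older Java keystore readers cannot parse, so a 2015-era importer may need the file built with `openssl pkcs12 -export -legacy ...` (or explicit `-certpbe`/`-keypbe`/`-macalg` options) rather than the defaults.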