
How to install the proper SSL certificate into the SEPM server?

Created: 18 Jul 2012 • Updated: 23 Jul 2012 | 14 comments
This issue has been solved. See solution.

Hi All,

Does anyone know how to install the SSL certificate that my company has (from Thawte) to secure the SEPM web console?


Mithun Sanghavi's picture

Hello,

For instructions to add the security certificate to Internet Explorer, see the Symantec Technical Support knowledge base article, How to add the self-signed certificate for Symantec Protection Center or Symantec Endpoint Protection Manager to Internet Explorer.

You may need to accept the self-signed certificate that is required by Symantec Endpoint Protection Manager.

See Accepting the self-signed certificate for Symantec Endpoint Protection Manager.

Logging on to the Symantec Endpoint Protection Manager console http://www.symantec.com/docs/HOWTO55401

Also, check this article:

Symantec Endpoint Protection 12.1: Enabling SSL Between the Manager and Clients

http://www.symantec.com/docs/TECH162326

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Dushan Gomez's picture

Hi Mithun,

I'm using SEPM v11.0.6 server, not version 12 yet.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

SMLatCST's picture

You cannot change the SSL Certificate used to access the SEPM Console.  The only way around the "untrusted certificate" message is to download and install the SEPM's self-signed one generated during installation ("Thumbs Up" to VJWare btw!)

Mithun's article is on applying SSL to the comms between your SEP clients and the SEPM.  Client communications use a separate port and web server within the SEPM, which is why this one can use a trusted cert.

Dushan Gomez's picture

OK, so in this case, if I understand correctly, I cannot reuse the existing SSL certificate owned by my domain in SEPM?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

SMLatCST's picture

...on where you want to put the cert.

So you can't use it to replace the cert used to log into the console, but you can use it to encrypt client/server comms.

It's the former that gets the most questions asked about it, and assuming that's what you want, I'm afraid the answer is no.

Dushan Gomez's picture

Hi Elements_Media,

So far I haven't found how to make the SSL certificate encrypt the communication link between the SEPM and the client or my laptop when accessing the web management console.

If you found one, can you please update me as well?

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

SMLatCST's picture

The communications used when accessing the SEPM's web console are encrypted.  This traffic is encrypted using the SEPM's own self-signed certificate (and therefore untrusted by your machines by default), which is the reason behind the certificate warnings you receive.

You don't need to do anything to add SSL encryption for console access, it is already there.

SOLUTION
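
Added example, not part of any post in this thread: when the SEPM's self-signed certificate is downloaded and installed to clear the browser warning, its SHA-256 fingerprint can first be compared with the value read on the SEPM server itself. The host and port passed to `fetch_pem` are placeholders to fill in, and the two sample certificates are constructed byte strings, not real certificates.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex, no separators."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex as copied from a cert viewer."""
    cleaned = "".join(c for c in fp if c not in ": -\t\n").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def matches_pin(pem: str, expected_fp: str) -> bool:
    """True only if the PEM certificate hashes to the recorded fingerprint."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hmac.compare_digest(fingerprint(der), normalize(expected_fp))


def fetch_pem(host: str, port: int) -> str:
    """Fetch whatever certificate the server presents, without validating it.
    host and port are assumptions: use your own SEPM console address."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-ins so the example runs offline (not real certificates).
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes, not a real certificate")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed bytes for a different certificate")


def demo_pin() -> str:
    """Fingerprint of SAMPLE_PEM in 'AA:BB:..' form, as a cert viewer shows it."""
    h = fingerprint(ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)).upper()
    return ":".join(h[i:i + 2] for i in range(0, 64, 2))


if __name__ == "__main__":
    pin = demo_pin()  # in practice: read this on the SEPM server itself
    print("expected cert matches:", matches_pin(SAMPLE_PEM, pin))
    print("different cert matches:", matches_pin(OTHER_PEM, pin))
```

In real use, replace `SAMPLE_PEM` with the result of `fetch_pem(...)` and import the certificate into the trust store only when `matches_pin` returns `True`.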
Dushan Gomez's picture

SMLatCST,

So in this case I can just safely ignore the red warning in my browser about the untrusted SSL certificate?

Because installing the SSL certificate into the browser doesn't make it any more secure.

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

SMLatCST's picture

The only thing installing the cert does is save you an additional button click to continue to the page.

Ian_C.'s picture

SMLatCST has it correctly.

It is an unfortunate behaviour of browser manufacturers and how SSL certificates are used. SSL encrypts the traffic, it does not authenticate the person/server. Encryption on everything should be the norm in my opinion. Now, getting authentication right, that's a can of worms. Remember, by default your browser trusts every major CA out there. That includes the usual suspects from China & Russia & Nigeria & even Diginotar from Holland. Only with new Windows updates is trusting Diginotar removed. Ideally, your browser should only trust those CAs for websites you regularly visit and know to be legitimate.

Please mark the post that best solves your problem as the answer to this thread.
Dushan Gomez's picture

Yes, now I understand the reason behind it. Thanks all for the explanation and updates.

Cheers !

Dushan Gomez
IT Manager
VCP 4 and 5 | MCITP Exchange Server | MCTS SharePoint Server | MCP Windows XP

 

Elements_Media's picture

Still... to use a self-signed certificate is not a good idea! This is widening the attack surface!