Endpoint Protection Small Business Edition

  • 1.  SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 10:27 AM

    How are the two files server.crt and server.key generated?

    I know that server.crt matches up with the certificate located in the keystore.jks files in both the jre folder and the tomcat folder.

    I want to know how they were generated, so that I can update those certificates and everything still works...

    They are sha1 files, and I want them to be sha256 signed certificates.
     



  • 2.  RE: SEPM 12.1.5 server.crt and server.key files



  • 3.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 10:36 AM

    Regarding the first link.
    Where is this tool they speak of: the Manage Server Certificate wizard in the Symantec Endpoint Protection Manager (SEPM) console?

    I see nothing like that in my console when I log in.



  • 4.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 10:40 AM

    In the SEPM go to the Admin page

    Under Local Site select your server name and under Tasks select Manage Server Certificate
     



  • 5.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 10:51 AM

    In my console I don't have those options you speak of.

     

    I have inserted an image of what I see....



  • 6.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 11:01 AM

    That's because you're running the small business edition (which is end of support life). I believe these steps only apply to the enterprise version.



  • 7.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 11:01 AM

    Are there any upgrades to my product?
    My company just renewed the license on this thing.
     



  • 8.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 11:02 AM

    Are there any steps outlined anywhere that allow you to do manually what the wizard does?



  • 9.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 11:03 AM

    You will need to move to the cloud version (either managed in the cloud or on-prem). Your licensing representative should've gone through this with you.



  • 10.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 12:56 PM

    Roger that



  • 11.  RE: SEPM 12.1.5 server.crt and server.key files

    Posted Aug 17, 2016 02:40 PM

    Ok, here is what I have been able to do.....and seems to work...at least for my needs and PCI Compliance

    Backup your original .jks files and the Apache SSL files.
    Create a new keystore in a temp folder, make sure you use the same password that Symantec assigned to your current keystore (can find it in server.xml file)
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg sha256withRSA -validity 1875 -keystore c:\test\keystore.jks -storepass <password>

    Once created, export the self signed certificate
    keytool -export -v -rfc -alias tomcat -file C:\test\server.crt -keystore c:\test\keystore.jks -storepass <password>

    If you want, you can import the original self signed cert that Symantec created when you installed the software, not sure it is needed.
    But I imported it and gave it the alias tomcat2

    Then export the private key from your new keystore
    This will be an encrypted private key....
    keytool -v -importkeystore -srckeystore c:\test\keystore.jks -srcalias tomcat -destkeystore c:\test\server.p12 -deststoretype PKCS12

    I took that .p12 file and converted it to a private key file, that was encrypted.
    openssl pkcs12 -in c:\test\server.p12 -out c:\test\server_orig.key

    So I decrypted that:
    openssl rsa -in c:\test\server_orig.key  -out c:\test\server.key

    Now I had my .crt and my .key file....
    For the .crt file I had to strip out the
    -----BEGIN CERTIFICATE-----
    and
    -----END CERTIFICATE-----

    Stop the two Symantec Services
    Symantec Endpoint Protection Manager
    Symantec Endpoint Protection Manager Webserver

    Copy the server.crt and server.key files to
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
    Copy the keystore.jks to:
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
    and
    C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin

    Then start the two services above...
    Now the SEPM java console works fine once this is done, no issues....and client systems for me have all gone green and online.
    The web console is not working quite as well, not sure why.
    But the first 3 (home, monitors and reports) do not show up.  The others do.