OK, here is what I have been able to do..... and it seems to work... at least for my needs and PCI compliance.
Backup your original .jks files and the Apache SSL files.
Create a new keystore in a temp folder; make sure you use the same password that Symantec assigned to your current keystore (you can find it in the server.xml file):
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg sha256withRSA -validity 1875 -keystore c:\test\keystore.jks -storepass <password>
Once created, export the self-signed certificate:
keytool -export -v -rfc -alias tomcat -file C:\test\server.crt -keystore c:\test\keystore.jks -storepass <password>
If you want, you can import the original self-signed cert that Symantec created when you installed the software; I'm not sure it is needed, but I imported it and gave it the alias tomcat2.
Then export the private key from your new keystore. This will be an encrypted private key:
keytool -v -importkeystore -srckeystore c:\test\keystore.jks -srcalias tomcat -destkeystore c:\test\server.p12 -deststoretype PKCS12
I took that .p12 file and converted it to a private key file, which was still encrypted:
openssl pkcs12 -in c:\test\server.p12 -nocerts -out c:\test\server_orig.key
So I decrypted that:
openssl rsa -in c:\test\server_orig.key -out c:\test\server.key
Now I had my .crt and my .key files....
For the .crt file I had to strip out the
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
lines.
Stop the two Symantec services:
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager Webserver
Copy the server.crt and server.key files to:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
Copy the keystore.jks to:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
and
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin
Then start the two services above...
Now the SEPM Java console works fine once this is done, no issues.... and my client systems have all gone green and online.
The web console is not working quite as well; I'm not sure why, but the first 3 (Home, Monitors and Reports) do not show up. The others do.
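The procedure above, as one PowerShell script (an added example, not code from the original post or from Symantec). It follows the post's steps in order: back up the originals, build the new keystore with the same password, export the certificate, pull the private key out through PKCS#12 and OpenSSL, strip the PEM header and footer lines from the .crt as the post does, then stop the services, drop the files in place and start them again. It skips the optional tomcat2 import. Assumptions not stated in the post: keytool.exe is taken from SEPM's bundled JRE, openssl.exe is on PATH, the certificate subject in -dname is a placeholder, and the two services are looked up by the display names the post gives. Passwords are handed to keytool and openssl through an environment variable rather than on the command line, so they do not show up in process listings.

```powershell
# Added example, not from the original post. Automates the post's SEPM
# certificate replacement steps. Assumptions: keytool.exe in SEPM's bundled
# JRE, openssl.exe on PATH, the -dname subject below, and service display
# names as given in the post.
$ErrorActionPreference = 'Stop'

$Sepm    = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$Keytool = Join-Path $Sepm 'jre\bin\keytool.exe'   # assumption: bundled JRE
$Work    = 'C:\test'
$Backup  = Join-Path $Work ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
$Targets = @(
    (Join-Path $Sepm 'tomcat\etc\keystore.jks'),
    (Join-Path $Sepm 'jre\bin\keystore.jks'),
    (Join-Path $Sepm 'apache\conf\ssl\server.crt'),
    (Join-Path $Sepm 'apache\conf\ssl\server.key')
)

# Keystore password from server.xml. keytool/openssl read it from the
# environment (":env" / "env:" modifiers) instead of the command line.
$env:KEYSTORE_PASS = Read-Host -Prompt 'Keystore password from server.xml'

New-Item -ItemType Directory -Force -Path $Work, $Backup | Out-Null

# 1. Back up the original .jks and Apache SSL files
foreach ($t in $Targets) { if (Test-Path $t) { Copy-Item $t $Backup } }

# 2. New keystore, same password as the old one, 2048-bit RSA / SHA-256 self-signed
& $Keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -validity 1875 -keystore "$Work\keystore.jks" -storepass:env KEYSTORE_PASS `
    -keypass:env KEYSTORE_PASS -dname 'CN=sepm.example.local'   # assumed subject

# 3. Export the self-signed certificate as PEM
& $Keytool -export -rfc -alias tomcat -file "$Work\server.crt" `
    -keystore "$Work\keystore.jks" -storepass:env KEYSTORE_PASS

# 4. Export the key pair to PKCS#12 so OpenSSL can read the private key
& $Keytool -importkeystore -srckeystore "$Work\keystore.jks" -srcalias tomcat `
    -srcstorepass:env KEYSTORE_PASS -destkeystore "$Work\server.p12" `
    -deststoretype PKCS12 -deststorepass:env KEYSTORE_PASS

# 5. Encrypted PEM key out of the .p12, then remove the passphrase for Apache
openssl pkcs12 -in "$Work\server.p12" -nocerts -out "$Work\server_orig.key" `
    -passin env:KEYSTORE_PASS -passout env:KEYSTORE_PASS
openssl rsa -in "$Work\server_orig.key" -out "$Work\server.key" -passin env:KEYSTORE_PASS

# 6. Strip the BEGIN/END CERTIFICATE lines from the .crt, as the post does
(Get-Content "$Work\server.crt") |
    Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----$' } |
    Set-Content "$Work\server.crt"

# 7. Stop both services, install the new files, start them again
$Services = Get-Service -DisplayName 'Symantec Endpoint Protection Manager',
                                     'Symantec Endpoint Protection Manager Webserver'
$Services | Stop-Service -Force

Copy-Item "$Work\server.crt", "$Work\server.key" (Join-Path $Sepm 'apache\conf\ssl')
Copy-Item "$Work\keystore.jks" (Join-Path $Sepm 'tomcat\etc')
Copy-Item "$Work\keystore.jks" (Join-Path $Sepm 'jre\bin')

# server.key is now an unencrypted private key on disk: restrict who can read it
icacls (Join-Path $Sepm 'apache\conf\ssl\server.key') /inheritance:r `
    /grant:r 'SYSTEM:(R)' 'Administrators:(F)' | Out-Null

$Services | Start-Service
Remove-Item Env:\KEYSTORE_PASS
```

Run it from an elevated PowerShell on the SEPM host. The icacls step is not in the post; it is there because the decrypted server.key the post produces is readable by anyone who can read the apache\conf\ssl folder, and the backup folder under C:\test holds the old key material too, so clean both up once the console and clients check out.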