When you install SEPM, it creates a self-signed certificate that is used for the local Java console as well as the Web Console.
Per this information here:
https://support.symantec.com/en_US/article.TECH210852.html
You can see how things were divided up.
So the self-signed certificate that the Web console uses has a SHA-1 signature. This is no longer PCI compliant.
So I had to replace this certificate, and there is no really easy way to do this, or any documentation that I could find that would show how to do this for version 12.1.x.
So after doing some playing around, I kinda got it working with a new certificate that is SHA512.
Would be glad if anyone could shed any more light on this, but here is what I did.
*******************************************************************************************************************
Updating SSL Certificate for SEPM Web Console
It uses Tomcat to handle the Web Console instance.
https://support.symantec.com/en_US/article.TECH210852.html
First of all, backup your current keystores.
I did both the Apache keystore and the Tomcat keystore.
Tomcat -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc
Apache -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\jre\bin
You will need to access the Tomcat keystore using the keytool.exe program located in the jre\bin folder (where the Apache keystore is).
You will need the password to the Tomcat keystore; it is located at C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml
Stop the two services:
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager Webserver
Delete the current certificate that is in the Tomcat keystore (if this is the first time, then it is the self-signed cert with alias 'tomcat'):
keytool -delete -alias tomcat -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -storepass <your keystore password>
Generate the key for your CSR
keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -storepass <your keystore password>
Generate the CSR
It will ask you questions; the first question will be your first and last name. I would go with the name of your server or the CN (common name).
The other questions are your typical location, Dept., company questions.
keytool -certreq -alias tomcat -keyalg RSA -file c:\ssl_request\tomcat_req.csr -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -storepass <your keystore password>
Submit the CSR you just created to the CA
Get the response and save it to a file, e.g. c:\ssl_request\tomcat_resp.crt
Once you have it saved, you can now import it into your keystore:
keytool -import -alias tomcat -keystore "C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\keystore.jks" -trustcacerts -file c:\ssl_request\tomcat_resp.crt -storepass <your keystore password>
Start the two services:
Symantec Endpoint Protection Manager
Symantec Endpoint Protection Manager Webserver
There is a .bat file called display-cert.bat; it is located in the tomcat\bin folder.
It will access the Tomcat keystore and show you the certs it sees and will use for the Web console.
Now the problem I have run into and have yet to figure out is that the certificate shows as unknown, even though I imported the CA's chain certificate into the store.
And I can log into the web console, but not all the screens work.
So I will have to figure that out.
Maybe because the cert is done with RSA512, and the keystore is not able to understand that. Not sure.
*******************************************************************************************************************
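As an added pre-flight check (example script, not part of the original post or of the SEPM product), this PowerShell snippet backs up the Tomcat keystore, pulls the keystore password out of server.xml rather than having you retype it, and lists every certificate in the store with its signature algorithm and chain length so you can confirm no SHA-1 signed cert is left before and after the swap. It assumes the default SEPM 12.1 install path used in the post above, that keytool.exe lives in jre\bin, and that the HTTPS Connector element in server.xml carries the standard Tomcat keystorePass attribute.

```powershell
# Added example: audit the SEPM Tomcat keystore before/after replacing the Web Console cert.
# Assumptions: default SEPM install path, keytool.exe in jre\bin, and the keystore
# password stored in the HTTPS <Connector keystorePass="..."> attribute of server.xml.
$sepm      = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager'
$keytool   = Join-Path $sepm 'jre\bin\keytool.exe'
$keystore  = Join-Path $sepm 'tomcat\etc\keystore.jks'
$serverXml = Join-Path $sepm 'tomcat\conf\server.xml'

# 1. Take a timestamped backup of the keystore before touching it.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $keystore -Destination "$keystore.$stamp.bak"
Write-Host "Backup written to $keystore.$stamp.bak"

# 2. Read the keystore password from server.xml (first Connector that has keystorePass).
[xml]$xml  = Get-Content -Path $serverXml
$connector = $xml.SelectNodes('//Connector[@keystorePass]') | Select-Object -First 1
if (-not $connector) { throw "No Connector with a keystorePass attribute found in $serverXml" }
$storepass = $connector.keystorePass

# 3. Dump the store and keep only the lines that matter for the SHA-1 / chain question.
$listing = & $keytool -list -v -keystore $keystore -storepass $storepass 2>&1
$listing | Select-String -Pattern 'Alias name|Owner:|Issuer:|Signature algorithm name|Certificate chain length|Valid from'

# 4. Flag any entry still signed with SHA-1 or MD5 (the PCI problem the post describes).
$weak = $listing | Select-String -Pattern 'Signature algorithm name:\s*(SHA1|MD5)'
if ($weak) {
    Write-Warning ("Weak signature algorithm still present:`n" + ($weak -join "`n"))
} else {
    Write-Host 'No SHA-1 or MD5 signed certificates in the Tomcat keystore.'
}
```

Run it once before the keytool -delete step to confirm the backup and record the current state, and once more after the import to verify the new chain and signature algorithm took effect.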