SEPM remote console - HTTPS Certificate Mismatched Address Error

  • 1.  SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Mar 31, 2011 11:38 AM

    Hi,

    I am receiving the error "The security certificate presented by this website was issued for a different website's address" when accessing the SEPM console through the remote console link https://something.com:444/console/apps/sepm.

    I assume that this error is due to mismatched remote computer name and server DNS name in current certificate.

    I did locate a few articles regarding a more or less similar subject:

    http://www.symantec.com/business/support/index?page=content&id=HOWTO26914&actp=search&viewlocale=en_US&searchid=1301579026508

    http://www.symantec.com/business/support/index?page=content&id=TECH123518&actp=search&viewlocale=en_US&searchid=1301579026508

    but my concern is that I might break managed client-server communications by following these instructions, and I would really like to avoid any complications and keep things simple if possible. Our SEPM implementation uses a custom HTTPS port defined in the SEPM management server configuration settings, and after further investigation for any certificates and port settings in the IIS admin console I realized that I am unable to find anything regarding our custom HTTPS port, probably because those settings are replicated from SEPM to the Tomcat web server configuration of SEPM.

    Is there a way to fix our HTTPS certificate issues by modifying/updating/re-creating the current HTTPS certificate without interrupting current client communication and the rest of SEPM?

    Thanks



  • 2.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Mar 31, 2011 11:43 AM

    IIS certificate? The one you referred to is for communication between SEPM and client.

    Configuring Endpoint Protection Manager (SEPM) for SSL on Windows 2008

    http://www.symantec.com/business/support/index?page=content&id=TECH134468&key=55357&actp=LIST



  • 3.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Mar 31, 2011 11:58 AM

    Hi,

    I am not 100% sure which certificate is being utilized when accessing the SEPM console remotely through HTTPS from an external IP, but I was referring to that certificate.

    Will that be the same certificate used for client-to-server communication?

    The custom SSL port is already defined through the management server configuration and that is working fine, but the current certificate is giving issues when accessing SEPM using https://something.com:444/console/apps/sepm .



  • 4.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Mar 31, 2011 12:43 PM

    The SEPM operates using two web servers. The internal Tomcat server is used for management, and IIS is used for client communications and reporting.

    The articles you posted are based around client communications, and will not affect the certificate error you receive when accessing the SEPM via the web console (management).

    The certificate attached to the web console is a self-signed cert automatically generated during install and is assigned to the hostname of the SEPM, so the easiest way of getting rid of the error is to web-browse to the SEPM by hostname (not fqdn), and download/import/trust the cert.
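
Added example (not part of the thread and not Symantec code): a small check showing why a certificate bound to the server's short hostname fails browser name validation when the console is reached by its public name, and why a replacement issued for that name passes. The hostname `SEPM01` and both certificate records are constructed for illustration; `something.com` is the placeholder name used in the original post.

```python
# Added illustration. Certificates are constructed samples in the dict format
# returned by ssl.SSLSocket.getpeercert(); "SEPM01" is a hypothetical hostname.

def cert_dns_names(cert):
    """Names a client compares against: SAN dNSName entries, else subject CN."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    # Legacy fallback to the CN; current browsers require a SAN entry instead.
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive label comparison; '*' may only replace the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def check_url_host(cert, host):
    """Return (matches, names_in_cert) for the host part of the console URL."""
    names = cert_dns_names(cert)
    return any(name_matches(name, host) for name in names), names


# Constructed: install-time self-signed certificate bound to the short hostname.
SELF_SIGNED = {"subject": ((("commonName", "SEPM01"),),)}
# Constructed: a replacement certificate issued for the public name.
REPLACEMENT = {"subject": ((("commonName", "something.com"),),),
               "subjectAltName": (("DNS", "something.com"),)}

if __name__ == "__main__":
    for label, cert, host in [("self-signed via FQDN", SELF_SIGNED, "something.com"),
                              ("self-signed via hostname", SELF_SIGNED, "sepm01"),
                              ("replacement via FQDN", REPLACEMENT, "something.com")]:
        ok, names = check_url_host(cert, host)
        print(f"{label}: {'match' if ok else 'MISMATCH'} (certificate names: {names})")
```
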



  • 5.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Mar 31, 2011 01:25 PM

    Is there any way of re-creating or modifying the already installed self-signed certificate without affecting SEPM?

    I would prefer getting rid of the error by replacing the old certificate, as I am soon expecting to have a significant number of users (customers) connecting to the web console.



  • 6.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Mar 31, 2011 09:15 PM

    SMLatCST, connecting to only the hostname over the internet will not be possible. His external customers will need the FQDN.

    Sorry, don't have an answer for the certificate question.



  • 7.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 03:10 AM

    Hi Ian,

    I do have an external IP and FQDN assigned for the SEPM remote console and that is working 100%, but my headache is the certificate...

    Thanks for trying. 



  • 8.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 03:19 AM

    What if you try to access using https://sepm computer fqdn:9090?



  • 9.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 03:40 AM

    That does not make any difference, as my issue lies in the mismatched hostname on the current SEPM certificate, not in HTTPS port settings.



  • 10.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 04:36 AM

    As far as I can tell, there are no articles for changing the self-signed cert used for management console access.

    You can at this point either log a case with Symantec to pursue this further, or change the address you are using when accessing the web console.

    From the sounds of your setup, you will be allowing your external customers access to your own SEPM for purposes of managing (their own?) SEP clients? If this is the case then you can either pre-warn your customers to ignore the warning (this is a stipulated step in some Symantec articles on accessing the web console like http://www.symantec.com/docs/HOWTO27219), or add an entry matching your SEPM's hostname to the relevant external IP into your external machine's hosts file or DNS (not recommended.)

    Finally, you may need to look into reverse proxy servers. A lot of research would be required for this last part, as I'm not too hot on this stuff and am unsure how a reverse proxy would handle accessing a SEPM, and if it would appropriately abstract the cert(s).

    Have fun and let us know how you go!



  • 11.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 10:28 AM

    Yes, you are right, there are no articles related specifically to the SEPM self-signed certificate.

    I will be allowing external customers to manage their own reports and that is why I want to fix this issue before we proceed to that phase.

    I am also not too keen on experimenting with a reverse proxy or adding entries to the hosts file, and before I log a case with Symantec I decided to try something else I have in mind.

    Not sure how much fun it is going to be but I will post end results once everything is completed.



  • 12.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 11:01 AM

    As your intention is to allow your customers access to the reporting functions, you may also want to ensure this bit is using https (reporting uses http by default.)

    The below articles provide information on enabling https on the IIS side of your SEPM:

     

    About using SSL with the reporting functions
    http://www.symantec.com/docs/HOWTO27221
     
    Configuring Endpoint Protection Manager (SEPM) for SSL on Windows 2008
    http://www.symantec.com/docs/TECH134468
     
    Note that an article referenced by the first link actually says this setup is not supported, and that Symantec provide the article for convenience.  Proceed at your own risk!
     
    As I mentioned earlier, both client communications and reporting function through IIS.  Any changes made to IIS will affect client communications.  Going by your OP, this may put a bit of a spanner in the works.
     
    Good luck with this, and let us know how you go.


  • 13.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 01, 2011 11:09 AM

    Thanks so much for the links, they might come in handy, yes.

    I'll let you all know how it went.



  • 14.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error

    Posted Apr 13, 2011 07:14 PM

    Any update available?

    Does this now work? How did you get it working?



  • 15.  RE: SEPM remote console - HTTPS Certificate Mismatched Address Error
    Best Answer

    Posted Apr 14, 2011 03:55 AM

    Hi Ian,

    I finally got it working today, but using a completely custom solution.

    I tried many things in the last few days and not even one was the solution I was looking for, so I decided to try to avoid the Tomcat and self-signed certificate portion of SEP by jumping straight to reporting.

    What I did is that I configured the HTTPS port in IIS, bought a new SSL certificate, and specified all IIS and user data settings in our custom-developed interface specially dedicated to our clients' reports. This interface has its own home page, eliminating the need for the SEP dashboard login screen, which uses Tomcat, and it can access reports directly from IIS.

    Not the easiest solution but it works flawlessly.