Endpoint Protection

Hey there!

As the topic says, updating the SEPM certificate AFTER updating it with this guide:

http://www.symantec.com/connect/articles/sep121-creating-and-using-3rd-party-ca-signed-cert-client-communications

Results in an error [0x840d0000] but is still succesfull.

Any idea on that error code? I havent found anything yet.

What version of SEPM is for? Where did this error show up? On the Admin >> Servers section?

Yeah, what Brian said ;-D

I don't recall encountering this error when I wrote the article, so any more info you can provide would be useful.  In addition to the info requested by Brian, could you also advise what kind of cert you're using, and have you tried restricting it's use to only client comminications (i.e. not applying it to the Reporting part of apache)?

That thrown by WMI, check the windows event log

you might find something, if there is nothing  then it might be cosmetic issue.Not to worry :)

Its in SEPM 12.1.5

I can easily reproduce the error, its a sure win every time :)

Im using a CA signed certificate, signed by our own PKI.

Its the same certificate im using both places, as for the apache and the SEPM Application.

Theres no entry in the Windows Event Log, as its inside the SEPM Application the error occurs.

Cant see any log entry in the SEPM logs anywhere..

And it still is succesfull...

Secondly, anyone who can explain me what the difference is in updating the certificate from the SEPM Console, and updating the certificate in the apache\conf\ssl folder (Having to update the certificate 2 places) compared to updating SEPM Console with a self signed certificate (Which replaces the one in the apache folder aswell) ??

The first option also results in 2 different certificate pop-ups which i have to acknowledge

Second option only results in 1..

Best regards

Error code : 0x840d0000 stands for Invalid certificate format.

its in a *.crt format, well its saved as a *.crt format when i retrieved it from our CA after it got issued.

But if its invalid, then why does it accept it anyways? :)
 

Essentially, the certs are linked but can be different.

The certs used by apache (and changed in my article) are merely copies of the cert generated by the SEPM during installation.  As copies, it's possible to change these with minimal/manageable impact (as per my article).

The original cert, used by the tomcat component and managed by the "Manage Server Certificate" wizard, is more ingrained and affects various aspects of the SEPM (from signing content to encrypting some bits in the DB).  When you update this, the SEPM automatically updates the copies used by apache.

Without access to the cert itself, we can't really advise why the SEPM is returning an error.  Perhaps you could try loading this cert into IIS to test, or try creating a brand-spanking new one (as this is signed by your internal CA anyway)?

Thank you for the feedback people :)

I "Fixed" the certificate error issue, by saving the CA Signed certificate as a *.DER format.

The SEPM applicaiton accepted the certificate without any issues.