Endpoint Protection

  • 1.  Installing Third-Party Certificate for SEPM 12.1

    Posted Dec 08, 2011 04:14 PM

    I am looking for guidance on removing the self-signed certificate used by SEPM 12.1 Web Console and installing a third party certificate from a trusted CA. I haven't found any info online for how to do this in 12.1. There are articles for 11.x when SEPM still used IIS, but nothing for 12.x. Are there procedures for doing this? Installing the self-signed certificate is not an option as this is not a security best practice. Thanks...



  • 2.  RE: Installing Third-Party Certificate for SEPM 12.1

    Posted Dec 09, 2011 12:30 AM

    You can use a third-party certificate from a trusted CA with SEPM 12.1. Please follow the below mentioned steps -

     

    1. Click Start --> Run: CMD<enter>
    Browse to the SEPM\apache\bin directory, the command should be:
    cd "\Program Files\Symantec Protection Center\apache\bin"<enter>
    Enter the following series of commands:
    openssl req -config ..\conf\ssl\openssl.cnf -new -out request.csr -keyout clientserver.pem
     
    NOTE: When asked what is the 'common name', enter the host name of the server. This will allow you to use the "Verify SSL" feature later on if needed.
    openssl rsa -in clientserver.pem -out ..\conf\ssl\clientserver.key
    openssl x509 -in request.csr -out ..\conf\ssl\clientserver.crt -req -signkey ..\conf\ssl\clientserver.key -days 365
     
    Open the sslForClients.conf file which is located at %SEPM%\apache\conf\ssl\sslForClients.conf.
    1. Open %SEPM%\apache\conf\ssl\httpd.conf.
    2. Look for the following line:
    #Include conf/ssl/sslForClients.conf
    Uncomment the line, by deleting # from line:
    #Include conf/ssl/sslForClients.conf
    So the line would look like:
    Include conf/ssl/sslForClients.conf
    Save the file.
    3. Open the sslForClients.conf file.
    Find the two following lines:
    SSLCertificateFile "conf/ssl/server.crt"
    SSLCertificateKeyFile conf/ssl/server.key
     
    Update them to show:
    SSLCertificateFile "conf/ssl/clientserver.crt"
    SSLCertificateKeyFile conf/ssl/clientserver.key
     
    Save and close the sslForClients.conf file.
    Restart Apache. You can either open the services menu and restart Symantec Protection Center Webserver, or you can type net stop/start semwebsrv at the command prompt.
    Now you can log into your SEPM server and create or modify a Management Server List using SSL. The default SSL port for Apache is TCP port 443.
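
An added example, not part of the original thread or of Symantec's documentation: a shell check for the certificate produced by the `openssl` steps in the reply above. `openssl x509 -req -signkey` signs the request with its own key, so the result has the same issuer and subject; the script tells that apart from a certificate a CA issued for the same CSR and confirms the private key matches. The host name, the function names, the `selfsigned.crt`/`casigned.crt` file names and the throwaway test CA are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: function names, host name and the test CA are assumptions.

# True when the certificate is self-signed: issuer equals subject and the
# signature verifies against the certificate's own public key.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when private key $1 and certificate $2 carry the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Build constructed sample material in directory $1.
make_demo_certs() {
  d=$1
  # Key and CSR: non-interactive form of the req step in the post.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sepm.example.test" \
    -keyout "$d/clientserver.key" -out "$d/request.csr" 2>/dev/null
  # The -signkey step from the post: the CSR is signed with its own key.
  openssl x509 -req -in "$d/request.csr" -signkey "$d/clientserver.key" \
    -days 365 -out "$d/selfsigned.crt" 2>/dev/null
  # Throwaway CA standing in for a third-party CA, signing the same CSR.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
    -days 1 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl x509 -req -in "$d/request.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/casigned.crt" 2>/dev/null
}

work=$(mktemp -d)
make_demo_certs "$work"
for c in selfsigned.crt casigned.crt; do
  if is_self_signed "$work/$c"; then kind="self-signed"; else kind="CA-issued"; fi
  key_matches_cert "$work/clientserver.key" "$work/$c" && match=yes || match=no
  echo "$c: $kind, matches clientserver.key: $match"
done
rm -rf "$work"
```

Against a real deployment, point `is_self_signed` and `key_matches_cert` at the files named in the `SSLCertificateFile` and `SSLCertificateKeyFile` lines before restarting Apache.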


  • 3.  RE: Installing Third-Party Certificate for SEPM 12.1

    Trusted Advisor
    Posted Dec 09, 2011 08:43 AM

     

    Hello,

    Please check this Article for SEP 12.1:

    How to install the certificate for Symantec Protection Center or Endpoint Protection Manager in Internet Explorer

    http://www.symantec.com/docs/TECH123686

    Hope that helps!!



  • 4.  RE: Installing Third-Party Certificate for SEPM 12.1

    Posted Dec 12, 2011 10:49 AM
    Thanks....I will check this out. So this will allow us to open the Web Console and utilize the third party certificate? We do not want to use the self-signed certificate which is generating the cert error. I just wanted to make sure we were talking about the same thing. I am not referencing using SSL for client/management server communication. I want the web server certificate to show as valid vice the certificate error when opening up the website URL. Is this what the above response will address? Thanks!


  • 5.  RE: Installing Third-Party Certificate for SEPM 12.1

    Posted Feb 09, 2012 05:07 AM

    I found two issues different from above that solved it for me.
    IIS Folder Permissions on the EPP Web site was set to Basic only; adding Integrated permissions fixed the issue.
    Also, in control panel ODBC, the username and password for the database were blank; the default user name seems to be DBA and the password is what you enter on install.



  • 6.  RE: Installing Third-Party Certificate for SEPM 12.1

    Posted Apr 27, 2012 11:58 AM

    Maybe it is just me, but this seems to be the method to generate a third party certificate for clients, correct?  I do not think that is what tmauro23 was looking for.  I think he was looking for a method to generate a request and then install the third party certificate for the web management console.  This is also what I am looking for.  I would have thought Symantec would have had actual documentation for this, but I cannot find any.