Digital certificates are the industry standard for authenticating endpoints and encrypting sensitive data. To prevent information from being read as it passes through routers on the network, you must encrypt the data in transit, which in practice means using the HTTPS protocol with a digital certificate.
As part of this secure handshake, the server identifies and authenticates itself with a server certificate. Symantec uses HTTPS for communication between all servers, clients, and optional Enforcers in a network.
You must also enable encryption on Symantec Endpoint Protection Manager so that the server identifies and authenticates itself with its server certificate. If you do not enable this option, installing a digital certificate has no effect.
Invalid certificate type, or invalid certificate signature algorithm
The management server supports the following certificate file formats:
- JKS keystore file (.jks) -- public certificate and private key stored in one file
A Java tool called keytool.exe generates the keystore file. Symantec supports only the Java Key Standard (JKS) format. The Java Cryptography Extension (JCEKS) format requires a specific version of the Java Runtime Environment (JRE): the management server supports only a JCEKS keystore file that was generated with the same version as the Java Development Kit (JDK) on the management server. The keystore must contain both a certificate and a private key, and the keystore password must be the same as the key password.
- PKCS12 keystore file (.pfx and .p12) -- another format in which public certificate and private key are stored in one file
- Public certificate and private key in separate files (DER or PEM format)
Symantec supports unencrypted (public) certificates and private keys in the DER or the PEM format. PKCS8-encrypted private key files are not supported.
As of SEP 12.1, the Manager additionally requires that its certificates use an RSA-based digital signature algorithm. Earlier versions of SEPM did not have this restriction, and an upgraded SEPM continues to use whatever certificate it was given. However, if disaster recovery is performed onto a cleanly installed SEP 12.1 Manager, the certificate wizard does not allow the old certificate to be re-imported.
The RSA-based signature algorithm and the file formats above are the only SEP requirements. Other choices are up to the customer and depend on the cryptographic strength desired. For example, MD2, MD5, SHA-1, and SHA-2* are hash algorithms of different strengths, and SEP supports all of them as long as they are used with RSA. *SHA-2 is a family of algorithms that includes SHA-224, SHA-256, SHA-384, and SHA-512.
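As an added example (not Symantec's code or tooling), the following stdlib-only Python pre-flight check covers the separate-file DER/PEM case and catches the two conditions described above before the certificate wizard does: a signature algorithm that is not RSA-based, and a private key that is PKCS8-encrypted. All function names are hypothetical, and the certificate and key values at the bottom are constructed ASN.1 stubs carrying real algorithm OIDs, not real certificates.

```python
import base64

# PKCS#1 signature OIDs (MD2/MD5/SHA-1/SHA-2 with RSA): the combinations SEPM accepts
RSA_SIG_OIDS = {"1.2.840.113549.1.1." + n for n in ("2", "4", "5", "11", "12", "13", "14")}

def _tlv(d, pos):  # read one DER tag-length-value; return (tag, value_start, value_end)
    tag, length, pos = d[pos], d[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F; length, pos = int.from_bytes(d[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _oid(raw):  # decode a DER OBJECT IDENTIFIER value into dotted form
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80: parts.append(str(val)); val = 0
    return ".".join(parts)
def to_der(blob):  # accept a PEM block or raw DER; return DER bytes
    if not blob.lstrip().startswith(b"-----BEGIN"):
        return blob
    return base64.b64decode(b"".join(l for l in blob.splitlines() if not l.startswith(b"-----")))
def cert_signature_oid(cert):  # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    d = to_der(cert)
    _, p, _ = _tlv(d, 0)    # enter the outer Certificate SEQUENCE
    _, _, p = _tlv(d, p)    # skip tbsCertificate
    _, p, _ = _tlv(d, p)    # enter signatureAlgorithm (an AlgorithmIdentifier SEQUENCE)
    tag, s, e = _tlv(d, p)  # its first element is the algorithm OID
    return _oid(d[s:e]) if tag == 0x06 else ""
def key_is_unencrypted(key):
    # PKCS#8 EncryptedPrivateKeyInfo opens with a SEQUENCE; PrivateKeyInfo and RSAPrivateKey open with an INTEGER version
    if key.lstrip().startswith(b"-----BEGIN") and (b"ENCRYPTED" in key.split(b"\n", 1)[0] or b"Proc-Type: 4,ENCRYPTED" in key):
        return False
    d = to_der(key)
    return _tlv(d, _tlv(d, 0)[1])[0] == 0x02
def check_pair(cert, key):  # reasons the certificate wizard would reject the pair; empty list means OK
    problems, oid = [], cert_signature_oid(cert)
    if oid not in RSA_SIG_OIDS:
        problems.append(f"signature algorithm {oid or 'unknown'} is not RSA-based")
    if not key_is_unencrypted(key):
        problems.append("private key is PKCS8-encrypted")
    return problems

# Constructed stand-ins, not real certificates: a stub tbsCertificate wrapped with the genuine OID bytes
# for sha256WithRSAEncryption (RSA-based) and for ecdsa-with-SHA256 (not RSA-based).
def _enc(tag, body):  # short-form DER length is enough for these tiny stubs
    return bytes([tag, len(body)]) + body
def _stub_cert(oid_bytes):
    return _enc(0x30, _enc(0x30, b"\x02\x01\x02") + _enc(0x30, _enc(0x06, oid_bytes) + b"\x05\x00") + _enc(0x03, b"\x00" * 9))
RSA_CERT_DER = _stub_cert(bytes.fromhex("2a864886f70d01010b"))
ECDSA_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(
    _stub_cert(bytes.fromhex("2a8648ce3d040302"))) + b"-----END CERTIFICATE-----\n")
PLAIN_KEY_DER = _enc(0x30, b"\x02\x01\x00")  # PrivateKeyInfo carrying only version 0
ENC_KEY_PEM = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMAA=\n-----END ENCRYPTED PRIVATE KEY-----\n"
```

Run check_pair on the real certificate and key files (read as bytes) before starting the wizard; an empty list means the pair passes the signature-algorithm and key-encryption checks, though the wizard still validates the rest of the certificate.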