How best to customize the certificates and encryption methods used by the Symantec Endpoint Protection Manager (SEPM) to secure client-server communications.

Managing Certificates

• To ensure clients don't lose connectivity to their managers when replacing SEPM certificates, follow the process outlined in Update the server certificate on Endpoint Protection Manager without breaking communication.
• Always use the Manage Server Certificate wizard in the SEPM console to update, or generate a new server certificate. Using the wizard updates settings and files that may be missed by manual methods.

Certificate Keys

Follow any organizational or governmental requirements for key usage, and ensure you use a minimum 2048-bit SHA256RSA key. The larger the key used, the more difficult it is to brute force, but larger keys take significantly longer to generate, and require more CPU time.

The SEPM uses a 2048-bit SHA256RSA keypair by default and supports keys up to 8192 bits.

Note: current versions of SEPM 14 require a manual change to support keys larger than 2048 bits. See Failed to Connect to Server error when logging into management console for more information.

Certificate Authority Signing

When replacing the built in self-signed certificate on your manager with a Certificate Authority (CA) signed certificate, work with your Certificate Authority (CA) to generate a new, CA signed certificate with your organization's information instead of exporting a Certificate Signing Request (CSR) from the default self-signed certificate. Be sure you are aware of any organizational or compliancy requirements governing the use of certificates in your environment before generating a CA signed certificate. Some common questions you should be able to answer before generating your certificate(s) are:

1. Are there any specific requirements regarding private key length?
2. Are there any specific requirements regarding signature algorithms?
3. Are there any specific requirements regarding signature key algorithms?
4. Can the Common Name (CN) field contain wildcards (*)?
5. Can certificates contain IP addresses in the CN field, or as Subject Alternative Name (SAN) entries?
6. Can certificates be signed by intermediary Certificate Authorities (CAs)?
7. Are certificates required to be cross-signed?