You are no longer able to log into the management console after updating the Symantec Endpoint Protection Manager (SEPM) certificate.
scm-server0/1.log shows:
2016-09-20 15:31:23.367 THREAD 120 SEVERE: in: com.sygate.scm.server.task.SecurityAlertNotifyTask
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
...
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 2048 (inclusive)...
This problem occurs after importing a SEPM certificate with a key pair larger than 2048 bits. The SEPM Java console and Web console both attempt to connect to the SEPM Apache server over HTTPS and fail, because the Apache server is using Diffie-Hellman keys that are equivalent in key length to the SEPM certificate. The Java 8.0 implementation used by the SEPM Tomcat server cannot use DH keys larger than 2048 bits.
This issue is resolved in Symantec Endpoint Protection (SEP) 14 RU1. For more information on upgrading, please see Upgrade or migrate to Endpoint Protection 14.
As a workaround, configure the SEPM Apache server to use a custom Diffie-Hellman parameters file that contains only 2048-bit DH keys.
openssl dhparam -out dhparam.pem 2048
This workaround process will need to be repeated for each SEP Manager.
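The following added example (not Symantec's code) reads the prime size out of a DH parameters PEM file and tests it against the constraint quoted in the log above, so the file can be checked before Apache is pointed at it. The helper names are hypothetical, and the sample parameters are constructed inline with the right bit length but are not real primes.

```python
import base64

def _der_len(n):
    # DER length octets: short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    # Positive INTEGER; the extra byte supplies the leading 0x00 when needed
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def make_dhparam_pem(bits, g=2):
    """Constructed sample: p has the requested bit length but is NOT a real prime."""
    p = (1 << (bits - 1)) | 1
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN DH PARAMETERS-----\n" + b64 + "-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):
    # Return (tag, value bytes, offset of the next element)
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of p in a PKCS#3 'DH PARAMETERS' PEM block."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    der = base64.b64decode("".join(lines))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()

def java8_accepts(bits):
    # Constraint quoted in the SEPM log: multiple of 64, 512 to 2048 inclusive
    return bits % 64 == 0 and 512 <= bits <= 2048

if __name__ == "__main__":
    for size in (2048, 3072, 4096):
        bits = dh_prime_bits(make_dhparam_pem(size))
        print(size, "accepted" if java8_accepts(bits) else "rejected")
```

To check a real file, pass the text of the dhparam.pem produced by the openssl command above to dh_prime_bits().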