Respond to an Endpoint Protection Manager certificate compromise
Last Updated August 27, 2018
The private key for your Symantec Endpoint Protection Manager (SEPM) certificate may have been compromised, and you need the recommended steps to secure your environment.
To maintain the integrity of your Public Key Infrastructure (PKI) you must assume any suspected compromise of your manager's private key is legitimate. Steps must be taken to replace the certificate on compromised managers as soon as possible.
Generating a new default self-signed certificate
If your manager is configured to use the default self-signed certificate, you will need to generate a new certificate, with a new public/private key pair.
Open a command prompt window and change directories to \Symantec Endpoint Protection Manager\jre\bin.
Enter the following command:
keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias tomcat -keystore keystore.jks -storepass <your password> -validity 3680 -keysize 2048
You will be prompted for the following:
first and last name (The Fully Qualified Domain Name (FQDN) or hostname of your manager computer)
organizational unit (default: ESG)
organization (default: Symantec Corporation)
City or Locality (default: Mountain View)
State or Province (default: CA)
country code (default: US)
At the prompt, confirm your answers are correct, type yes and press the Enter key.
When prompted to "Enter key password for <tomcat>", press the Enter key to utilize the same keystore password you specified in the command-line above.
This command will output the public/private key pair and certificate as a Java keystore file called keystore.jks in the \Symantec Endpoint Protection Manager\jre\bin folder.
Note the name, location and keystore password for future reference.
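The following PowerShell script is an added example, not part of the Symantec article: it runs the same keytool command non-interactively (supplying the article's DN defaults with -dname), records the fingerprint of the compromised certificate for your incident record, and then checks that the new keystore really holds a different key pair with the expected signature algorithm and subject. The install root, the use of keystore.jks and alias tomcat in jre\bin, and reusing the keystore password as the key password are assumptions; adjust them to your manager.

```powershell
# Added example, not from the Symantec article: generate the replacement
# Tomcat key pair non-interactively and verify the result before trusting it.
# Assumptions (adjust to your environment): the install root below, the
# keystore file keystore.jks, alias "tomcat", and the DN defaults from the article.
param(
    [string]$SepmHome = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager',
    [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$ErrorActionPreference = 'Stop'
$bin       = Join-Path $SepmHome 'jre\bin'
$keytool   = Join-Path $bin 'keytool.exe'
$keystore  = Join-Path $bin 'keystore.jks'
$dname     = "CN=$Fqdn, OU=ESG, O=Symantec Corporation, L=Mountain View, ST=CA, C=US"
$secure    = Read-Host -Prompt 'Keystore password' -AsSecureString
$storepass = [System.Net.NetworkCredential]::new('', $secure).Password

# SHA-256 fingerprint of the "tomcat" entry in a keystore, or $null if absent.
function Get-TomcatFingerprint([string]$Path) {
    if (-not (Test-Path $Path)) { return $null }
    $out = & $keytool -list -v -keystore $Path -storepass $storepass -alias tomcat | Out-String
    if ($out -match '(?m)^\s*SHA256:\s*([0-9A-F:]+)') { return $Matches[1] }
    return $null
}

# 1. Record the compromised certificate's fingerprint, then move the old
#    keystore aside (keep it for the incident record; do not delete evidence).
$oldFp = Get-TomcatFingerprint $keystore
if ($oldFp) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Move-Item $keystore "$keystore.compromised-$stamp"
    Write-Host "Old fingerprint (revoke/distrust this): $oldFp"
}

# 2. Same parameters as the article's command; -dname suppresses the prompts.
& $keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias tomcat `
    -keystore $keystore -storepass $storepass -keypass $storepass `
    -validity 3680 -keysize 2048 -dname $dname
if ($LASTEXITCODE -ne 0) { throw "keytool failed with exit code $LASTEXITCODE" }

# 3. Verify: a new key pair (different fingerprint), the right signature
#    algorithm, and the manager's FQDN as the subject.
$newFp = Get-TomcatFingerprint $keystore
if (-not $newFp)       { throw 'No "tomcat" entry found in the new keystore' }
if ($newFp -eq $oldFp) { throw 'Fingerprint unchanged: the key pair was NOT rotated' }
$detail = & $keytool -list -v -keystore $keystore -storepass $storepass -alias tomcat | Out-String
if ($detail -notmatch 'Signature algorithm name:\s*SHA256withRSA') { throw 'Unexpected signature algorithm' }
if ($detail -notmatch "Owner:.*CN=$([regex]::Escape($Fqdn))")     { throw 'Subject CN is not the manager FQDN' }
Write-Host "New keystore: $keystore`nNew fingerprint (SHA-256): $newFp"
```

Keep the renamed .compromised-* file and the old fingerprint with your incident notes; the old fingerprint is what you distrust on clients and in any monitoring that pins the manager certificate.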
Obtaining a new Certificate Authority (CA) signed certificate
If you updated your manager with a CA-signed certificate, you will need to contact the certificate issuer for assistance in doing both of the following: generating a new, uncompromised public/private key pair, and revoking the compromised certificate.