A Symantec Endpoint Protection Manager (SEPM) website secured with Extended Validation (EV) certificate does not display green address bar.
An EV certificate is a certificate used for HTTPS websites and software that proves the legal entity controlling the web site or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA). A site using a certificate without EV is still secure, but the URL and security status in the browser address bar (padlock icon) willl be displayed plainly, in gray or black. Clicking on the padlock will display a question mark, i.e. in Internet Explorer (IE). A site with an EV certificate should display green status, with company's name beside the padlock and a green checkmark when clicked in IE. See other browser examples at https://www.digicert.com/ssl-support/code-to-enable-green-bar.htm
Symantec Endpoint Protection Manager
Various web browsers
No errors; certificate trust is otherwise OK.
If a browser is not displaying a green EV address for a secure SEPM web site (or any other secure site) and the site's certificate is OK otherwise, this is normally an issue with the web browser or the machine where the browser is running. This is not a problem with the SEPM itself or the hosting site.
Verify that the SEPM is using an EV certificate. A site certificate from an EV issuer should have a "Certificate Policies" extension with an Object Identifier (OID) that can be linked to the root CA. It may be that the site certificate is actually not from such an issuer and has no such Certificate Policies extension or is missing the proper OID. See Wikipedia's article for examples of EV OIDs.
Otherwise check the web browser and the browser's trusted certificate store. Try different web browsers; some browsers do not support EV. Compatible web browsers perform EV by comparing a site's certificate against EV data in the browser's trusted root CA certificate store. These OIDs are not a standard property of root CA certificates and are hardcoded in most browsers and cannot be viewed or changed. Internet Explorer is an exception, referencing an "Extended Validation" property which is Windows-specific and can be viewed (and edited) in the Windows certificate store. For example, when viewing the "DigiCert High Assurance EV Root CA" certificate details in the Window store there should be an "Extended Validation" property with OID 2.16.840.1.114412.2.1. You may also click "Edit Properties" and view/add/remove OIDs under an "Extended Validation" tab. It may be that a CA certificate has been re-imported into a machine's store and the EV property has been dropped and can be added again manually to restore green EV status in IE for that machine when visiting sites using certificates issued from that CA.
Subscribing will provide email updates when this Article is updated. Login is required.