Ensure that the SEPM's certificate can be verified by the SEP client. Certificate verification includes the following:
Verification and Error
The SEP client must connect to a hostname included as either a Common Name or Subject Alternative Name in the certificate. If the certificate was issued by a third-party Certificate Authority, the certificate will not include an IP address.
The client will display: error (51) SSL: no alternative certificate subject name matches target host name
To work around this issue, modify the management server list so that the client connects to an address that is valid for the certificate.
The SEP client must trust the root certificate, as well as any intermediate certificate in the certificate path.
The client will display: error (60) SSL certificate problem: unable to get local issuer certificate
If the certificate being used by the SEPM has an intermediate certificate, you can make the following changes to the SEPM configuration to work around the issue:
1. Obtain a copy of the intermediate certificate.
2. Name the file chain.crt, and copy the file to: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl
3. Create a copy of C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\apache\conf\ssl\sslForClients.conf, and open the original file in a text editor.
4. Find the line that reads:
5. Under the line above, add the following line:
6. Save the sslForClients.conf file, and restart the Symantec Endpoint Protection Manager Webserver service.
You will need to make this configuration change on every SEPM that uses a certificate with an intermediate certificate in the certificate path.
You must save the chain.crt file with base64 encoding (ASCII text instead of binary data).
The SEPM does not natively support chained certificates. This configuration could be altered when upgrading.
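For the hostname check behind error (51) above, the following added example (not Symantec code) audits a management server list against the names in the SEPM certificate before the list is deployed. The sample names and addresses are constructed, and the matching rules (exact match, single-label wildcard, IP addresses matched only against IP entries) are the usual TLS hostname verification rules, assumed here to apply to the SEP client.

```python
import ipaddress


def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(address, cert_name):
    """True if one management server address is covered by one certificate name."""
    address = address.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if _is_ip(address) or _is_ip(cert_name):
        # An IP address only matches an identical IP entry, never a DNS name or wildcard.
        return (_is_ip(address) and _is_ip(cert_name)
                and ipaddress.ip_address(address) == ipaddress.ip_address(cert_name))
    if cert_name.startswith("*."):
        # A wildcard covers exactly one leftmost label.
        head, _, rest = address.partition(".")
        return bool(head) and rest == cert_name[2:]
    return address == cert_name


def audit_server_list(addresses, cert_names):
    """Return the addresses that no certificate name covers (expected error 51)."""
    return [a for a in addresses
            if not any(name_matches(a, n) for n in cert_names)]


# Constructed sample data: Common Name / Subject Alternative Names from the
# SEPM certificate, and the addresses in the management server list.
CERT_NAMES = ["sepm01.corp.example", "*.mgmt.example"]
SERVER_LIST = ["sepm01.corp.example", "SEPM02.mgmt.example",
               "10.0.0.15", "sepm01", "a.b.mgmt.example"]

if __name__ == "__main__":
    for address in audit_server_list(SERVER_LIST, CERT_NAMES):
        print(f"{address}: not covered by the certificate (expect error 51)")
```

Any address the audit reports should be replaced in the management server list with a name the certificate actually carries.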