Hi everybody.
I'd like to know if Symantec Endpoint Protection Manager 12.1.x has any requirements for the customized certificate that it accepts in Admin -> Servers -> [click on specific server] -> Manage Server Certificate -> Update the server certificate, especially for PKCS#12 stores.
In particular:
- must the certificate be a CA?
- is there a required hash (or a minimum and maximum)?
- is there a required string mask setting? (like those of the openssl string_mask option, i.e. default, utf8only, etc.)
- is there a required length for keys (1024, 2048...)?
These questions arose from the fact that in the past two weeks I tried countless times to update the certificates without success. The syntax I used to build the PKCS#12 file was the following:
openssl pkcs12 -export -in xyz.crt -inkey xyz.key -certfile hk.pem -name "Symantec Endpoint Protection" -out symantecserver.p12
Each time, after trying the update, the console rejected it with the following error: "request contents invalid" (see attachment). I tried everything (changing hash, string mask, key length, etc.) except the solution that I finally found: do not include the parent certificate in the package! (However, I'd like to know if this is the right way to solve the issue...)
With the following command, everything was fine:
openssl pkcs12 -export -in xyz.crt -inkey xyz.key -name "Symantec Endpoint Protection" -out symantecserver.p12
However, my questions remain valid, above all the first one: to work properly (i.e. to properly encrypt the communications between SEPM and SEP clients), must the certificate be a CA? This question is based on the doubt that maybe, if it were a CA, SEPM could create a specific certificate for each client.
As a last question, is there a thorough way to debug SEPM if certificates are rejected?
Thanks to everybody,
Diego
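The two openssl pkcs12 commands from the post, reproduced as an added example (not part of the original post and not anything SEPM ships) against a throwaway test PKI, with checks that show what each resulting store actually contains. It assumes only the openssl CLI; the file names ca.pem/server.* and the password changeit are constructed stand-ins for hk.pem and xyz.*, and the helper functions (make_test_pki, build_bundle, count_certs, key_bits, leaf_is_ca, friendly_name) are hypothetical names chosen here:

```shell
#!/bin/sh
# Added example, not code from the original post. It rebuilds the two PKCS#12 stores
# the post describes (with and without -certfile) from a throwaway test PKI and
# inspects what each store contains, so the difference can be checked before
# uploading anything to SEPM. Assumes only the openssl CLI; ca.*/server.* are
# hypothetical stand-ins for the post's hk.pem and xyz.*; the password is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PW="pass:changeit"

# make_test_pki: a self-signed test CA plus a CA-signed server certificate (constructed data).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=sepm.example.invalid" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -sha256 -out "$WORK/server.crt" 2>/dev/null
}

# build_bundle MODE: export a PKCS#12 store. MODE "with-chain" adds -certfile (the post's
# rejected command); anything else omits it (the accepted command). Prints the path.
build_bundle() {
    out="$WORK/symantecserver-$1.p12"
    if [ "$1" = "with-chain" ]; then
        openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
            -certfile "$WORK/ca.pem" -name "Symantec Endpoint Protection" \
            -passout "$PW" -out "$out"
    else
        openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
            -name "Symantec Endpoint Protection" -passout "$PW" -out "$out"
    fi
    echo "$out"
}

# count_certs P12: how many certificates the store carries (2 with the chain, 1 without).
count_certs() {
    openssl pkcs12 -in "$1" -passin "$PW" -nokeys 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# key_bits P12: RSA modulus size of the private key stored in the bundle.
key_bits() {
    openssl pkcs12 -in "$1" -passin "$PW" -nocerts -nodes 2>/dev/null \
        | openssl pkey -text -noout \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# leaf_is_ca P12: "yes" if the end-entity certificate asserts basicConstraints CA:TRUE, else "no".
leaf_is_ca() {
    n=$(openssl pkcs12 -in "$1" -passin "$PW" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -text -noout | grep -c 'CA:TRUE' || true)
    if [ "$n" -gt 0 ]; then echo yes; else echo no; fi
}

# friendly_name P12: the alias set with -name, read back from the end-entity cert's bag attributes.
friendly_name() {
    openssl pkcs12 -in "$1" -passin "$PW" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# demo: build both stores and print a one-line summary of each.
demo() {
    make_test_pki
    for mode in with-chain no-chain; do
        p12=$(build_bundle "$mode")
        printf '%s: %s cert(s), RSA %s-bit key, leaf CA:TRUE=%s, friendlyName="%s"\n' \
            "$mode" "$(count_certs "$p12")" "$(key_bits "$p12")" \
            "$(leaf_is_ca "$p12")" "$(friendly_name "$p12")"
    done
}

demo
```

Run it with `sh` from any directory; it writes only into a temporary directory. count_certs is the check worth running on a real bundle before uploading it: it shows directly whether the parent certificate got embedded, which is the one difference between the post's failing and working commands. leaf_is_ca and key_bits answer the CA and key-length questions for the bundle at hand, not for what SEPM requires, which remains the open question of the post.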