About server certificates

Certificates are the industry standard for authenticating and encrypting sensitive data. To prevent the reading of information as it passes through routers in the network, data should be encrypted.
To communicate with the clients, the management server uses a server certificate. For the management server to identify and authenticate itself with a server certificate, Symantec Endpoint Protection Manager encrypts the data by default. However, there are situations where you must disable encryption between the server and the client.
You may also want to back up the certificate as a safety precaution. If the management server is damaged or you forget the keystore password, you can easily retrieve the password.
The management server supports the following types of certificates:
  • JKS Keystore file (.jks) (default)
    A Java tool that is called keytool.exe generates the keystore file. The Java Cryptography Extension (.jceks) format requires a specific version of the Java Runtime Environment (JRE). The management server supports only a .jceks keystore file that is generated with the same version as the Java Development Kit on the management server.
    The keystore file must contain both a certificate and a private key. The keystore password must be the same as the key password. You can locate the password in the following file:
    SEPM_Install\Server Private Key Backup\recovery_timestamp.zip
    SEPM_Install by default is C:\Program Files\Symantec\Symantec Endpoint Protection Manager. For the 32-bit systems that run 12.1.x, it is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager.
    The password appears in the keystore.password= line.
  • PKCS12 keystore file (.pfx and .p12)
  • Certificate and private key file (.der and .pem format)
    Symantec supports unencrypted certificates and private keys in the .der or the .pem format. PKCS8-encrypted private keys are not supported.
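
A pre-import check for the last certificate type above, as an added example that is not Symantec's code: it reports whether a .pem or .der private key is unencrypted or PKCS8-encrypted before the file is given to the management server. The function names and the sample data (structural stubs, not real keys) are assumptions made for this example.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_der_key(der: bytes) -> str:
    """Classify a DER private-key blob (do not pass a certificate)."""
    if len(der) < 3 or der[0] != 0x30:
        return "unknown"
    # Skip the outer SEQUENCE length: 1 byte (short form) or 1 + n bytes (long form).
    offset = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    if offset >= len(der):
        return "unknown"
    # PrivateKeyInfo and traditional RSA/EC keys begin with INTEGER version (0x02);
    # EncryptedPrivateKeyInfo begins with an AlgorithmIdentifier SEQUENCE (0x30).
    return {0x02: "unencrypted", 0x30: "pkcs8-encrypted"}.get(der[offset], "unknown")

def classify_pem_keys(text: str) -> list:
    """Return (label, verdict) for every private-key block in PEM text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue  # certificate blocks are not keys
        if label == "ENCRYPTED PRIVATE KEY":
            verdict = "pkcs8-encrypted"
        elif "Proc-Type: 4,ENCRYPTED" in body:
            verdict = "legacy-encrypted"  # OpenSSL traditional encryption header
        else:
            verdict = classify_der_key(base64.b64decode("".join(body.split())))
        results.append((label, verdict))
    return results

def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed structural stubs, not real keys: SEQUENCE{INTEGER 0} and SEQUENCE{SEQUENCE{NULL}}.
PLAIN_STUB = bytes.fromhex("3003020100")
ENCRYPTED_STUB = bytes.fromhex("300430020500")
SAMPLE_PEM = (_pem("CERTIFICATE", PLAIN_STUB) + _pem("PRIVATE KEY", PLAIN_STUB)
              + _pem("ENCRYPTED PRIVATE KEY", ENCRYPTED_STUB))

if __name__ == "__main__":
    for label, verdict in classify_pem_keys(SAMPLE_PEM):
        print(f"{label}: {verdict}")
```

Any verdict other than "unencrypted" means the key does not match the unencrypted .der or .pem type that the list describes.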