Best practices for updating server certificates and maintaining the client-server connection
You may need to update the security certificate in the following situations:
- You restore a previous security certificate that the clients already use.
- You want to use a different security certificate than the default certificate (.JKS).
When clients use secure communication with the server, the server certificate is exchanged between the server and the clients. This exchange establishes a trust relationship between the server and clients. When the certificate changes on the server, the trust relationship is broken and clients no longer can communicate. This problem is called orphaning clients.
Use this process to update either one management server or multiple management servers at the same time.
The following table lists the steps to update the certificate without orphaning the clients that the server manages.
Step 1: Break the replication relationship*
If the management server you want to update replicates with other management servers, break the replication relationship. See:
Step 2: Disable server certificate verification
Disable secure communications between the server and the clients. When you disable the verification, the clients stay connected while the server updates the server certificate. See:
Step 3: Wait for all clients to receive the updated policy
The process of deploying the updated policy may take a week or longer, depending on the following factors:
For more information, see:
Step 4: Update the server certificate
Update the server certificate. If you also plan to upgrade the management server, upgrade the certificate first. See:
You must restart the following services to use the new certificate:
Step 5: Enable server certificate verification again
Enable secure communications between the server and the clients again. See:
Step 6: Wait for all clients to receive the updated policy
The client computers must receive the policy changes from the previous step.
Step 7: Restore the replication relationship*
If the management server you updated replicates with other management servers, restore the replication relationship. See:
* You only need to perform these steps if you use replication in your
Symantec Endpoint Protection Managerenvironment.