Best practices for updating server certificates and maintaining the client-server connection

You may need to update the security certificate in the following situations:
  • You restore a previous security certificate that the clients already use.
  • You want to use a different security certificate than the default certificate (.JKS).
When clients use secure communication with the server, the server certificate is exchanged between the server and the clients. This exchange establishes a trust relationship between the server and clients. When the certificate changes on the server, the trust relationship is broken and clients no longer can communicate. This problem is called orphaning clients.
Use this process to update either one management server or multiple management servers at the same time.
The table "Steps to update server certificates" lists the steps to update the certificate without orphaning the clients that the server manages.
Steps to update server certificates

Step 1: Break the replication relationship*
    If the management server you want to update replicates with other management servers, break the replication relationship.

Step 2: Disable server certificate verification
    Disable secure communications between the server and the clients. When verification is disabled, the clients stay connected while you update the server certificate.

Step 3: Wait for all clients to receive the updated policy
    Deploying the updated policy may take a week or longer, depending on the following factors:
      • The number of clients that connect to the management server. Large installations may take several days to complete the process because the managed computers must be online to receive the new policy.
      • Some users may be on vacation with their computers offline.

Step 4: Update the server certificate
    Update the server certificate. If you also plan to upgrade the management server, update the certificate first.
    You must restart the following services to use the new certificate:
      • The Symantec Endpoint Protection Manager service
      • The Symantec Endpoint Protection Manager Webserver service
      • The Symantec Endpoint Protection Manager API service (as of version 14)

Step 5: Enable server certificate verification again
    Enable secure communications between the server and the clients again.

Step 6: Wait for all clients to receive the updated policy
    The client computers must receive the policy changes from the previous step.

Step 7: Restore the replication relationship*
    If the management server you updated replicates with other management servers, restore the replication relationship.

* You only need to perform these steps if you use replication in your Symantec Endpoint Protection Manager environment.
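A check worth running between Step 4 (certificate updated, services restarted) and Step 5 (verification re-enabled): confirm from an administrator host that the management server now presents the new certificate rather than the old one before you turn verification back on, otherwise the clients are orphaned as soon as Step 5 takes effect. This is an added example, not Symantec's code; the host name, port and fingerprint values are placeholders, and the fingerprints are assumed to come from the old and new keystores (for example via keytool -list -v on the .JKS file).

```python
"""Verify which certificate a management server is serving during a rollover.

Added example (not part of Symantec's documentation or product).
Assumptions: HOST/PORT point at the management server's TLS port; the
fingerprints are SHA-256 values taken from the old and new keystores.
"""
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of a DER-encoded certificate as colon-separated upper-case hex,
    the same layout keytool prints, so values can be compared directly."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_fingerprint(host: str, port: int) -> str:
    """Fingerprint of the certificate the server actually presents.

    ssl.get_server_certificate does not validate the chain, which is what we
    want here: the new certificate may not be trusted by this host yet.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def rollover_state(served: str, expected_new: str, previous: str) -> str:
    """Classify what the server serves relative to the planned rollover."""
    if served == expected_new:
        return "rolled-over"   # safe to proceed to Step 5
    if served == previous:
        return "still-old"     # services not restarted or wrong keystore
    return "unexpected"        # neither certificate: stop and investigate


if __name__ == "__main__":
    # Placeholders: replace with your server and your own keystore fingerprints.
    HOST, PORT = "sepm.example.internal", 8443
    EXPECTED_NEW = "<fingerprint of new certificate>"
    PREVIOUS = "<fingerprint of old certificate>"
    served = fetch_served_fingerprint(HOST, PORT)
    print(served, rollover_state(served, EXPECTED_NEW, PREVIOUS))
```

Only proceed to Step 5 when the result is "rolled-over"; "still-old" usually means one of the three services was not restarted, and "unexpected" means a different certificate than either keystore holds is being served.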