Update the server certificate on the management server without breaking communications with the client

Symantec Endpoint Protection Manager uses a certificate to authenticate communications between it and the Symantec Endpoint Protection clients. The certificate also digitally signs the policy files and installation packages that the clients download from it. The clients store a cached copy of the certificate in the management server list. If the certificate is corrupted or invalid, the clients cannot communicate with the server. If you disable secure communications, the clients can still communicate with the server, but they no longer authenticate communications from the management server. While that setting is off, clients accept policies and packages from the server without verifying who sent them, so re-enable secure communications as soon as the clients have received the new certificate.
You disable secure communications to update the certificate in the following situations:
  • A site with a single Symantec Endpoint Protection Manager
  • A site with more than one Symantec Endpoint Protection Manager, if you cannot enable failover or load balancing
If the certificate is corrupted but otherwise still valid, you can perform disaster recovery as a best practice.
After you update the certificate and the clients check in and receive it, enable secure communications again.
When you update the certificate on a site with multiple management servers and use failover or load balancing, the certificate updates on the management server list. During the process of failover or load balancing, the client receives the updated management server list and the new certificate.
Steps 1 through 5 apply only to version 14 and later. If you use 12.x, start with step 6.
  1. To update the server certificate on a single management server site without breaking communications with the client, in the console, click Policies > Policy Components > Management Server Lists.
  2. Under Tasks, click Copy the List, and then click Paste List.
  3. Double-click the copy of the list to edit it, and then make the following changes:
    • Click Use HTTP protocol.
    • For each server address under Management Servers, click Edit, and then click Customize HTTP port. Leave it at the default of 8014, or enter your custom port if you use one.
  4. Click OK, and then click OK again.
  5. Right-click the copy of the list, and then click Assign.
  6. On the console, click Clients > Policies > General.
  7. On the Security Settings tab, uncheck Enable secure communications between the management server and clients by using digital certificates for authentication, and then click OK.
  8. Wait at least three heartbeat cycles after making this change on all groups before you move to step 9.
    Make sure that you also configure this setting for the groups that do not inherit from a parent group.
  9. Update the server certificate.
  10. Click OK.
    To reenable the original settings, wait at least three heartbeat cycles, recheck Enable secure communications between the management server and clients by using digital certificates for authentication, and then reassign the original management server list back to your groups.
  11. To update the server certificate on a multi-management server site without breaking communications with the client, in the console, ensure that your clients are configured to load balance or fail over to at least one other Symantec Endpoint Protection Manager.
    If you cannot enable load balancing or failover, use the single management server site procedure (steps 1 through 10) to first disable and then reenable secure communications.
    Due to a change in the communication module, client versions 14.2.x cannot use this method to update the server certificate. To avoid breaking communication with these clients, use the single management server site procedure for these client versions, even for multi-management server sites.
  12. Update the server certificate on Symantec Endpoint Protection Manager.
  13. Wait at least three heartbeat cycles, and then update the server certificate on the next Symantec Endpoint Protection Manager on the site.
  14. Repeat steps 12 and 13 until each Symantec Endpoint Protection Manager on the site has the new certificate.
    Users who are out of the office or on leave may not receive these updates because their device is offline. Many institutions run the failover method for 30 days or more to catch as many out-of-office clients as possible. You may want to leave one Symantec Endpoint Protection Manager running with the old certificate for 90 days to ensure that those users are not orphaned.
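Both procedures above depend on knowing, at each step, which certificate every management server is actually presenting: before you reenable secure communications in step 10, and between steps 12 and 13 on a multi-server site. The following script is an added example written for this page, not Symantec's code, that fetches the certificate each server serves and compares its SHA-256 fingerprint with the new certificate's. It assumes the servers answer TLS on port 8443 (the page names only the HTTP port 8014; change PORT if your HTTPS port differs) and that the certificate may be self-signed, so it deliberately performs no chain validation. The host names and certificate bytes in offline_demo are constructed for illustration.

```python
"""
sepm_cert_check.py: track a server-certificate rollout across management servers.

Added example for this page, not Symantec's code. Assumptions not stated on
the page: each Symantec Endpoint Protection Manager answers TLS on PORT
(8443 here), and the server certificate may be self-signed, so the script
does NOT validate a chain; it only compares the SHA-256 fingerprint of the
certificate each server presents against the new certificate's fingerprint.
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, Iterable

PORT = 8443  # assumption: HTTPS port of the management server


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ab:cd:..' or 'abcd..' in any case; return upper-case hex, no separators."""
    return fp.replace(":", "").replace(" ", "").upper()


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER-encoded certificate bytes, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def fingerprint_of_file(path: str) -> str:
    """Fingerprint of a certificate file (PEM or DER), e.g. the new certificate you installed."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.lstrip().startswith(b"-----BEGIN"):
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii"))
    return cert_fingerprint(data)


def fetch_server_cert_der(host: str, port: int = PORT, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate a TLS server presents, without validating it.

    Validation is off on purpose: the goal is to learn which certificate the
    server is serving (old or new), so an untrusted or self-signed certificate
    must not abort the check. Nothing else is done with the connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def rollout_status(servers: Iterable[str], expected_fp: str,
                   fetch: Callable[[str], bytes] = fetch_server_cert_der) -> Dict[str, str]:
    """Map each server to 'new', 'old' or 'unreachable: <reason>'."""
    expected = normalize_fingerprint(expected_fp)
    status: Dict[str, str] = {}
    for host in servers:
        try:
            presented = cert_fingerprint(fetch(host))
        except OSError as exc:  # socket errors, timeouts and ssl.SSLError all derive from OSError
            status[host] = f"unreachable: {exc}"
            continue
        status[host] = "new" if presented == expected else "old"
    return status


def safe_to_reenable(status: Dict[str, str]) -> bool:
    """True only when every checked server serves the new certificate."""
    return bool(status) and all(state == "new" for state in status.values())


def offline_demo() -> Dict[str, str]:
    """Exercise rollout_status with constructed byte strings standing in for DER certificates."""
    new_der = b"constructed bytes standing in for the NEW certificate"
    old_der = b"constructed bytes standing in for the OLD certificate"

    def fake_fetch(host: str) -> bytes:  # constructed: one server updated, one lagging, one down
        if host == "sepm-b.example":
            raise OSError("connection refused")
        return new_der if host == "sepm-a.example" else old_der

    return rollout_status(["sepm-a.example", "sepm-b.example", "sepm-c.example"],
                          cert_fingerprint(new_der), fetch=fake_fetch)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print("usage: sepm_cert_check.py NEW_CERT_FILE_OR_SHA256 HOST [HOST ...]")
        sys.exit(2)
    ref = sys.argv[1]
    cert_exts = (".pem", ".cer", ".crt", ".der")
    expected = fingerprint_of_file(ref) if ref.lower().endswith(cert_exts) else ref
    result = rollout_status(sys.argv[2:], expected)
    for host, state in result.items():
        print(f"{host:40} {state}")
    print("all servers serve the new certificate" if safe_to_reenable(result)
          else "NOT all servers serve the new certificate yet")
```

Run it with the new certificate file (or its fingerprint) and the list of management servers after each update; a server still reporting "old" has not taken the new certificate, and an "unreachable" server should be investigated before you continue. The check tells you what each server is serving, not what the clients have cached, which is why the procedure still requires waiting the three heartbeat cycles before you reenable secure communications or move to the next server.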