Symantec recommends using the HTTPS protocol to secure communications between the Symantec Endpoint Encryption Management Server and deployed SEE clients. In order to secure these communications, an SSL Certificate is needed.

This article covers the basic process for creating an SSL Certificate suitable for use with Symantec Endpoint Encryption (SEE) version 11.x.

NOTE: The same process can be used with previous versions of SEE as well. The user interfaces and exact steps may differ slightly depending on the OS hosting the SEE Management Server, but the general steps are the same.

Skip to the bottom of this article for Troubleshooting.

The protocol used for communication can be configured using the SEEMS Configuration Manager. The Web Server Configuration page will allow you to choose from HTTP or HTTPS. If HTTPS is chosen, a CA Certificate and a Server Certificate will need to be configured. This article will include instructions for creating the files needed for this configuration.

When the SEE client is built from the SEE Management Server, the Root\Signing certificate is embedded in the client. Because of this, it is very important to choose the proper certificate strategy, as this is the certificate that will be used to communicate with the SEE Management Server.

When the Signing certificate or Server certificate expires, the SEE client will stop communicating, so it is important to ensure these certificates are replaced prior to expiration. If the Root\Signing certificate is going to expire, either a new SEE Client should be re-deployed after the new certificates are assigned to the management server, or the "Server commands" are used prior to the certificates expiring.

This article will go over two sections, one for OpenSSL and the second for CSR via IIS.

Section 1: Creating and Completing the CSR with OpenSSL

If you would like to use OpenSSL to create the CSR, run the following command:

```
openssl req -newkey rsa:2048 -keyout New-Server-Keypair.key -out CSR-to-give-to-CA.crt
```

This will prompt you for all the applicable fields for the certificate, including a passphrase. Be sure to remember the passphrase and to keep it secure for later.

The New-Server-Keypair.key contains the private key. Do **not** provide this to your Certificate Authority.

The CSR-to-give-to-CA.crt file is only a public portion of the cert and this **is** what you provide to your Certificate Authority. They will provide a fully signed certificate back in .cer format, which will include the CA signed portion along with the full chain.

In order to then bundle the signed CSR to your private key, run the following openssl command:

```
openssl pkcs12 -export -in signed-CSR-from-CA.crt -inkey New-Server-Keypair.key -out certificate.pfx
```

The signed-CSR-from-CA.crt file is what you received back from the CA and is the signed request. The New-Server-Keypair.key file is the keypair you generated from the previous steps. The certificate.pfx will be the result of combining the signed certificate and the .key file into a bundled certificate that can then be used.

The .pfx file can then be taken to your SEE Management Server and imported to the certificate store. Next, export the public portion of this newly-signed certificate, which you can then assign to the SEE Management Server.

1. Decide which kind of Certificate Authority (CA) will sign your certificate

TIP: Read through the rest of this document for other general best practices.

- Certificate Authorities such as Digicert.
- Internal Microsoft Certificate Authority.

Having a Trusted Certificate Authority is the best option to use as these are all internally trusted automatically. Having an Internal Microsoft Certificate Authority also works well as long as the signing certificate is trusted on an enterprise level by machines joined to the domain.

WARNING: Using Self-Signed certificates is highly discouraged due to the loss of communication that occurs when the certificate expires and no option to renew. It is handy to use a self-signed certificate for testing purposes only, but once you move to production, ensure the self-signed certificate is not used. When the certificate expires, the SEE clients will no longer communicate with the SEE Management Server.

2. Open the Server Certificates section in Internet Information Services (IIS) on the server hosting the Symantec Endpoint Encryption Management Server

After opening IIS, select your server in the left pane, and double-click Server Certificates in the center pane.

3. Skip to the appropriate section depending on which type of Certificate Authority was chosen
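
The bundling step in Section 1 and the expiry warnings suggest two checks before a .pfx reaches the SEE Management Server: that the CA's reply matches the private key, and that the certificate is not close to expiry. The script below is an added example, not part of the original article or of Symantec's tooling; the function names, the 30-day default (`MIN_DAYS`), PEM-encoded inputs and the self-signed sample generator are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): checks to run before bundling the
# CA's reply and the private key into a .pfx. File roles follow the article;
# function names and the 30-day default are assumptions. Inputs are PEM.

# Succeeds when the certificate carries the same public key as the private key.
# $1 = certificate, $2 = private key, $3 = key passphrase source (e.g. env:KEY_PASS)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate expires within $2 days (or cannot be read).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Bundle only a matching certificate that is not close to expiry.
# $1 = certificate, $2 = key, $3 = output .pfx, $4 = key passphrase source,
# $5 = export password source
bundle_pfx() {
    cert_matches_key "$1" "$2" "$4" || {
        echo "refusing: certificate and key do not match or cannot be read" >&2
        return 1
    }
    if expires_within "$1" "${MIN_DAYS:-30}"; then
        echo "refusing: certificate expires within ${MIN_DAYS:-30} days" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passin "$4" -passout "$5"
}

# Constructed test material only: a passphrase-protected key plus a self-signed
# certificate standing in for the CA's reply. $1 = directory, $2 = name, $3 = days.
# Reads the key passphrase from the exported KEY_PASS variable.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days "$3" -subj "/CN=seems.example.test" -passout env:KEY_PASS 2>/dev/null
}
```

Passphrases are given as OpenSSL password sources such as `env:KEY_PASS`, which keeps them off the command line.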