- Follow the Broadcom article how to Use a signed certificate with Endpoint Protection Manager. I followed this article to generate CSR. https://knowledge.broadcom.com/external/article/176335/use-a-signed-certificate-with-endpoint-p.html. It works out well up to this point. You can use the .csr file to request signed certificate from the internal CA where you download .cer file.
openssl.exe req -config ..\conf\ssl\openssl.cnf -new -sha256 -key ..\conf\ssl\newserver.key -out ..\conf\ssl\newserver.csr
2. Update the server certificate on the management server without breaking communications with the client. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/managing-the-client-server-connection-v26173180-d15e3300/Configuring-management-servers-and-the-server-client-connection/best-practices-for-updating-server-certificates-an-v57845489-d15e3587/update-the-server-certificate-on-the-management-se-v57256809-d15e4328.html
3. Updating or restoring a server certificate. https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/managing-the-client-server-connection-v26173180-d15e3300/Configuring-management-servers-and-the-server-client-connection/best-practices-for-updating-server-certificates-an-v57845489-d15e3587/updating-or-restoring-a-server-certificate-v7641581-d15e3981.html
Broadcom does not provide information as to how to package the certificate file (newserver.cer) with the key file (newserver.key) for import. SEPM will except the following certificate types for import: Jks keystore, PKCS12 keystore(.pfx or .p12) or Certificate and Private Key file.
Make sure CA signed newserver.cer file is copied into the same directory as our key (newserver.key)file.
We need to package the certificate file (newserver.cer) and the key file (newserver.key) into a PKCS12 (newserver.pfx) file that we can import into SEPM.
Use the following command, enter the key file password when prompted and then create a new export password when prompted. The export password will be used when we import the file into SEPM certificate upgrade.
opnessl pkcs12 -inkey ..\conf\ssl\newserver.key -in ..\conf\ssl\newserver.cer -export -out newserver.pfx.
Now, when you are given the option to update server certificate, choose PKCS12 keystore (.pfx or .p12), choose the newserver.pfx generated above and enter the password. You should be good to go.
I lost the client server communications. I exported communication settings and manually imported to each clients to re-established the communications.