Adding an SSL certificate to trusted collection

Supported browsers warn about a server’s SSL certificate if they cannot verify the certificate.

By default, the McAfee ePO server uses a self-signed certificate for SSL communication with the browser, which the browser does not trust. A warning message displays every time you visit the McAfee ePO console.

To stop this warning message from appearing, do one of the following:

  • Add the McAfee ePO server certificate to the browser's collection of trusted certificates.
      • Add the certificate for every browser that interacts with McAfee ePO. If the browser certificate changes, add the server certificate again.
  • (Recommended) Replace the default McAfee ePO server certificate with a valid certificate signed by a certificate authority (CA) that the browser trusts. You only need to add the certificate once for web browsers in your environment.
      • If the server host name changes, replace the server certificate with a new trusted CA certificate.

For more information, see KB72511.

To replace the McAfee ePO server certificate, you must first obtain the certificate signed by a trusted CA. You must also obtain the certificate’s private key and its password (if it has one). Then you can use all these files to replace the server’s certificate.

The McAfee ePO server expects the server certificate to use these formats: PKCS7, PEM encoded, DER encoded, or PKCS12 file with extensions .cer, .crt, .p12, or .p7b.

The McAfee ePO browser expects the linked files to use PEM for private keys.

If the server certificate or private key is not in one of these formats, convert it to a supported format before replacing the default certificate.

If your organization requires a higher standard of encryption, replace the default SHA-256 certificate with one that uses SHA-384 or higher.
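
A pre-flight check for the replacement described above, as an added example that is not McAfee's own tooling: it converts a PKCS12 bundle into a PEM certificate and a PEM private key with the OpenSSL command line, then confirms that the key belongs to the certificate, reports the signature hash, and checks the host name. The host name, password and file names are constructed placeholders, and the sample bundle is generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example, not McAfee tooling. Host name, password and file names are
# constructed placeholders; requires the openssl command-line tool.
umask 077   # files written below include private keys

# Split a PKCS12 bundle into a PEM certificate and an encrypted PEM private key.
p12_to_pem() {  # BUNDLE PASSWORD OUT_CERT OUT_KEY
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$3" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout "pass:$2" \
        -out "$4" 2>/dev/null
}

# Succeed only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # CERT KEY PASSWORD
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the certificate's signature algorithm, e.g. sha384WithRSAEncryption.
sig_alg() {  # CERT
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeed only if the certificate is valid for the server host name.
matches_host() {  # CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# --- Constructed sample input: a self-signed SHA-384 certificate in a PKCS12 file ---
DEMO=$(mktemp -d); PW='constructed-pass'; HOST='epo.example.test'
trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -sha384 -days 30 -nodes -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -keyout "$DEMO/src.key" -out "$DEMO/src.crt" 2>/dev/null
openssl pkcs12 -export -inkey "$DEMO/src.key" -in "$DEMO/src.crt" \
    -passout "pass:$PW" -out "$DEMO/bundle.p12"

p12_to_pem "$DEMO/bundle.p12" "$PW" "$DEMO/server.crt" "$DEMO/server.key" || echo "conversion failed"
key_matches_cert "$DEMO/server.crt" "$DEMO/server.key" "$PW" && echo "key matches certificate"
echo "signature algorithm: $(sig_alg "$DEMO/server.crt")"
matches_host "$DEMO/server.crt" "$HOST" && echo "certificate covers $HOST"
```

On a shared host, supply the password through OpenSSL's `env:` or `file:` pass phrase sources instead of `pass:`, which is visible in the process list.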