How to create, sign, and import an SSL certificate signed by a Trusted Certificate Authority

By November 20, 2020Symantec DLP Enforce
You are here:
< Back

Keytool.exe location

  • Windows:
    • 14.x and 15.0: <DRIVE>:\SymantecDLP\jre\bin
    • 15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Server JRE\1.8.0_162\bin\
    • 15.5: <DRIVE>:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181​\bin\
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/jre/bin/
    • 15.1: ​/opt/Symantec/DataLossPrevention/Enforce Server/15.1/jre/bin/
    • 15.5: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin

Note: On Linux, execute ./keytool

.keystore location

  • Windows:
    • 14.x and 15.0: <DRIVE>:​\SymantecDLP\Protect\tomcat\conf\
    • 15.1: <DRIVE>:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf\
    • 15.5: <DRIVE>:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf\
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
    • 15.1: ​/opt/Symantec/DataLossPrevention/Enforce Server/Protect/tomcat/conf
    • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/Protect/tomcat/conf​


  • In Linux, all commands must be executed as root.
  • In Windows, all commands need to be executed via CLI with Admin access.
  • Command to see the hidden “.keystore” file: ls -la
  • As per the DLP Admin Guide (p. 151 in 15.7 version), the Tomcat store uses a X.509 certificate must be provided in Distinguished Encoding Rules (DER) format – which is a .cer file.
  • The instructions below involve chained certs, when the Root or Intermediate CAs are required – i.e., “the Signed” certificate. The format of using a .p7b file therefore applies in that instance – otherwise, the cert is unsigned, and one would simply import the .cer file.


  1. Back up existing keystore.
    • Windows command:  copy <14.x/15.0/15.1/15.5 file path>\.keystore <14.x/15.0/15.1/15.5 file path>\keystore.bkup
      • 14.x and 15.0: C:\Protect\tomcat\conf
      • 15.1: ​C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\Protect\tomcat\conf
      • 15.5: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf
    • Linux command:  cp  <14.x\15.0\15.1\15.5 file path>/.keystore <14.x\15.0\15.1\15.5 file path>/keystore.bkup
      • 14.x and 15.0: /opt/SymantecDLP/protect/tomcat/conf
      • 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/tomcat/conf​
      • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf​
  2. Generate a new keystore file with the required parameters, and register the certificate.
    • Windows command: <14.x\15.0\15.1\15.5 file path>\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore \SymantecDLP\jre\bin\.keystore -validity 365 -storepass protect -dname "CN=SERVERNAME, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US"​
      • 14.x and 15.0 keytool path: C:\SymantecDLP\jre\bin
      • 15.1 keytool path: C:\Program Files\Symantec\Data Loss Prevention\Enforce Server\15.1\jre\bin
      • 15.5 keytool path: C:\Program Files\Symantec\DataLossPrevention\ServerJRE\1.8.0_181\bin​
      • 14.x and 15.0 .keystore path
  3. Generate a CSR file
    • \SymantecDLP\jre\bin\keytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass protect -file "VontuEnforce.csr"
  4. Send VontuEnforce.csr to CA admin, so they can generate a chained cert file in the current format.
  5. Copy the VontuEnforce.p7b chained cert file to \SymantecDLP\jre\bin\.
  6. Import the chained certificate.
    • \SymantecDLP\jre\bin\keytool -import -alias tomcat -keystore \SymantecDLP\jre\bin\.keystore -trustcacerts -file \SymantecDLP\jre\bin\VontuEnforce.p7b
    • Enter the keystore password.
      • Top-level certificate in reply:
        Owner: XXXXXX
        Issuer: XXXXXX
        Serial number: XXXXXX
        Valid from: XXXXXX until: XXXXXX
        Certificate fingerprints:
        MD5:  **Deleted**
        SHA1: **Deleted**
        … is not trusted. Install reply anyway? [no]:
    • Type Y or YES and press ENTER.
    • Certificate reply was installed in keystore.
  7. Copy the .keystore file from the source to its final destination.
    • copy \SymantecDLP\jre\bin\.keystore \Protect\tomcat\conf\.keystore​​
  8. Restart the Vontu Manager (14.x and 15.0) or Symantec DLP Manager (15.1 and 15.5) service.


If you change the keystore password from the default, ‘protect’ when generating a new keystore, you must update the password values in the following two files:

    1. <InstallPath>\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\tomcat\conf\server.xml
      •         <Certificate certificateKeystoreFile=”${catalina.base}/conf/.keystore” certificateKeystorePassword=”protect”/>
    2. <InstallPath>\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\config\
      • # keystore password
        com.vontu.manager.tomcat.keystore.password = protect
Was this article helpful?
0 out Of 5 Stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.