ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to generate and add a new Detection Server certificates using SSLkeytool


Article ID: 160736


Updated On:


Data Loss Prevention


The document explains how to generate and add new Detection Server certificates using SSLkeytool.


NOTE: Default paths for DLP 15.5 or greater:


    • <InstallDrive>\Program Files\Symantec\DataLossPrevention\EnforceServer\15.5\Protect\bin\sslkeytool.exe
    • <InstallDrive>\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.5\keystore

Detection Server:

    • <InstallDrive>\ProgramData\Symantec\DataLossPrevention\DetectionServer\15.5\keystore

NOTE: Default paths for DLP 15.1:


    • <InstallDrive>\Program Files\Symantec\Data Loss Prevention\EnforceServer\15.1\Protect\bin\sslkeytool.exe
    • <InstallDrive>\ProgramData\Symantec\Data Loss Prevention\EnforceServer\15.1\keystore

Detection Server:

    • <InstallDrive>\ProgramData\Symantec\Data Loss Prevention\DetectionServer\15.1\keystore

NOTE: Default paths for DLP 15.0:


    • <InstallDrive>\SymantecDLP\Protect\bin\sslkeytool.exe
    • <InstallDrive>\SymantecDLP\Protect\config\keystore

Detection Server:

    • <InstallDrive>\SymantecDLP\Protect\config\keystore

Generate new Detection Server certificates - examples here using 15.0 install paths:

  1. Log on to the Enforce Server computer using the "protect" user account that you created during Symantec Data Loss Prevention installation.
    • (If you are not able to login as the protect user and get the following error, then perform the steps given in the link Remote desktop connection "The local policy of this system does not permit you to logon interactively")
  2. From a command window: go to the <InstallDir\Protect\bin> directory where the sslkeytool utility is stored.
  3. Create a directory in which you will store the new detection server certificate files. For example: mkdir new_certificates
  4. Run the SSLkeytool using the following command
sslkeytool.exe -genkey -dir=C:\SymantecDLP\Protect\bin\new_certificates

Now at this time there will be 2 new certificates created in the \Protect\bin\new_certificates directory - One for the Enforce and the other one for the detection server eg:

  •  enforce.Thu_Jul_21_18_15_24_GMT+05_30_2017.sslKeyStore
  •  monitor.Thu_Jul_21_18_15_24_GMT+05_30_2017.sslKeyStore


5. Copy each new certificate file to the <InstallDir\Protect\keystore> directory on the appropriate server.

6. Delete or secure any additional copies of the certificate files to prevent unauthorized access to the generated keys.

7. Restart the DetectionServer (formerly Vontu Monitor) service on each Detection Server to use the new certificate file.

8. Restart the Symantec DLP Services on Enforce to start using the new key