Replace LiveUpdate Administrator certificate


Article ID: 161578


Updated On:


Endpoint Protection, Endpoint Security, Endpoint Security Complete


Replace or update the default self-signed or third-party certificate used by the LiveUpdate Administrator (LUA) server for HTTPS communications.


LiveUpdate Administrator


The LUA Tomcat server uses a Java keystore (JKS) to securely house its public and private key pair. This file is password protected with a proprietary password. You must create a new JKS file, and generate or obtain a new certificate to replace the LUA certificate. LUA supports both self-signed certificates and Certificate Authority (CA) signed certificates.

Obtain a new certificate

Most large organizations have specific Public Key Infrastructure (PKI) requirements. Work with the PKI experts in your organization to determine what type of certificate you require: a self-signed certificate, an internal CA-signed certificate, or a public CA-signed certificate. Generate or obtain a new certificate based on your organizational requirements. If you have no organizational PKI requirements, you can use the Java keytool program to generate a new self-signed certificate, or leave the default self-signed certificate in place.

Note: A CA-signed certificate is required for content distribution over the HTTPS port via LUA. This applies to Windows SEP endpoints.


Generate a new JKS

  1. Use Java's keytool program to generate a JKS file named server-cert.ssl. Keytool is installed in the LiveUpdate Administrator folder structure, typically C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool.
  2. Make a note of the keystore password used when generating the JKS file.

    Note: Avoid using the '&' character in your keystore password.  

Note: For more information on the Java keytool, see Oracle's public documentation.

Import the new certificate

  1. Import the new LUA certificate using the same program used to generate the new JKS file
  2. For CA-signed certificates signed by an untrusted intermediary CA that chains to a trusted root CA, import the intermediary CA certificate(s)
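
The keytool steps from the two procedures above, as an added example that is not part of the original article or Symantec's own commands. The alias `lua`, the host name `lua.example.com`, the working folder and the certificate file names are assumptions; substitute your own values.

```powershell
# Added example. Alias, host name, folder and file names are assumptions, not values from the article.
$keytool  = 'C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool.exe'
$work     = 'C:\Temp\lua-cert'          # hypothetical working folder outside the LUA install
$keystore = Join-Path $work 'server-cert.ssl'
$alias    = 'lua'                       # assumed alias for the key entry
$fqdn     = 'lua.example.com'           # placeholder: the name clients use to reach LUA

New-Item -ItemType Directory -Force -Path $work | Out-Null

# 1. Generate a key pair (with a self-signed certificate) in a new JKS file.
#    -storepass is omitted on purpose: keytool prompts for it, so the password
#    does not end up in command history or process listings.
#    Avoid '&' in the password. If keytool asks for a separate key password,
#    press Enter to reuse the keystore password, since the article configures
#    only one password (ks.password).
& $keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 -validity 365 `
    -dname "CN=$fqdn" -ext "SAN=dns:$fqdn" `
    -storetype JKS -keystore $keystore

# For a self-signed certificate, stop here and go to step 4.

# 2. CA-signed only: create a certificate signing request for your CA.
& $keytool -certreq -alias $alias -ext "SAN=dns:$fqdn" `
    -file (Join-Path $work 'lua.csr') -keystore $keystore

# 3. CA-signed only: import the intermediate CA certificate first, then the
#    signed certificate under the SAME alias as the private key, so keytool
#    attaches it to the key entry and builds the chain.
& $keytool -importcert -trustcacerts -alias intermediate `
    -file (Join-Path $work 'intermediate.cer') -keystore $keystore
& $keytool -importcert -trustcacerts -alias $alias `
    -file (Join-Path $work 'lua.cer') -keystore $keystore

# 4. Verify before replacing the file LUA uses: the $alias entry should be a
#    PrivateKeyEntry, and for a CA-signed certificate the chain length
#    should be greater than 1.
& $keytool -list -v -keystore $keystore
```

Run the verification step before copying the file into the LUA folder, because a keystore where the signed certificate was imported under a different alias has a trusted certificate entry but no usable chain on the private key.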

Replace server-cert.ssl

  1. Save a backup copy of the original server-cert.ssl file (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\server-cert.ssl by default)
  2. Replace the original server-cert.ssl with the newly generated JKS file created above

Encrypt the keystore password

  1. Open a command prompt as Administrator
  2. Change directories to the LUA WEB-INF library folder (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\webapps\lua\WEB-INF\lib by default)
  3. Run the following command:

    "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\java.exe" -cp ssl-lua.jar;commons-codec-1.10.jar;"C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\lib\tomcat-util.jar" <JKS Password>

  4. Copy the encrypted JKS password output by this command


  1. Open (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\conf\ by default) in a text editor
  2. Change the ks.password value to the new encrypted keystore password output in the previous steps
  3. Save the changes and restart the LUA Apache Tomcat service

Note: Customization of the LUA's default certificate is unsupported by Symantec support.