When an enrollment bundle is uploaded for the first time in a new environment, the error returned refers to a client certificate error that is different from the one described in "DLP Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service" (broadcom.com).
The following detail will be shown in Enforce as Event Code 4201:
Code: 4201
Summary: "Cloud Service enrollment: error requesting client certificate from Symantec Managed PKI Service"
Error: DLP-5000 - the trustAnchors parameter must be non-empty. This may be due to either an invalid enrollment bundle, or a misconfiguration in the connection between the Enforce server and a proxy. If you are not using a proxy, please request a new bundle.
The following may also be in the DetectionServerController log:
STATUS | wrapper | 2019/09/09 07:06:22 | Launching a JVM...
INFO | jvm 1 | 2019/09/09 07:06:23 | WrapperManager: Initializing...
INFO | jvm 1 | 2019/09/09 07:06:24 | java.io.FileNotFoundException: C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\lib\security\cacerts (The system cannot find the file specified)
Enforce server version 15.8+
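In this case, the "trustAnchors" error means the Java services cannot authenticate the handshake: the JVM could not load its default trust store, so it had no trusted CA certificates (trust anchors) to validate against. The cause was that the default cacerts file had been renamed to "cacerts.old".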
Confirm that the cacerts file is present, is correctly named, and has the permissions required for the DLP service user to access it.
In 15.8 and above, the default location is in the AdoptOpenJRE directory, for example:
C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\lib\security
In Windows, the file should have no extension, show the Type "File", and be anywhere from 99-156 KB in size.
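
The checks above can be scripted on the Enforce server. The following PowerShell is an added example, not part of the original article or a Broadcom tool; the directory is the example path given above, and the service account name is a placeholder you must replace.

```powershell
# Added example: verify the JRE trust store that the Enforce Java services load.
# $SecurityDir is the example path from this article; $ServiceUser is a placeholder.
param(
    [string]$SecurityDir = 'C:\Program Files\AdoptOpenJRE\jdk8u262-b10-jre\lib\security',
    [string]$ServiceUser = 'PLACEHOLDER\dlp_service'   # assumption: your DLP service account
)

function Test-CacertsFile {
    param([string]$Dir, [string]$User)

    $path = Join-Path $Dir 'cacerts'
    $findings = @()

    # Renamed or backup copies (cacerts.old, cacerts.bak, ...) show what happened to the file.
    $siblings = Get-ChildItem -LiteralPath $Dir -Filter 'cacerts*' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'cacerts' }
    foreach ($s in $siblings) { $findings += "Sibling file present: $($s.Name)" }

    # The JVM looks for the exact name "cacerts" with no extension.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        $findings += "MISSING: $path (matches the FileNotFoundException in the log)"
        return $findings
    }

    $file = Get-Item -LiteralPath $path
    $sizeKB = [math]::Round($file.Length / 1KB)
    if ($sizeKB -lt 99 -or $sizeKB -gt 156) {
        $findings += "Size $sizeKB KB is outside the 99-156 KB range given in the article"
    }

    # Collect identities with an Allow ACE that includes Read.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $readers = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $read) -eq $read
    } | ForEach-Object { $_.IdentityReference.Value }
    if ($readers -notcontains $User) {
        # Access may still be granted through a group; review the list manually.
        $findings += "No direct read ACE for $User; readers: $($readers -join ', ')"
    }

    if (-not $findings) { $findings += "OK: $path present, $sizeKB KB, readable by $User" }
    return $findings
}

Test-CacertsFile -Dir $SecurityDir -User $ServiceUser
```

A "Sibling file present: cacerts.old" line together with "MISSING" reproduces the condition described in this article.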