Replacing the default self-signed certificate used by the Enforce console
Article ID: 214491

Products

Data Loss Prevention Enforce, Data Loss Prevention

Issue/Introduction

The installation of Enforce uses a self-signed certificate by default. Use the following guide to replace the default certificate with one signed by a certificate authority (CA).

Resolution

The following steps assume the system environment variable for JAVA_HOME has been set and that you're working from the tomcat conf directory.

Prerequisites:

Linux and DLP 15.8/16.x

  1. export JAVA_HOME=/opt/AdoptOpenJRE/jdk<version>-jre
  2. export PATH=$PATH:$JAVA_HOME/bin
  3. cd /opt/Symantec/DataLossPrevention/EnforceServer/<version>/Protect/tomcat/conf

Windows and DLP 15.8/16.x

  1. set JAVA_HOME=<JRE install directory>   (JAVA_HOME must point at the JRE that Enforce uses, not at the tomcat conf directory of step 3)
  2. set PATH=%PATH%;%JAVA_HOME%\bin
  3. cd C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<version>\Protect\tomcat\conf

Overview of the request process

  1. Create the Certificate Signing Request (CSR)
  2. Submit the CSR to the CA
  3. Import the signed certificate
  4. Recycle the Manager service

Create the CSR

keytool -certreq -alias tomcat -keyalg RSA -dname "CN=server name,OU=Organizational Unit, O=Organization, L=City, ST=State, C=Country" -keystore .keystore -file yourCertificateRequest.csr 

Submit the CSR to the CA

  1. Submit yourCertificateRequest.csr to the CA
  2. Download the signed certificate (including its certificate chain)

Import the signed certificate

keytool -importcert -alias tomcat -keystore .keystore -file yourSignedCert.p7b -trustcacerts

Restart the Manager service

Linux: /opt/Symantec/DataLossPrevention/EnforceServer/Services/SymantecDLPManager.sh restart
Windows: sc stop SymantecDLPManager, wait for the service to report STOPPED, then sc start SymantecDLPManager (sc has no restart subcommand)

Additional Information

Refer to KB 273794 (linked below) for information about using a script to automate the keytool commands.

Example Script to automate keytool commands

Also refer to the following Tech Docs:

Configuring Certificate Authentication for the Enforce Server Administration Console

Adding certificate authority (CA) certificates to the Tomcat trust store