The certificate delivered by Windows cannot be imported while it has a .p7b extension, but the import is allowed when the extension is .cer.
However, the imported certificate does not work: after installation, the certificate in use remains the (unsigned) localhost certificate.
Release : 15.8, 16.x
Component : DLP Enforce Server management console
In this case there were 2 issues:
The first issue occurred during the import of a signed, chained certificate (in .p7b format), which failed with the following error:
Error: java.lang.Exception: Input not an X.509 certificate.
This can be due to the incorrect alias being supplied (i.e., the alias for the "tomcat" certificate needs to match the one created by the Certificate Signing Request).
But it can also occur if the default .keystore file created when DLP is installed is used to create the Certificate Signing Request (CSR). The original .keystore included with DLP only specifies localhost as the Enforce Server: "Owner: CN=localhost, O=Symantec Corp., L=San Francisco, ST=CA, C=US". If this detail is altered later, the signed cert will not match the Private Key Entry in the keystore, and it will (probably) be installed as if it were a new, unrelated certificate instead of the (signed) reply as required.
If a signed certificate is required for browser certification of Enforce Server logon, a new keystore and key pair need to be generated, with the correct DName for the server and a unique alias for the keystore.
On import of the signed certificate, the same alias must be used for the newly signed cert, otherwise it will not be installed correctly. The correct response when importing with keytool is this:
Certificate reply was installed in the keystore.
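A way to confirm which of these states a keystore entry is in, as an added example that is not part of this KB or of the DLP product: it classifies the output of `keytool -list -v` for one alias. The function name, the sample outputs, and the names in them (alias `enforce`, `enforce.example.test`, `Example Issuing CA`) are constructed for illustration; only the localhost Owner string comes from the text above.

```shell
# Added example: classify `keytool -list -v` output for ONE alias (read on stdin).
# Feed: keytool -list -v -keystore <keystore> -alias <alias> | classify_entry
classify_entry() {
  awk '
    { sub(/\r$/, "") }                      # tolerate CRLF output
    /^Entry type:/               { type = $3 }
    /^Certificate chain length:/ { chain = $4 }
    /^Owner:/  && owner == ""    { sub(/^Owner: */, "");  owner = $0; next }
    /^Issuer:/ && issuer == ""   { sub(/^Issuer: */, ""); issuer = $0 }
    END {
      if (type == "")                      print "missing"
      else if (type == "trustedCertEntry") print "trusted-cert-only"
      else if (type != "PrivateKeyEntry")  print "other"
      else if (owner == issuer)            print "self-signed"
      else                                 print "signed-reply chain=" chain
    }'
}

# Constructed sample: default entry, still the unsigned localhost certificate.
sample_default() {
  cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=localhost, O=Symantec Corp., L=San Francisco, ST=CA, C=US
Issuer: CN=localhost, O=Symantec Corp., L=San Francisco, ST=CA, C=US
EOF
}

# Constructed sample: CA reply installed on the key pair (hypothetical names).
sample_signed() {
  cat <<'EOF'
Alias name: enforce
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=enforce.example.test, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
EOF
}

# Constructed sample: signed cert landed as an unrelated trusted certificate.
sample_trusted() {
  cat <<'EOF'
Alias name: enforce-signed
Entry type: trustedCertEntry
Owner: CN=enforce.example.test, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US
EOF
}
```

After a correct import, the alias used for the CSR should classify as `signed-reply`; `self-signed` and `trusted-cert-only` correspond to the two failure states described above.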
Instructions for generating the key pair and CSR and for importing the certificate into the Tomcat keystore are in the Install Guides for DLP.
They are also given in this KB: Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Console Certificate (broadcom.com)