How to re-generate Endpoint Server certificates after they expire


Article ID: 242030


Products

Data Loss Prevention, Data Loss Prevention Endpoint Prevent

Issue/Introduction

This document explains how to re-generate the Endpoint Server certificate after it expires (the certificate is valid for 5 years).

Environment

DLP 15.x

Resolution

1. Stop all DLP services on the Enforce server in the correct order.


2. Go to the keystore directory:

           Windows: C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\15.7\keystore

           Linux: /var/Symantec/DataLossPrevention/EnforceServer/15.7/keystore

3. Look for files named monitorXX_keystore_vY.jks and monitorXX_truststore_vY.jks, where XX is typically a two-digit number and Y is the version (1, 2, and so on), for example monitor34_keystore_v1.jks and monitor34_truststore_v1.jks. There may be several such files here, in pairs (keystore and truststore).


4. For the highest-numbered pair (the files whose XX is the highest number), rename the keystore and the truststore to monitorXX_keystore_v1.jks.old and monitorXX_truststore_v1.jks.old respectively. For example, if the directory contains monitor3_keystore_v1.jks, monitor13_keystore_v1.jks, monitor34_keystore_v1.jks, monitor3_truststore_v1.jks, monitor13_truststore_v1.jks and monitor34_truststore_v1.jks, rename the monitor34_*.jks files.


5. Start all DLP services on the Enforce server in the correct order.

Verify that new files with the same number (34 in the example above) but an incremented version have been generated, for example monitor34_keystore_v2.jks and monitor34_truststore_v2.jks. These are the new Endpoint Server certificates, valid for another 5 years. The new certificate can also be checked by viewing the Endpoint Server certificate in the browser.
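Steps 3 to 5 as a script, added here as an example and not part of the article or the product: it finds the highest-numbered keystore/truststore pair, retires both files to *.jks.old only when the pair is complete, and checks after the restart that the next version has appeared. It assumes the article's Linux keystore path (overridable as the first argument) and generalizes from v1 to whatever version Y is currently present; stopping and starting the services (steps 1 and 5) is still done separately.

```shell
#!/bin/sh
# Added example (not from the KB article). Assumes the article's Linux
# keystore path; pass another directory as $1 to override it.
KEYSTORE_DIR="${1:-/var/Symantec/DataLossPrevention/EnforceServer/15.7/keystore}"

# Print the highest monitor number XX that has a monitorXX_keystore_vY.jks.
highest_monitor() {
  ls "$1" 2>/dev/null \
    | sed -n 's/^monitor\([0-9][0-9]*\)_keystore_v[0-9][0-9]*\.jks$/\1/p' \
    | sort -n | tail -n 1
}

# Print the highest keystore version Y present for monitor XX (empty if none).
highest_version() {
  ls "$1" 2>/dev/null \
    | sed -n "s/^monitor${2}_keystore_v\([0-9][0-9]*\)\.jks$/\1/p" \
    | sort -n | tail -n 1
}

# Step 4: rename the highest-numbered keystore/truststore pair to *.jks.old.
# Acts only when both files of the pair exist, so a half-renamed pair never
# occurs. Returns 0 on success, 1 if no eligible pair was found.
retire_pair() {
  dir="$1"
  xx=$(highest_monitor "$dir"); [ -n "$xx" ] || return 1
  v=$(highest_version "$dir" "$xx")
  ks="$dir/monitor${xx}_keystore_v${v}.jks"
  ts="$dir/monitor${xx}_truststore_v${v}.jks"
  [ -f "$ks" ] && [ -f "$ts" ] || return 1
  mv "$ks" "$ks.old" && mv "$ts" "$ts.old"
}

# Step 5 check: after the services are restarted, the retired pair XX at
# version Y should have been regenerated as version Y+1. Returns 0 if both
# new files exist.
verify_regenerated() {
  newv=$((${3} + 1))
  [ -f "$1/monitor${2}_keystore_v${newv}.jks" ] \
    && [ -f "$1/monitor${2}_truststore_v${newv}.jks" ]
}

# Stand-alone use with services already stopped (step 1):
#   RUN_RETIRE=1 sh retire_endpoint_certs.sh [keystore_dir]
if [ "${RUN_RETIRE:-0}" = "1" ]; then
  retire_pair "$KEYSTORE_DIR"
fi
```

After the services are back up, `verify_regenerated "$KEYSTORE_DIR" 34 1` (with the retired pair's number and version) returns 0 once monitor34_*_v2.jks exist.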