How to generate CSR, so CA can generate a certificate.

NOTE: these instructions are provided for the customer's convenience. It is not necessary to use the keytool command that comes with LUA, a certificate can be generated independently. We do not provide walk-throughs or assistance in generating certificates. If not using the self-signed certificate, it is customer's responsibility to work with a Certificate Authority and obtain a password-protected *.jks keystore file with a properly configured and signed certificate. We can then assist with replacing LUA certificate with that file, as described in Replace LiveUpdate Administrator certificate.

1. Open Command Prompt with elevated permission.
    
2. Go to \Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin
    
3. Run the following command:
   

   keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore lua.jks -validity <days>

   Provide a password. Note: Avoid using the '&' character in your keystore password.
   
   For "first and last name" provide the FQDN of your server. The remaining fields can be blank.
   
   After creation, you can stop here and use this self-signed lua.jks to replace LUA certificate according to Replace LiveUpdate Administrator certificate.
   
   If you wish to sign the certificate in the jks file, proceed.
   
   
4. Generate a Certificate Signing Request (CSR):
   

   keytool -certreq -alias server -keyalg RSA -file lua.csr -keystore lua.jks

   You should see the lua.csr in the same folder. Submit this to your Certificate Authority (CA) for signing.
   
   Your CA's reply should include the signed public certificate (e.g. server.crt) which you can import into your keystore:
   

   keytool -import -keystore lua.jks -storepass <password> -file server.crt -alias server

Replace LiveUpdate Administrator Certificate