Import an SSL certificate created by a Trusted Certificate Authority for the Enforce Console Certificate
Article ID: 248270

Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

You need to import a created certificate from a Trusted Certificate Authority into the Enforce Server console.

Resolution

There are two methods to update the keystore.

Method 1: Generate a CSR, have your CA sign it, then import the signed certificate into a keystore for use with DLP. That process is outlined in the following KB:

Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Server certificate (broadcom.com)

Method 2: Get a new certificate and private key pair directly from your CA in .pfx (PKCS12) keystore format, then import it into a keystore for use with DLP.

  1. Get the new certificate in a pfx format from your CA.
    1. If you are going to change the keystore type, then the private key password of the cert needs to be the current keystore password (default "protect")
    2. If you plan to export/import from the pfx to the .keystore, then any password will be fine.
  2. Create a new keystore with the certificates
    1. First create a directory called NEW under the root drive; the new keystore and all related files will be placed in this directory.
    2. Run the following command:
      keytool -importkeystore -deststorepass protect -destkeypass protect -destkeystore "/path/to/NEW/keystore/.keystore" -srckeystore "/path/to/certificates/enforce.pfx" -srcstoretype PKCS12 -srcstorepass password_for_pfx
  3. Make sure the certs imported correctly using the following command: keytool -list -v -keystore /path/to/NEW/keystore/.keystore
  4. Find the imported cert's alias. Typically it will be a UID or the FQDN of the server.
  5. To change the alias to "tomcat", use the following command: keytool -changealias -alias "ORIGINAL_ALIAS_FROM_PREVIOUS_STEP" -destalias "tomcat" -keystore "/path/to/NEW/keystore/.keystore" -storepass protect
  6. Move the new keystore into the Enforce Tomcat conf directory.
    Example: <DRIVE>\Program Files\Symantec\DataLossPrevention\EnforceServer\<VERSION>\Protect\tomcat\conf\.keystore
  7. Recycle the DLP Manager service.

Enforce should now be using the newly created certificates.
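The following script is an added example, not part of this KB, that wraps steps 2 through 5 of Method 2 in shell functions and adds two checks worth doing before the keystore is copied into tomcat/conf: that the alias you rename is the entry that actually holds the private key (an imported root CA shows up as a trustedCertEntry and must not be renamed to "tomcat"), and that the entry's chain contains more than just the leaf certificate. The paths, the environment variable names and the sample keytool listing are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Broadcom KB). Paths and passwords are assumptions
# that mirror the placeholders used in the article; override them via environment.
NEW_KS="${NEW_KS:-/path/to/NEW/keystore/.keystore}"
SRC_PFX="${SRC_PFX:-/path/to/certificates/enforce.pfx}"
STOREPASS="${STOREPASS:-protect}"   # default Enforce keystore password per the KB

# Step 2: import the PKCS12 bundle. The key password is set equal to the store
# password, which is what the Enforce Tomcat connector expects.
import_pfx() {
  keytool -importkeystore -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" \
    -destkeystore "$NEW_KS" -srckeystore "$SRC_PFX" -srcstoretype PKCS12 \
    -srcstorepass "$1"
}

# Steps 3-4: read 'keytool -list -v' output from stdin and print the alias of the
# first entry whose type is PrivateKeyEntry; trustedCertEntry entries are skipped.
private_key_alias() {
  awk '/^Alias name:/ {sub(/^Alias name: */, ""); a=$0}
       /^Entry type: PrivateKeyEntry/ {print a; exit}'
}

# Chain length for a given alias; 1 means the intermediate CA(s) are missing.
chain_length() {
  awk -v want="$1" '/^Alias name:/ {sub(/^Alias name: */, ""); a=$0}
       /^Certificate chain length:/ && a==want {print $NF; exit}'
}

# Step 5: rename the private-key entry to the alias the Enforce connector uses.
rename_to_tomcat() {
  keytool -changealias -alias "$1" -destalias tomcat -keystore "$NEW_KS" -storepass "$STOREPASS"
}

# Constructed sample of 'keytool -list -v' output for an offline dry run.
SAMPLE_LISTING='Your keystore contains 2 entries

Alias name: rootca
Creation date: Jan 1, 2024
Entry type: trustedCertEntry
Owner: CN=Example Root CA

Alias name: enforce.example.com
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=enforce.example.com
Issuer: CN=Example Issuing CA'

# Real run only when keytool, the pfx and its password are all present.
if command -v keytool >/dev/null 2>&1 && [ -f "$SRC_PFX" ] && [ -n "${PFX_PASS:-}" ]; then
  import_pfx "$PFX_PASS"
  LISTING=$(keytool -list -v -keystore "$NEW_KS" -storepass "$STOREPASS")
  ALIAS=$(printf '%s\n' "$LISTING" | private_key_alias)
  [ -n "$ALIAS" ] || { echo "no PrivateKeyEntry found in $NEW_KS" >&2; exit 1; }
  [ "$(printf '%s\n' "$LISTING" | chain_length "$ALIAS")" -gt 1 ] || echo "warning: chain has no intermediates" >&2
  [ "$ALIAS" = tomcat ] || rename_to_tomcat "$ALIAS"
fi
```

Run it as `PFX_PASS=... SRC_PFX=... NEW_KS=... sh import-enforce-cert.sh` and then copy the resulting .keystore into the Tomcat conf directory as in step 6.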