There are 2 methods to update the keystore.
Method 1: Generate a CSR, have your CA sign it, then import the signed certificate into a keystore for use with DLP. That process is outlined in the following KB:
Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Server certificate (broadcom.com)
Method 2: Obtain a new certificate pair directly from your CA in .pfx (PKCS12) keystore format and then import it into a keystore for use with DLP.
- Get the new certificate in .pfx format from your CA.
- If you are going to change the keystore type, then the private key password of the cert needs to be the current keystore password (default "protect").
- If you plan to export/import from the .pfx into the .keystore, then any password will be fine.
- Create a new keystore with the certificates
- First, create a directory called NEW at the root of the drive; the new keystore and all related files will be placed in this directory.
- keytool -importkeystore -deststorepass protect -destkeypass protect -destkeystore "/path/to/NEW/keystore/.keystore" -srckeystore "/path/to/certificates/enforce.pfx" -srcstoretype PKCS12 -srcstorepass password_for_pfx
- Make sure the certificates imported correctly:
- keytool -list -v -keystore "/path/to/NEW/keystore/.keystore" -storepass protect
- Find the alias of the imported certificate. Typically it will be a UID or the FQDN of the server.
- keytool -changealias -alias "ORIGINAL_ALIAS_FROM_PREVIOUS_STEP" -destalias "tomcat" -keystore "/path/to/NEW/keystore/.keystore" -storepass protect
- Move the new keystore into the Enforce Tomcat directory:
- <DRIVE>\Program Files\Symantec\DataLossPrevention\EnforceServer\<VERSION>\Protect\tomcat\conf\.keystore
- Recycle the DLP Manager service.
Enforce should now be using the newly created certificates.
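The import, verify and rename-alias steps of Method 2 scripted end to end, as an added example that is not part of the original KB. It assumes a NEW_DIR location and takes the .pfx path and password as arguments; the alias is read from the keytool listing rather than typed by hand, and the rename is refused unless exactly one PrivateKeyEntry is present, since that is the entry Tomcat must find under the alias "tomcat".

```shell
#!/bin/sh
# Added example, not Broadcom's code: scripts the import -> verify -> rename-alias
# steps above. NEW_DIR and the positional .pfx path/password are assumed inputs;
# "protect" is the default keystore password the KB names.
NEW_DIR="${NEW_DIR:-/NEW}"
KEYSTORE="$NEW_DIR/.keystore"
STOREPASS="protect"

# Constructed sample of `keytool -list -v` output after importing a .pfx, so the
# alias-extraction logic can be exercised without a real keystore.
SAMPLE_LIST='Keystore type: JKS
Your keystore contains 2 entries

Alias name: 1a2b3c4d-enforce.example.com
Entry type: PrivateKeyEntry
Certificate chain length: 2

Alias name: rootca
Entry type: trustedCertEntry'

# Print the alias of the one PrivateKeyEntry (the imported server key pair).
# Fails unless exactly one exists: -changealias needs an unambiguous source alias,
# and Tomcat will only serve the entry named "tomcat".
private_key_alias() {
  found=$(printf '%s\n' "$1" | awk '
    /^Alias name:/ { alias = substr($0, index($0, ":") + 2) }
    /^Entry type: PrivateKeyEntry/ { print alias }')
  n=$(printf '%s\n' "$found" | awk 'NF { c++ } END { print c + 0 }')
  [ "$n" -eq 1 ] || return 1
  printf '%s\n' "$found"
}

# $1 = path to the .pfx from the CA, $2 = its password.
import_and_rename() {
  mkdir -p "$NEW_DIR" || return 1
  keytool -importkeystore -deststorepass "$STOREPASS" -destkeypass "$STOREPASS" \
    -destkeystore "$KEYSTORE" -srckeystore "$1" -srcstoretype PKCS12 \
    -srcstorepass "$2" || return 1
  listing=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS") || return 1
  src_alias=$(private_key_alias "$listing") || {
    echo "expected exactly one PrivateKeyEntry in $KEYSTORE" >&2; return 1; }
  [ "$src_alias" = "tomcat" ] && return 0
  keytool -changealias -alias "$src_alias" -destalias tomcat \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Usage: sh this_script.sh /path/to/certificates/enforce.pfx password_for_pfx
if [ $# -eq 2 ]; then import_and_rename "$1" "$2"; fi
```

After it succeeds, the keystore in NEW_DIR still has to be copied to the Tomcat conf directory and the DLP Manager service recycled, as in the steps above.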