Import an SSL certificate created by a Trusted Certificate Authority for the Enforce Console Certificate

Article ID: 248270

Products

Data Loss Prevention Enterprise Suite, Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

You have a certificate issued by a trusted Certificate Authority (CA) and need to install it in the keystore used by the Enforce Server console (Tomcat), replacing the certificate the console currently presents.

Resolution

There are two ways to update the keystore.

Method 1: Generate a certificate signing request (CSR) from the Enforce keystore, have your CA sign it, then import the signed certificate into the keystore for use with DLP. That process is outlined in the following KB:

Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Server certificate (broadcom.com)


Method 2: Obtain a certificate and private key pair directly from your CA as a PKCS#12 (.pfx) file and import it into a new keystore for use with DLP. The steps below cover this method.

  • Get the new certificate, with its private key and the CA chain, from your CA in .pfx (PKCS#12) format.
    • If you intend to use the .pfx itself as the keystore (changing the keystore type to PKCS#12), the private key password inside the .pfx must equal the current keystore password (default "protect"), because Tomcat opens the key with the keystore password unless told otherwise.
    • If you plan to export from the .pfx into a new .keystore, as described below, the .pfx password can be anything; you supply it once to keytool during the import.
  • Create a new keystore containing the certificate.
    • First create a directory called NEW under the root of the drive. The new keystore and all related files go in this directory, so the keystore Enforce is currently using is not touched until you are ready to swap it in.
    • keytool -importkeystore -deststorepass protect -destkeypass protect -destkeystore "/path/to/NEW/keystore/.keystore" -srckeystore "/path/to/certificates/enforce.pfx" -srcstoretype PKCS12 -srcstorepass password_for_pfx
  • Make sure the certificate imported correctly.
    • keytool -list -v -keystore /path/to/NEW/keystore/.keystore
    • Find the alias of the imported entry (the PrivateKeyEntry). Typically it is a UID or the FQDN of the server.
  • Rename the alias to "tomcat", the alias the Enforce Tomcat configuration expects:
    • keytool -changealias -alias "ORIGINAL_ALIAS_FROM_PREVIOUS_STEP" -destalias "tomcat" -keystore "/path/to/NEW/keystore/.keystore" -storepass protect
  • Back up the existing keystore, then move the new keystore into the Enforce Tomcat directory:
    • <DRIVE>\Program Files\Symantec\DataLossPrevention\EnforceServer\<VERSION>\Protect\tomcat\conf\.keystore
  • Restart (stop and start) the DLP Manager service so Tomcat loads the new keystore.

The Enforce console should now present the CA-issued certificate. Confirm it by opening the console in a browser and inspecting the certificate it serves; the issuer should be your CA and the subject or Subject Alternative Name should match the console's FQDN.
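The Method 2 steps above as one script, added here as an example; it is not part of the Broadcom article and not Symantec/Broadcom code. It assumes a Unix-like host (a Linux Enforce Server, or a workstation where you build the keystore before copying it to the Windows path listed above) with the JDK keytool and OpenSSL 1.1.1 or later on PATH. The .pfx path and password, the console FQDN, the NEW directory and the tomcat/conf directory are placeholders supplied through environment variables. Beyond the article's steps it fails closed if the .pfx holds zero or more than one private key, checks that the leaf certificate's Subject Alternative Name covers the Enforce FQDN, and keeps a dated backup of the keystore it replaces.

```shell
#!/bin/sh
# Scripted version of Method 2 (added example, not Broadcom's code).
# Assumed inputs, override via environment:
#   PFX          path to the .pfx from the CA
#   PFX_PASS     password protecting the .pfx
#   FQDN         name users type to reach the Enforce console (checked against the SAN)
#   NEW          working directory for the new keystore (the article uses a root-level NEW)
#   TOMCAT_CONF  Enforce tomcat/conf directory; leave empty to stop after building the keystore
set -eu

PFX="${PFX:-/path/to/certificates/enforce.pfx}"
PFX_PASS="${PFX_PASS:-password_for_pfx}"
FQDN="${FQDN:-enforce.example.com}"
NEW="${NEW:-/NEW}"
TOMCAT_CONF="${TOMCAT_CONF:-}"
STOREPASS="protect"                # Enforce default keystore/key password from the article
KEYSTORE="$NEW/.keystore"

# Read `keytool -list` output on stdin and print the alias of the one PrivateKeyEntry.
# Entry lines look like:  <alias>, Jan 5, 2024, PrivateKeyEntry,
# Fail if the .pfx carried no private key, or more than one, instead of guessing.
pick_alias() {
    aliases=$(awk -F', ' '/PrivateKeyEntry/ { print $1 }')
    n=$(printf '%s' "$aliases" | awk 'END { print NR }')
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one PrivateKeyEntry, found $n" >&2
        return 1
    fi
    printf '%s\n' "$aliases"
}

# Return 0 when the SAN text on stdin (openssl x509 -ext subjectAltName output)
# lists exactly DNS:$1 as one of its entries.
san_covers() {
    tr ', ' '\n\n' | grep -qxF "DNS:$1"
}

import_pfx() {
    mkdir -p "$NEW"
    # Article step 2: copy key + chain from the PKCS#12 into a new keystore,
    # setting both the store and the key password to the Enforce default.
    keytool -importkeystore \
        -srckeystore "$PFX" -srcstoretype PKCS12 -srcstorepass "$PFX_PASS" \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"

    # Article step 3: locate the imported alias instead of reading -list -v by eye.
    src_alias=$(keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | pick_alias)

    # Article step 4: rename it to tomcat (skipped if the CA already used that alias).
    if [ "$src_alias" != "tomcat" ]; then
        keytool -changealias -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -alias "$src_alias" -destalias tomcat
    fi

    # Extra check: the leaf certificate must name the console FQDN in its SAN,
    # or browsers will reject it even though Tomcat starts cleanly.
    san=$(keytool -exportcert -rfc -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias tomcat \
          | openssl x509 -noout -ext subjectAltName)
    printf '%s\n' "$san" | san_covers "$FQDN" \
        || { echo "certificate SAN does not include DNS:$FQDN" >&2; return 1; }
    keytool -exportcert -rfc -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias tomcat \
        | openssl x509 -noout -subject -issuer -enddate

    # Article step 5: swap the keystore in, keeping a dated backup of the old one.
    if [ -n "$TOMCAT_CONF" ]; then
        cp -p "$TOMCAT_CONF/.keystore" "$TOMCAT_CONF/.keystore.bak.$(date +%Y%m%d%H%M%S)"
        cp "$KEYSTORE" "$TOMCAT_CONF/.keystore"
        echo "keystore installed; restart the DLP Manager service to load it"
    else
        echo "new keystore ready at $KEYSTORE; copy it to tomcat/conf/.keystore and restart the DLP Manager service"
    fi
}

# Run only when explicitly asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    import_pfx
fi
```

Run it as `PFX=/path/to/enforce.pfx PFX_PASS='...' FQDN=enforce.example.com sh import_pfx.sh --run`; leave TOMCAT_CONF unset on the first pass so you can inspect the keystore under NEW before anything under tomcat/conf is replaced.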