Java error while importing PFX certificate for Enforce console

Article ID: 253409

Products

Data Loss Prevention Enforce

Issue/Introduction

Keytool fails with the Java error "Keytool error: java.lang.NullPointerException" while importing an SSL certificate for the Enforce console.

 

Environment

DLP 15.8 Enforce server.

PFX certificate.

Cause

When exporting the certificate as a PFX, ensure that the "Export all extended properties" option is selected. If the option was not selected, import the certificate into the Windows store and export it again with "Export all extended properties" selected, as shown in the attachment.

Resolution

Get a new certificate pair from your CA in .pfx format and then import it into a keystore for use.

1. Get the new certificate in a pfx format from your CA.

2. Create a new keystore with the certificates.

a. First create a directory called NEW under the root drive. The new keystore and all related files will be placed in this directory.
b. keytool -importkeystore -deststorepass protect -destkeypass protect -destkeystore "/path/to/NEW/keystore/.keystore" -srckeystore "/path/to/certificates/enforce.pfx" -srcstoretype PKCS12 -srcstorepass password_for_pfx

3. Make sure the certificate is imported correctly.

c. keytool -list -v -keystore "/path/to/NEW/keystore/.keystore"
d. Find the imported certificate's alias. Typically it will be a UID or the FQDN for the server.

4. Change the alias to "tomcat": keytool -changealias -alias "ORIGINAL_ALIAS_FROM_PREVIOUS_STEP" -destalias "tomcat" -keystore "/path/to/NEW/keystore/.keystore" -storepass protect

5. Move the new keystore into the Enforce Tomcat directory:
e. <DRIVE>\Program Files\Symantec\DataLossPrevention\EnforceServer\<VERSION>\Protect\tomcat\conf\.keystore

6. Recycle the DLP manager service

Enforce should now be using the newly created certificates.
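
The re-export described under Cause and steps 2 to 4 of the Resolution, combined into one PowerShell script with a check after each stage. This is an added example, not code from the vendor or from this article. It assumes a Windows Enforce server with keytool on the PATH and English keytool output, and all paths and variable names are placeholders.

```powershell
# Added example; every path and password below is a placeholder (assumption).
$Pfx       = 'C:\NEW\enforce.pfx'            # PFX received from the CA
$FixedPfx  = 'C:\NEW\enforce-reexport.pfx'   # re-exported copy with extended properties
$Keystore  = 'C:\NEW\.keystore'              # new keystore, as in step 2
$StorePass = 'protect'                       # keystore password used in the article's commands
$PfxPass   = Read-Host 'PFX password' -AsSecureString
$PfxPlain  = [System.Net.NetworkCredential]::new('', $PfxPass).Password

# Cause: round-trip the PFX through the Windows store. Export-PfxCertificate
# includes all extended properties unless -NoProperties is given.
$cert = Import-PfxCertificate -FilePath $Pfx -CertStoreLocation Cert:\CurrentUser\My `
            -Password $PfxPass -Exportable -ErrorAction Stop |
        Where-Object HasPrivateKey | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found in $Pfx" }
try {
    Export-PfxCertificate -Cert $cert -FilePath $FixedPfx -Password $PfxPass `
        -ErrorAction Stop | Out-Null
} finally {
    # Do not leave an exportable private key behind in the user store.
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}

# Step 2: build the new keystore from the re-exported PFX.
& keytool -importkeystore -deststorepass $StorePass -destkeypass $StorePass `
    -destkeystore $Keystore -srckeystore $FixedPfx -srcstoretype PKCS12 -srcstorepass $PfxPlain
if ($LASTEXITCODE -ne 0) { throw 'keytool -importkeystore failed' }

# Step 3: read the alias from the listing instead of copying it by hand.
$aliases = @(& keytool -list -v -keystore $Keystore -storepass $StorePass |
    Select-String -Pattern '^Alias name:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })
if ($aliases.Count -ne 1) {
    throw "Expected one alias, found $($aliases.Count): $($aliases -join ', '). Pick it by hand."
}

# Step 4: rename the alias to 'tomcat' unless it already has that name.
if ($aliases[0] -ne 'tomcat') {
    & keytool -changealias -alias $aliases[0] -destalias tomcat -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw 'keytool -changealias failed' }
}

# Confirm the entry is present under the alias set in step 4.
& keytool -list -alias tomcat -keystore $Keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "Alias 'tomcat' not found in $Keystore" }
```

Steps 5 and 6 (moving the keystore into place and recycling the service) are left as manual steps.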