Certificate expiry assistance


Article ID: 273036



Data Loss Prevention Core Package, Data Loss Prevention, Data Loss Prevention Enterprise Suite, Data Loss Prevention Enforce, Data Loss Prevention Plus Suite


You are trying to renew the certificate for the DLP web console, and have used the following documentation:

 Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Server certificate (broadcom.com)

However, you were unable to correctly apply the command:

<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 720 -dname "CN=<servername>, OU=XXX, O=SYMANTEC, L=SANJOSE, ST=California, C=US" -ext SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress> -keystore <DRIVE>:\EnforceCert\.keystore -storepass XXXXXXXX 

You need more information to determine what is referred to as the <IPAddress> - i.e., is that the DNS IP or Server IP?

You also have questions about the "DNS:<FQDN>" setting - i.e., is that DNS FQDN or Server FQDN?


Release: 16.0


Configuration issue with the certificate in the environment.


Both <FQDN> and <IPAddress> refer to the Enforce Server itself. For example, the Enforce Server console and Enforce Server FQDN is "dlp.example.com" and its IP is <>.

To clarify with an example: if the DLP app is on an asset <dlp.example.com> with IP <>, the command to be implemented becomes:

<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 720 -dname "CN=dlp, OU=DLP, O=EXAMPLE, L=Cupertino, ST=California, C=US" -ext SAN=DNS:dlp,DNS:example.com,DNS:dlp.example.com,IP: -keystore E:\EnforceCert\.keystore -storepass xxxxxxxx
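The same command as a PowerShell wrapper, added here as an example and not taken from the Broadcom documentation: it builds the SAN list from the Enforce Server's own host name, domain, FQDN and IP address, rejects an empty or malformed IP, and lists the key pair afterwards so the SAN entries can be checked. The parameter names are assumptions, the -dname values are the example values used above, and -storepass is left out so that keytool prompts for the password instead of taking it on the command line.

```powershell
# Added example (not Broadcom's script). Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $KeytoolPath,          # full path to keytool.exe in the Enforce JRE
    [Parameter(Mandatory)] [string] $ServerIP,             # IP address of the Enforce Server host itself
    [string] $ShortName = 'dlp',                           # Enforce Server host name (example value)
    [string] $Domain    = 'example.com',                   # domain name (example value)
    [string] $Keystore  = 'E:\EnforceCert\.keystore'
)

$fqdn = "$ShortName.$Domain"                               # Enforce Server FQDN, e.g. dlp.example.com

# An empty or malformed address would leave a bare "IP:" entry, which keytool rejects.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($ServerIP, [ref]$parsed)) {
    throw "ServerIP '$ServerIP' is not a valid IP address"
}

# Sanity check: the FQDN should resolve to the address that goes into the SAN.
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.ToString() }
    if ($resolved -notcontains $parsed.ToString()) {
        Write-Warning "$fqdn resolves to [$($resolved -join ', ')], not $ServerIP"
    }
} catch {
    Write-Warning "$fqdn does not resolve from this host: $($_.Exception.Message)"
}

# Same SAN layout as the article: short name, domain, FQDN, server IP.
$san = "SAN=DNS:$ShortName,DNS:$Domain,DNS:$fqdn,IP:$parsed"

# keytool prompts for the keystore password because -storepass is not given.
& $KeytoolPath -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 720 `
    -dname "CN=$ShortName, OU=DLP, O=EXAMPLE, L=Cupertino, ST=California, C=US" `
    -ext $san -keystore $Keystore
if ($LASTEXITCODE -ne 0) { throw "keytool -genkeypair failed with exit code $LASTEXITCODE" }

# Review the SubjectAlternativeName block (DNSName / IPAddress lines) in this output.
& $KeytoolPath -list -v -alias tomcat -keystore $Keystore
if ($LASTEXITCODE -ne 0) { throw "keytool -list failed with exit code $LASTEXITCODE" }
```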

Additional Information

Additional confirmation of which Dname to supply may need to be obtained from IT teams who work with your server environment.