How to check expiration date of the Enforce server root certificate and/or the Endpoint Agent certificate.

Article ID: 273561

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

You are looking for a way to check the validity period of your Enforce server root certificate, also known as the DLP Root Certification Authority, which signs the certificates used within the DLP product, for example the Endpoint Agent certificates and the detection server certificates. This article covers the Endpoint Agent certificate and the Enforce root certificate, and additionally describes a way to display the details of the Endpoint Prevent server certificate, which plays a vital role in the agent-to-server communication.

For more details on the endpoint certificates you may refer to the link below:

About secure communications between DLP Agents and Endpoint Servers upgrade (broadcom.com)

 

This article uses the keytool.exe utility, which ships with the AdoptOpenJRE that is installed on the Enforce server during deployment. The JRE is a prerequisite for the Enforce server, so keytool.exe should be present on any install. Other tools can be used as per personal preference.

Environment

Release : 16.0

Resolution

The instructions below reference the default file paths of DLP 16.0. If you are using a different version, adjust the paths accordingly.

 

Enforce server root certificate

 

1. Open Command Prompt (cmd.exe) as an administrator on the Enforce server.

2. Change the directory to the bin folder of the most recent AdoptOpenJRE installation. The path may differ based on the installation options chosen during deployment of the server. The default path as per the installation manual is:

C:\Program Files\AdoptOpenJRE\jdk<version>-jre\bin

3. Find the path to certificate_authority_v1.jks on the Enforce server. By default it is located in:

C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore\

4. Execute the following command:

keytool.exe -list -keystore C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore\certificate_authority_v1.jks -v

5. When asked for the keystore password, leave it blank and press Enter. The keystore is password protected against modification or manipulation, but listing its contents does not require the password. keytool then prints a warning that the integrity of the keystore has not been verified; that is expected when no password is supplied and does not affect the dates shown.

6. The details of the keystore, including the Enforce server root certificate, are printed on the screen. The validity dates of the certificate appear in the row reading "Valid from: <date> until: <date>".

 

Endpoint Agent certificate

The Endpoint Agent certificate is created and placed in the agent package whenever the Agent packaging feature of the Enforce server is used. By default it is named endpoint_cert.pem. This example uses the same default paths for DLP 16.0 on an Enforce server; if another version is in use, adjust accordingly.

1. Copy the agent package to the Enforce server, or to any other machine where keytool.exe is present.

2. Extract the package.

3. Open Command Prompt (cmd.exe) as an administrator on that machine.

4. Change the directory to the bin folder of the most recent AdoptOpenJRE installation. The path may differ based on the installation options chosen during deployment of the server. The default path as per the installation manual is:

C:\Program Files\AdoptOpenJRE\jdk<version>-jre\bin

5. Run the following command:

keytool.exe -printcert -file C:\EnforceShare\AgentInstaller_Win64_16_0\endpoint_cert.pem -v

6. The details of the certificate are printed on the screen. As with the Enforce root certificate, the validity dates appear in the row reading "Valid from: <date> until: <date>".
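The two keytool checks above (root CA keystore and Endpoint Agent certificate), scripted in PowerShell as an added example that is not part of the Broadcom article or the DLP product: it runs the same keytool.exe commands, parses the "Valid from ... until" lines and reports how many days remain before each certificate expires. The keystore and PEM paths are the DLP 16.0 defaults from the article; the AdoptOpenJRE root folder, the 90-day warning threshold and the function names are this example's own assumptions.

```powershell
# Added example, not part of the Broadcom article: report days until expiry for the
# Enforce root CA (certificate_authority_v1.jks) and the Endpoint Agent certificate
# (endpoint_cert.pem) by driving the same keytool.exe commands the article uses.
# Default paths are the DLP 16.0 defaults quoted in the article; adjust them for your install.
param(
    [string]$Keystore = 'C:\ProgramData\Symantec\DataLossPrevention\EnforceServer\16.0.00000\keystore\certificate_authority_v1.jks',
    [string]$AgentPem = 'C:\EnforceShare\AgentInstaller_Win64_16_0\endpoint_cert.pem',
    [string]$JreRoot  = 'C:\Program Files\AdoptOpenJRE',   # assumed install root
    [int]$WarnDays    = 90                                 # assumed warning threshold
)

function Get-KeytoolPath {
    # Pick the most recently installed JRE under the AdoptOpenJRE root (newest folder by write time).
    param([string]$Root)
    $jre = Get-ChildItem -Path $Root -Directory -ErrorAction Stop |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $jre) { throw "No JRE folder found under $Root" }
    Join-Path $jre.FullName 'bin\keytool.exe'
}

function ConvertFrom-KeytoolDate {
    # keytool prints dates in Java's Date.toString() form, e.g. "Tue Nov 07 10:41:49 CET 2023".
    # .NET cannot parse the zone abbreviation, so it is dropped; a few hours of skew does not
    # matter for a days-until-expiry check.
    param([string]$Text)
    if ($Text -notmatch '^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})$') {
        throw "Unrecognised keytool date: '$Text'"
    }
    [datetime]::ParseExact("$($Matches[1]) $($Matches[2])", 'ddd MMM dd HH:mm:ss yyyy',
                           [cultureinfo]::InvariantCulture)
}

function Get-KeytoolValidity {
    # Run keytool with the given arguments and return one object per "Valid from ... until" line.
    param([string]$KeytoolExe, [string[]]$Arguments)
    # An empty line on stdin answers the "Enter keystore password:" prompt. Listing needs no
    # password; keytool then warns that the keystore's integrity was NOT verified, which is
    # expected here because only the validity dates are read and nothing is modified.
    $output = '' | & $KeytoolExe @Arguments | Out-String
    $alias = $null; $owner = $null; $records = @()
    foreach ($line in ($output -split "`r?`n")) {
        if ($line -match '^Alias name: (.+)$')    { $alias = $Matches[1].Trim() }
        elseif ($line -match '^Owner: (.+)$')     { $owner = $Matches[1].Trim() }
        elseif ($line -match '^Valid from: (.+?) until: (.+)$') {
            $from = $Matches[1].Trim(); $until = $Matches[2].Trim()
            $records += [pscustomobject]@{
                Alias     = $alias
                Subject   = $owner
                NotBefore = ConvertFrom-KeytoolDate $from
                NotAfter  = ConvertFrom-KeytoolDate $until
            }
        }
    }
    if ($records.Count -eq 0) { throw "No certificate found in keytool output for: $($Arguments -join ' ')" }
    $records
}

function Show-ExpiryReport {
    # Print one line per certificate: OK / WARN (within $WarnDays) / EXPIRED.
    param([object[]]$Certs, [string]$Label, [int]$WarnDays)
    foreach ($c in $Certs) {
        $days  = [math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
        $state = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'WARN' } else { 'OK' }
        '{0,-7} {1,-16} expires {2:yyyy-MM-dd} ({3,5} days)  {4}' -f $state, $Label, $c.NotAfter, $days, $c.Subject
    }
}

$keytool = Get-KeytoolPath -Root $JreRoot
$rootCa  = Get-KeytoolValidity -KeytoolExe $keytool -Arguments @('-list', '-v', '-keystore', $Keystore)
$agent   = Get-KeytoolValidity -KeytoolExe $keytool -Arguments @('-printcert', '-v', '-file', $AgentPem)
Show-ExpiryReport -Certs $rootCa -Label 'Enforce root CA' -WarnDays $WarnDays
Show-ExpiryReport -Certs $agent  -Label 'Endpoint Agent'  -WarnDays $WarnDays
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt on the Enforce server (or wherever keytool.exe and the extracted agent package are), passing -Keystore, -AgentPem or -JreRoot if your installation uses different paths. A keystore or PEM file that carries a chain yields one report line per certificate in the chain, which is why the subject is printed next to each date.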

 

Endpoint Prevent server certificate

This certificate is installed on the Endpoint Prevent server during its deployment. It usually has the shortest validity period of the certificates mentioned so far, which by default is 5 years. These certificates are, however, refreshed with product upgrades, so as long as the organization upgrades more often than every 5 years this should not become a problem.

The easiest way to check the details of this certificate is with a web browser.

1. Open a browser of your preference; this example uses Microsoft Edge. The machine must be able to reach the Endpoint Prevent server on the agent communication port, which is 10443 by default. The browser can also be run locally on the Endpoint Prevent server, which ensures that firewall port openings are not an obstacle.

2. Navigate to the below URL. Replace <DetectionServerFQDN> with the FQDN of your Endpoint Prevent server.

https://<DetectionServerFQDN>:10443

for example:

https://endpointserver.example.com:10443

3. The browser warns that the connection is not secure. This is expected: the server certificate is issued by the DLP Root Certification Authority, which the browser does not trust, and this port is not a website meant to be accessed with a browser. The warning can be ignored for the purpose of reading the certificate.

4. Click the "Not secure" button in the navigation bar of the browser and then the bar saying "Your connection isn't secure".

5. Click the "Show certificate" button in the top section of the newly displayed window.

6. The details of the certificate are displayed on the screen. The validity is shown in the "Validity Period" section, where "Issued On" is the start and "Expires On" is the end of the validity of the certificate.
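The browser steps above, as an added PowerShell example that is not part of the Broadcom article: it opens a TLS connection to the agent communication port and reads the certificate the Endpoint Prevent server presents, so the check can be scripted or run from a machine without a browser. The server name, port 10443 and the warning threshold are assumptions taken from the article's example, and the function name is this example's own.

```powershell
# Added example, not part of the Broadcom article: read the Endpoint Prevent server certificate
# off the agent communication port (10443 by default) without a browser and report its validity.
# The server name is an assumption; replace it with the FQDN of your Endpoint Prevent server.
param(
    [string]$Server   = 'endpointserver.example.com',   # assumed, from the article's example URL
    [int]$Port        = 10443,
    [int]$WarnDays    = 90                              # assumed warning threshold
)

function Get-RemoteServerCertificate {
    param([string]$HostName, [int]$TcpPort)
    $holder = @{ Cert = $null }
    # The certificate chains to the DLP Root CA, which Windows does not trust, so a normal
    # handshake fails validation. The callback accepts whatever is presented: this is a
    # read-only check and nothing is sent over the connection afterwards. It also captures the
    # certificate as soon as the server presents it, so the dates are still available if the
    # server aborts the handshake later (for example because it expects an agent client
    # certificate that this script does not have).
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $holder.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
        $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $HostName, $TcpPort
    try {
        $stream = $client.GetStream()
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        try   { $ssl.AuthenticateAsClient($HostName) }
        catch { if (-not $holder.Cert) { throw } }   # failed before any certificate arrived
        $ssl.Dispose()
    } finally {
        $client.Close()
    }
    $holder.Cert
}

$cert  = Get-RemoteServerCertificate -HostName $Server -TcpPort $Port
$days  = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
$state = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'WARN' } else { 'OK' }

[pscustomobject]@{
    Server     = "${Server}:$Port"
    State      = $state
    DaysLeft   = $days
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer      # should name the DLP Root CA described in the article
    Thumbprint = $cert.Thumbprint
} | Format-List
```

Save it as a .ps1 file and run it with -Server <FQDN of the Endpoint Prevent server> from a machine that can reach port 10443, or locally on the server itself. The validation callback returns $true for every certificate only because the DLP Root CA is not in the Windows trust store and the connection is used for nothing but reading the certificate; do not reuse that callback for real connections. The Issuer field should match the subject of the Enforce root certificate from the keystore check, which confirms the server certificate was issued by the DLP Root CA.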

 

Additional Information

Starting with DLP 16.0 it is also possible to use third-party certificates for the Endpoint communication. For details refer to the article below:

About secure communications between DLP Agents and Endpoint Servers upgrade (broadcom.com)