The admin wants to import a new tomcat certificate into the DLP Enforce UI keystore
DLP 16.1
DLP 25.1
Windows Servers
- Once you receive the signed Certificate, you simply need to import it into the same keystore.
**Note: The Certificate MUST be imported into the SAME keystore that the CSR was generated from, because that keystore holds the private key that matches the certificate's public key; a certificate with no private key behind it cannot be used by the server.
**Note: When you import the Certificate you MUST import it under the same alias as the original entry (default: tomcat). The keystore entry created when the CSR was generated (the self-signed entry) holds the private key, while the CA-signed certificate that was sent back carries the public key; importing under the same alias joins the two into one entry with both portions.
- To import the Certificate go back to the Main Menu and select the appropriate option for importing your specific certificate type (most will fall under #8 Import Certificate).
- You will be prompted for the full filename and path of the Certificate. You must specify the FULL path INCLUDING the filename (do not type any parentheses or quotes).
For example: C:\Users\Administrator\Desktop\Certificates\TomCat.cer
- You will then be prompted for the "Alias" name. As mentioned, this alias should be "tomcat" by default (the alias the CSR was generated from).
- You will then be prompted for the .keystore password (default: protect). You must ENTER the password here.
That's it, your keystore should now be ready.
Manual Command: "<full path to keytool.exe>" -importcert -trustcacerts -alias "<cert alias>" -file <full path to the certificate file> -keystore <full path to keystore> -storepass <keystore pass>
-- If you see an error when you import your certificate, you will need to import the root and intermediate certificates first.
**Note: If you use a .P7B you will not see this error, because the certificate chain is already included in the .P7B file.
Open your certificate and go to the Certification Path tab.
Select your ROOT CA and click “View Certificate”.
Select the Details tab.
Select “Copy to File”.
The Certificate Export Wizard opens; follow the prompts and select “Next”.
Leave the default .CER format and select “Next”.
Specify your file name, in this instance rootCA.cer. By default it will be saved in the same directory as the certificate file you opened.
Now select “Finish” to complete the export of the Root CA.
You will need to follow the same process for the intermediate CA certificate.
Now we will import the certificates, starting with the ROOT first, then the Intermediate, then the server certificate.
At the Cert Menu, select 8.
Enter the alias name (your choice, but the start of the chain is the “root”).
You will then be asked “Trust this Certificate?”; type “yes”.
You will see confirmation of the Root being added to the keystore.
Now complete the same process for the intermediate (once you trust the root certificate, anything signed by the root certificate is automatically trusted).
Then complete the same process for the tomcat.cer, using the alias the CSR was generated from (default: tomcat).
And now you're ready to update your keystore on the Enforce Server:
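The export and import steps above, as an added PowerShell example that is not part of this article: it walks the Certification Path of the CA-signed server certificate, writes each issuer out as a .cer file (what the "Copy to File" wizard does by hand), then imports root, intermediate and server certificate into the working keystore in that order and checks that the tomcat entry still holds the private key. The keytool path, certificate directory, CA alias names and file names are assumptions for your environment.

```powershell
# Added example, not part of the KB article. Exports the issuing chain of the CA-signed server
# certificate to .cer files (the manual "Copy to File" wizard steps) and then imports root,
# intermediate and server certificate into the working keystore in that order.
# The keytool path, certificate directory, CA alias names and file names are assumptions.
$Keytool   = 'C:\Path\To\jre\bin\keytool.exe'                 # assumption: keytool of the Enforce JRE
$CertDir   = 'C:\Users\Administrator\Desktop\Certificates'    # where certificates.bat was run
$Keystore  = Join-Path $CertDir '.keystore'                   # working keystore: holds the private key
$ServerCer = Join-Path $CertDir 'TomCat.cer'                  # the certificate the CA sent back
$StorePass = Read-Host -Prompt 'Keystore password (default: protect)' -AsSecureString
$Plain     = [System.Net.NetworkCredential]::new('', $StorePass).Password

# Walk the Certification Path of the server certificate and write each issuer out as DER (.cer).
$Leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ServerCer)
$Chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$Chain.ChainPolicy.RevocationMode    = 'NoCheck'
$Chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'   # root may not be trusted yet
[void]$Chain.Build($Leaf)
$Issuers = @($Chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($Issuers.Count -eq 0) { throw "No issuer certificates found for $ServerCer; obtain them from your CA" }
[array]::Reverse($Issuers)      # ChainElements lists leaf first; import order is root, intermediate, server
$Imports = @()
for ($i = 0; $i -lt $Issuers.Count; $i++) {
    $Alias = if ($i -eq 0) { 'root' } else { "intermediate$i" }
    $File  = Join-Path $CertDir "$Alias.cer"
    [System.IO.File]::WriteAllBytes($File, $Issuers[$i].Export('Cert'))   # 'Cert' = DER-encoded .cer
    $Imports += @{ Alias = $Alias; File = $File }
}
$Imports += @{ Alias = 'tomcat'; File = $ServerCer }   # MUST be the alias the CSR was generated from

foreach ($Entry in $Imports) {
    # -trustcacerts lets keytool verify against CA entries already in the store;
    # -noprompt answers the "Trust this certificate?" question with yes.
    & $Keytool -importcert -trustcacerts -noprompt -alias $Entry.Alias -file $Entry.File `
               -keystore $Keystore -storepass $Plain
    if ($LASTEXITCODE -ne 0) { throw "keytool failed importing alias '$($Entry.Alias)' from $($Entry.File)" }
}

# The tomcat entry must now be a PrivateKeyEntry (key plus CA-signed chain), not a trustedCertEntry.
$Listing = & $Keytool -list -v -alias tomcat -keystore $Keystore -storepass $Plain
if (($Listing -join "`n") -notmatch 'PrivateKeyEntry') {
    throw 'tomcat is not a PrivateKeyEntry: wrong keystore, or the alias does not match the CSR'
}
$Listing | Select-String 'Entry type|Certificate chain length|Owner:|Issuer:|SHA256:'
```

If the Certification Path cannot be built on the server (no issuer found), export the root and intermediate from your CA and run only the import loop with those files.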
APPLY THE CERTIFICATE TO YOUR ENVIRONMENT
To apply the new keystore, go through the following steps:
- Stop the DLP Services (specifically the Manager Service)
- Backup your existing (production) keystore
Default: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\<DLPVersion>\Protect\tomcat\conf\.keystore
- Replace your production .keystore with your working .keystore
Production: C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\.keystore
Working: C:\Users\Administrator\Desktop\Certificates\.keystore
**Note: The working keystore should exist wherever you ran the certificates.bat file from. The above example is where mine was run from, but yours may exist in a different location.
- Once the production .keystore has been replaced with the working .keystore, you simply need to restart the DLP Services in order for the new certificate to take effect.
**Note: If you run into any problems with the new keystore, simply restore your original production .keystore which you should have backed up before replacing. You must restart the services again before the original certificates will be restored.
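The swap described above, as an added PowerShell example that is not part of this article: it stops the Manager service, keeps a dated backup of the production .keystore, copies the working keystore into place, and restores the backup automatically if the service does not come back. The service name, the Enforce version in the path and the working-keystore location are assumptions for your environment.

```powershell
# Added example, not part of the KB article: swaps the working keystore into production with a
# dated backup and restores the backup if the service fails to start.
# Service name, the Enforce version in the path and the working-keystore path are assumptions.
$Service    = 'SymantecDLPManagerService'                          # assumption: your Manager service name
$Production = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\.keystore'
$Working    = 'C:\Users\Administrator\Desktop\Certificates\.keystore'   # wherever certificates.bat was run
$Backup     = "$Production.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

if (-not (Test-Path $Working)) { throw "Working keystore not found at $Working" }
Stop-Service -Name $Service -Force
Copy-Item -Path $Production -Destination $Backup            # keep this until the new certificate is confirmed
Copy-Item -Path $Working    -Destination $Production -Force
try {
    Start-Service -Name $Service -ErrorAction Stop
    (Get-Service -Name $Service).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
    "Service running with the new keystore; backup kept at $Backup"
} catch {
    # Roll back exactly as the note above describes: restore the backup and restart the service.
    Write-Warning "Service did not start with the new keystore ($_). Restoring $Backup."
    Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue
    Copy-Item -Path $Backup -Destination $Production -Force
    Start-Service -Name $Service
}
```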
CONFIRM THE CERTIFICATE IS BEING PRESENTED APPROPRIATELY
- When the login screen loads (this usually takes roughly 60 seconds after a service restart) you should see a lock icon in your browser just to the left of your URL
- First, if the lock is showing as locked, then the certificate is trusted, which is a good sign.
- If the lock is showing as unlocked, then the certificate is not trusted.
- Click on the lock, and you should see an option to View/Open the certificate being presented.
- You can then confirm the details of the certificate match your new certificate.
- If you need more specific confirmation you can match the SHA256 value from your new certificate to the one being presented in the browser.
- Compare the fingerprints of the certificate shown in the browser with those of the certificate in the .keystore. If both the SHA1 and SHA256 values match, the certificate being presented in the browser is the same one that we added to the .keystore.
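The fingerprint check above, as an added PowerShell example that is not part of this article: it completes a TLS handshake with the Enforce UI, computes the SHA-256 fingerprint of the certificate actually presented, and compares it with the SHA256 line keytool prints for the tomcat entry in the production keystore. The host name, keytool path and keystore path are assumptions for your environment.

```powershell
# Added example, not part of the KB article. Compares the SHA-256 fingerprint of the certificate
# the Enforce login page presents with the fingerprint of the "tomcat" entry in the production keystore.
# Host name, keytool path and keystore path are assumptions; change them for your environment.
$EnforceHost = 'enforce.example.local'                                   # assumption
$Keytool     = 'C:\Path\To\jre\bin\keytool.exe'                          # assumption: keytool of the Enforce JRE
$Keystore    = 'C:\Program Files\Symantec\DataLossPrevention\EnforceServer\16.0.10000\Protect\tomcat\conf\.keystore'
$StorePass   = Read-Host -Prompt 'Keystore password (default: protect)' -AsSecureString
$Plain       = [System.Net.NetworkCredential]::new('', $StorePass).Password

function Get-PresentedCertDer {
    param([string]$HostName, [int]$Port = 443)
    # Complete a TLS handshake and return the DER bytes of the leaf certificate the server sends.
    # The validation callback accepts any certificate so an untrusted one can still be inspected;
    # nothing else is sent over the connection.
    $Client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $Accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $Ssl = [System.Net.Security.SslStream]::new($Client.GetStream(), $false, $Accept)
        $Ssl.AuthenticateAsClient($HostName)
        return $Ssl.RemoteCertificate.GetRawCertData()
    } finally { $Client.Close() }
}

function Get-Sha256Fingerprint {
    param([byte[]]$Der)
    # Colon-separated upper-case hex, the same form the browser dialog and keytool -list -v print.
    $Hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Der)
    return (($Hash | ForEach-Object { $_.ToString('X2') }) -join ':')
}

$Presented = Get-Sha256Fingerprint -Der (Get-PresentedCertDer -HostName $EnforceHost)

# keytool prints the chain leaf first, so the first SHA256 line belongs to the server certificate.
$Listing = & $Keytool -list -v -alias tomcat -keystore $Keystore -storepass $Plain
$InStore = ($Listing | Select-String -Pattern 'SHA256:\s*([0-9A-F:]+)' |
            Select-Object -First 1).Matches[0].Groups[1].Value

"Presented by server  : $Presented"
"tomcat entry in store: $InStore"
if ($Presented -eq $InStore) {
    'MATCH: the browser is being served the certificate you imported.'
} else {
    'MISMATCH: the old keystore is still in use; check the service restart and the keystore path.'
}
```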