Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Console Certificate
Article ID: 160518
Products: Data Loss Prevention Enforce, Data Loss Prevention, Data Loss Prevention Enterprise Suite, Data Loss Prevention Core Package
You need to create, sign, and import a signed SSL certificate for Symantec Data Loss Prevention (DLP) Enforce.
There are two main reasons to import a certificate for use in the Enforce Console:
You wish to import a CA-signed certificate to allow most current browsers to automatically trust the Enforce Server administration console. The complete instructions for setting that up are given in the Windows and Linux Install Guides, in the section "About browser certificates".
You wish to enable certificate authentication that allows users to automatically log on to the Enforce Server administration console. The complete instructions for setting that up are given in the About certificate authentication configuration article.
In Windows, all commands need to be executed via CMD with Admin access.
Command to see the hidden ".keystore" file on Linux: ls -la
The instructions below cover chained certificates, which are needed when the Root or Intermediate CA certificates are required to validate the signed certificate. The chained-certificate file format therefore applies in that case; otherwise, the certificate is unsigned, and one would simply import the .cer file.
Many CA-signed certificates are issued as chained certificates, in which the Root or Intermediate CA certificates form a chain that authenticates the signed certificate. The chain should be X.509 compliant and presented with a .pem file extension to be used successfully in this particular keystore. Other formats, such as .p7b, can also be used.
Back up existing keystore.
Windows command: copy <filepath>\.keystore <filepath>\keystore.bkup
It is important to note that the CSR must be generated with all of the same arguments as the key-creation command. If this information is not defined, the certificate you get back from your CA may not be valid.
The tomcat.csr can be created anywhere, but in this case we are creating it in our EnforceCert directory.
Send tomcat.csr to the CA admin so they can generate a signed certificate file in the correct format. Request an X.509 compliant, chained certificate that contains the CA certificates as well.
Copy the provided chained cert file (let's call it tomcat.p7b) to the EnforceCert directory <DRIVE>:\EnforceCert\.
Import the chained certificate.
Note that the following string is one command (the path to keytool contains spaces, so it is quoted): "<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool" -importcert -alias tomcat -keystore <DRIVE>:\EnforceCert\.keystore -trustcacerts -file <DRIVE>:\EnforceCert\tomcat.p7b
Enter the keystore password.
Top-level certificate in reply:
Owner: XXXXXX
Issuer: XXXXXX
Serial number: XXXXXX
Valid from: XXXXXX until: XXXXXX
Certificate fingerprints:
MD5: **Deleted**
SHA1: **Deleted**
...
is not trusted. Install reply anyway? [no]:
Type Y or YES and press ENTER.
Certificate reply was installed in keystore.
Copy the .keystore file from the source (EnforceCert directory) to its final destination (.keystore location).
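The "Install reply anyway?" prompt in the import step appears because the top-level (root) certificate in the reply is not yet trusted by the keystore. As an added check (example code, not from this article), the following POSIX shell script confirms that the chain file actually contains the CA root fingerprint you expect before it runs the import command. It assumes keytool is on the PATH; the root fingerprint is a placeholder and the printcert output is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the KB article. Gate the keytool import on the
# chain file containing the expected CA root, so the "Install reply anyway?"
# prompt is answered yes only for a chain you recognize. Assumed: keytool on
# PATH, chain file tomcat.p7b (or .pem), EXPECTED_ROOT_SHA256 is a placeholder.

# Normalize a fingerprint: strip colons and spaces, uppercase the hex.
norm_fp() {
  printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# Read "keytool -printcert" output on stdin; print one normalized SHA256
# fingerprint per certificate found in the file.
sha256_fingerprints() {
  grep 'SHA256:' | sed 's/.*SHA256: *//' | while IFS= read -r fp; do
    norm_fp "$fp"
    echo
  done
}

# Exit 0 if the expected root fingerprint is among the certificates in the
# printcert output on stdin (any colon/case style is accepted for $1).
chain_contains_root() {
  want=$(norm_fp "$1")
  [ -n "$want" ] && sha256_fingerprints | grep -qx "$want"
}

# Run the import from the article only if the expected root is present.
# $1 keytool path, $2 keystore, $3 chain file, $4 expected root SHA256
import_if_root_present() {
  if ! "$1" -printcert -file "$3" | chain_contains_root "$4"; then
    echo "expected CA root not found in $3; not importing" >&2
    return 1
  fi
  "$1" -importcert -alias tomcat -trustcacerts -keystore "$2" -file "$3"
}

# Constructed sample of keytool -printcert output for a two-certificate chain.
SAMPLE_PRINTCERT='Certificate[1]:
Owner: CN=enforce.example.test
Issuer: CN=Example Issuing CA
SHA1: 11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99:00
SHA256: AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
Certificate[2]:
Owner: CN=Example Root CA
SHA256: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF'

# Placeholder: replace with the SHA256 fingerprint your CA publishes for its root.
EXPECTED_ROOT_SHA256='01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef'
```

On a live system, call import_if_root_present with the keytool path, the .keystore path and tomcat.p7b from the steps above; keytool still asks its own questions, and you answer yes only once this gate has passed.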