How Can We Help?

Search for answers or browse our knowledge base.

Documentation | Demos | Support

< All Topics

How to create, sign, and import an SSL certificate signed by a Trusted Certificate Authority

Keytool.exe location

  • Windows:
    • 14.x and 15.0: <DRIVE>:SymantecDLPjrebin
    • 15.1: <DRIVE>:Program FilesSymantecData Loss PreventionServer JRE1.8.0_162bin
    • 15.5: <DRIVE>:Program FilesSymantecDataLossPreventionServerJRE1.8.0_181​bin
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/jre/bin/
    • 15.1: ​/opt/Symantec/DataLossPrevention/Enforce Server/15.1/jre/bin/
    • 15.5: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin

Note: On Linux, execute ./keytool

.keystore location

  • Windows:
    • 14.x and 15.0: <DRIVE>:​SymantecDLPProtecttomcatconf
    • 15.1: <DRIVE>:Program FilesSymantecData Loss PreventionEnforce Server15.1Protecttomcatconf
    • 15.5: <DRIVE>:Program FilesSymantecDataLossPreventionEnforceServer15.5Protecttomcatconf
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
    • 15.1: ​/opt/Symantec/DataLossPrevention/Enforce Server/Protect/tomcat/conf
    • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/Protect/tomcat/conf​


  • In Linux, all commands must be executed as root.
  • In Windows, all commands need to be executed via CLI with Admin access.
  • Command to see the hidden “.keystore” file: ls -la
  • As per the DLP Admin Guide (p. 151 in 15.7 version), the Tomcat store uses a X.509 certificate must be provided in Distinguished Encoding Rules (DER) format – which is a .cer file.
  • The instructions below involve chained certs, when the Root or Intermediate CAs are required – i.e., “the Signed” certificate. The format of using a .p7b file therefore applies in that instance – otherwise, the cert is unsigned, and one would simply import the .cer file.


  1. Back up existing keystore.
    • Windows command:  copy <14.x/15.0/15.1/15.5 file path>.keystore <14.x/15.0/15.1/15.5 file path>keystore.bkup
      • 14.x and 15.0: C:Protecttomcatconf
      • 15.1: ​C:Program FilesSymantecData Loss PreventionEnforce Server15.1Protecttomcatconf
      • 15.5: C:Program FilesSymantecDataLossPreventionEnforceServer15.5Protecttomcatconf
    • Linux command:  cp  <14.x15.015.115.5 file path>/.keystore <14.x15.015.115.5 file path>/keystore.bkup
      • 14.x and 15.0: /opt/SymantecDLP/protect/tomcat/conf
      • 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/tomcat/conf​
      • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf​
  2. Generate a new keystore file with the required parameters, and register the certificate.
    • Windows command: <14.x15.015.115.5 file path>keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore SymantecDLPjrebin.keystore -validity 365 -storepass protect -dname "CN=SERVERNAME, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US"​
      • 14.x and 15.0 keytool path: C:SymantecDLPjrebin
      • 15.1 keytool path: C:Program FilesSymantecData Loss PreventionEnforce Server15.1jrebin
      • 15.5 keytool path: C:Program FilesSymantecDataLossPreventionServerJRE1.8.0_181bin​
      • 14.x and 15.0 .keystore path
  3. Generate a CSR file
    • SymantecDLPjrebinkeytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass protect -file "VontuEnforce.csr"
  4. Send VontuEnforce.csr to CA admin, so they can generate a chained cert file in the current format.
  5. Copy the VontuEnforce.p7b chained cert file to SymantecDLPjrebin.
  6. Import the chained certificate.
    • SymantecDLPjrebinkeytool -import -alias tomcat -keystore SymantecDLPjrebin.keystore -trustcacerts -file SymantecDLPjrebinVontuEnforce.p7b
    • Enter the keystore password.
      • Top-level certificate in reply:
        Owner: XXXXXX
        Issuer: XXXXXX
        Serial number: XXXXXX
        Valid from: XXXXXX until: XXXXXX
        Certificate fingerprints:
        MD5:  **Deleted**
        SHA1: **Deleted**
        … is not trusted. Install reply anyway? [no]:
    • Type Y or YES and press ENTER.
    • Certificate reply was installed in keystore.
  7. Copy the .keystore file from the source to its final destination.
    • copy SymantecDLPjrebin.keystore Protecttomcatconf.keystore​​
  8. Restart the Vontu Manager (14.x and 15.0) or Symantec DLP Manager (15.1 and 15.5) service.


If you change the keystore password from the default, ‘protect’ when generating a new keystore, you must update the password values in the following two files:

    1. <InstallPath>SymantecDataLossPreventionEnforceServer15.5Protecttomcatconfserver.xml
      •         <Certificate certificateKeystoreFile=”${catalina.base}/conf/.keystore” certificateKeystorePassword=”protect”/>
    2. <InstallPath>
      • # keystore password
        com.vontu.manager.tomcat.keystore.password = protect
Was this article helpful?
0 out of 5 stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.
Table of Contents