How Can We Help?

Search for answers or browse our knowledge base.

Documentation | Demos | Support

< All Topics

How to create, sign, and import an SSL certificate signed by a Trusted Certificate Authority

Keytool.exe location

  • Windows:
    • 14.x and 15.0: <DRIVE>:SymantecDLPjrebin
    • 15.1: <DRIVE>:Program FilesSymantecData Loss PreventionServer JRE1.8.0_162bin
    • 15.5: <DRIVE>:Program FilesSymantecDataLossPreventionServerJRE1.8.0_181​bin
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/jre/bin/
    • 15.1: ​/opt/Symantec/DataLossPrevention/Enforce Server/15.1/jre/bin/
    • 15.5: /opt/Symantec/DataLossPrevention/ServerJRE/1.8.0_181/bin

Note: On Linux, execute ./keytool

.keystore location

  • Windows:
    • 14.x and 15.0: <DRIVE>:​SymantecDLPProtecttomcatconf
    • 15.1: <DRIVE>:Program FilesSymantecData Loss PreventionEnforce Server15.1Protecttomcatconf
    • 15.5: <DRIVE>:Program FilesSymantecDataLossPreventionEnforceServer15.5Protecttomcatconf
  • Linux:
    • 14.x and 15.0: /opt/SymantecDLP/Protect/tomcat/conf
    • 15.1: ​/opt/Symantec/DataLossPrevention/Enforce Server/Protect/tomcat/conf
    • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/Protect/tomcat/conf​


  • In Linux, all commands must be executed as root.
  • In Windows, all commands need to be executed via CLI with Admin access.
  • Command to see the hidden “.keystore” file: ls -la
  • As per the DLP Admin Guide (p. 151 in 15.7 version), the Tomcat store uses a X.509 certificate must be provided in Distinguished Encoding Rules (DER) format – which is a .cer file.
  • The instructions below involve chained certs, when the Root or Intermediate CAs are required – i.e., “the Signed” certificate. The format of using a .p7b file therefore applies in that instance – otherwise, the cert is unsigned, and one would simply import the .cer file.


  1. Back up existing keystore.
    • Windows command:  copy <14.x/15.0/15.1/15.5 file path>.keystore <14.x/15.0/15.1/15.5 file path>keystore.bkup
      • 14.x and 15.0: C:Protecttomcatconf
      • 15.1: ​C:Program FilesSymantecData Loss PreventionEnforce Server15.1Protecttomcatconf
      • 15.5: C:Program FilesSymantecDataLossPreventionEnforceServer15.5Protecttomcatconf
    • Linux command:  cp  <14.x15.015.115.5 file path>/.keystore <14.x15.015.115.5 file path>/keystore.bkup
      • 14.x and 15.0: /opt/SymantecDLP/protect/tomcat/conf
      • 15.1: /opt/Symantec/DataLossPrevention/Enforce Server/15.1/Protect/tomcat/conf​
      • 15.5: /opt/Symantec/DataLossPrevention/EnforceServer/15.5/Protect/tomcat/conf​
  2. Generate a new keystore file with the required parameters, and register the certificate.
    • Windows command: <14.x15.015.115.5 file path>keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore SymantecDLPjrebin.keystore -validity 365 -storepass protect -dname "CN=SERVERNAME, OU=DLP, O=SYMANTEC, L=Cupertino, ST=California, C=US"​
      • 14.x and 15.0 keytool path: C:SymantecDLPjrebin
      • 15.1 keytool path: C:Program FilesSymantecData Loss PreventionEnforce Server15.1jrebin
      • 15.5 keytool path: C:Program FilesSymantecDataLossPreventionServerJRE1.8.0_181bin​
      • 14.x and 15.0 .keystore path
  3. Generate a CSR file
    • SymantecDLPjrebinkeytool -certreq -alias tomcat -keyalg RSA -keystore .keystore -storepass protect -file "VontuEnforce.csr"
  4. Send VontuEnforce.csr to CA admin, so they can generate a chained cert file in the current format.
  5. Copy the VontuEnforce.p7b chained cert file to SymantecDLPjrebin.
  6. Import the chained certificate.
    • SymantecDLPjrebinkeytool -import -alias tomcat -keystore SymantecDLPjrebin.keystore -trustcacerts -file SymantecDLPjrebinVontuEnforce.p7b
    • Enter the keystore password.
      • Top-level certificate in reply:
        Owner: XXXXXX
        Issuer: XXXXXX
        Serial number: XXXXXX
        Valid from: XXXXXX until: XXXXXX
        Certificate fingerprints:
        MD5:  **Deleted**
        SHA1: **Deleted**
        … is not trusted. Install reply anyway? [no]:
    • Type Y or YES and press ENTER.
    • Certificate reply was installed in keystore.
  7. Copy the .keystore file from the source to its final destination.
    • copy SymantecDLPjrebin.keystore Protecttomcatconf.keystore​​
  8. Restart the Vontu Manager (14.x and 15.0) or Symantec DLP Manager (15.1 and 15.5) service.


If you change the keystore password from the default, ‘protect’ when generating a new keystore, you must update the password values in the following two files:

    1. <InstallPath>SymantecDataLossPreventionEnforceServer15.5Protecttomcatconfserver.xml
      •         <Certificate certificateKeystoreFile=”${catalina.base}/conf/.keystore” certificateKeystorePassword=”protect”/>
    2. <InstallPath>
      • # keystore password
        com.vontu.manager.tomcat.keystore.password = protect
Was this article helpful?
0 out of 5 stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?
Please submit the reason for your vote so that we can improve the article.
Previous How to create users in Symantec DLP
Next How to create, start & stop Discover scans in Symantec DLP
Table of Contents