Creating a CSR for Prevent Email in DLP

NOTE: As always, ensure you have a recent backup and read the Symantec Data Loss Prevention documentation prior to changing your configuration.
 
Customers can use the Java keytool to create a CSR and send it to a CA. If the certificates come from a CA, there should be no need to import the Prevent Email public certificate into Exchange, though doing so does no harm.
  1. Check the certificates present in the keystore file using the following command. (This example uses the Windows path; on Linux the keystore is /opt/SymantecDLP/Protect/keystore/prevent.ks, as in the later steps.)
    keytool -list -keystore C:\Vontu\Protect\keystore\prevent.ks

    For verbose output, add "-v" to the command.

  2. Stop the VontuMonitor service. Note: email flow will be impacted while the service is stopped.

  3. Copy the keystore file prevent.ks to prevent.ks.old. This keeps a backup and lets you start from a fresh prevent.ks rather than carrying forward entries that were previously added to it.

  4. Create the key pair for the SMTP Prevent Server using keytool.
    keytool -genkeypair -alias <SMTPPreventHostName> -dname "CN=<SMTPPreventHostName>, OU=Corporate, O=companyname, L=city, S=state, C=US" -keyalg RSA -validity <NumberOfDays> -keysize 2048 -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks

    Notes:
    1. Replace SMTPPreventHostName with the SMTP Prevent host's FQDN. The same value is used for the CN.
    2. Verify the -dname values with Standard Register. Alternatively, omit the -dname option and enter the values interactively at the prompt.
    3. Replace NumberOfDays with the actual number of days this key pair will be valid for.
    4. Make sure the keystore password and the key pair password are the same. The keystore password will be configured in the management console.

  5. Generate the certificate signing request (the prevent_csr_request.csr file) from the SMTP Prevent Server.
    keytool -certreq -alias <SMTPPreventHostName> -file /opt/SymantecDLP/Protect/keystore/prevent_csr_request.csr -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks

  6. Submit the prevent_csr_request.csr file to the CA to have the certificate issued.

  7. Import the issuing root CA as a trusted certificate in the keystore file.
    keytool -importcert -trustcacerts -alias <TrustedCertAlias> -file /opt/SymantecDLP/Protect/keystore/<TrustedCert_File.cer> -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks

    Note: TrustedCert_File.cer is the file containing the trusted CA certificate. Repeat this step for each intermediate or sub-CA in the certificate chain.

  8. Import the certificate issued to the SMTP Prevent server into the keystore file.
    keytool -importcert -alias <SMTPPreventHostName> -file /opt/SymantecDLP/Protect/keystore/<Certificate_Issued.cer> -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks

  9. Import the next-hop certificate into the SMTP Prevent keystore file. The certificate can be retrieved using openssl.
    keytool -importcert -trustcacerts -alias mail.messaging.microsoft.com -file /opt/SymantecDLP/Protect/keystore/<fope.cer> -keystore /opt/SymantecDLP/Protect/keystore/prevent.ks

  10. Start the VontuMonitor service.
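The following script is an added example, not part of this article or of the Symantec DLP product, that wraps steps 3 to 9 above for a Linux Prevent server. It assumes keytool and openssl are on PATH, that the keystore password is exported as KS_PASS (keytool's -storepass:env form reads it from the environment so it never appears in a process listing), that KEYSTORE_DIR is the Prevent keystore directory, and that the next-hop MTA accepts STARTTLS on port 25. The -dname values other than CN are the placeholders from step 4; the subcommand names prepare and import are this script's own.

```shell
#!/bin/sh
# Added example wrapping the keytool steps of the article (assumed layout:
# keystore in KEYSTORE_DIR, password exported as KS_PASS).
KEYSTORE_DIR=${KEYSTORE_DIR:-/opt/SymantecDLP/Protect/keystore}
KS="$KEYSTORE_DIR/prevent.ks"
CSR="$KEYSTORE_DIR/prevent_csr_request.csr"

# Accept only a plausible FQDN for the alias/CN: dotted labels of letters, digits, hyphens.
validate_fqdn() {
  printf '%s\n' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Validity must be a positive integer number of days.
validate_days() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# Build the -dname string from step 4; CN is the Prevent host's FQDN.
build_dname() {
  printf 'CN=%s, OU=%s, O=%s, L=%s, S=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Steps 3-5: retire the old keystore, create the RSA key pair, write the CSR.
prepare() {
  host=$1; days=$2
  validate_fqdn "$host" || { echo "invalid FQDN: $host" >&2; return 1; }
  validate_days "$days" || { echo "invalid validity: $days" >&2; return 1; }
  [ -n "${KS_PASS:-}" ] || { echo "export KS_PASS first" >&2; return 1; }
  # Rename rather than copy so -genkeypair starts a fresh prevent.ks (the intent of step 3).
  if [ -f "$KS" ]; then mv "$KS" "$KS.old"; fi
  dname=$(build_dname "$host" Corporate companyname city state US)  # placeholders from step 4
  # Same password for keystore and key, as step 4 note 4 requires.
  keytool -genkeypair -alias "$host" -dname "$dname" -keyalg RSA -keysize 2048 \
    -validity "$days" -keystore "$KS" -storepass:env KS_PASS -keypass:env KS_PASS
  keytool -certreq -alias "$host" -file "$CSR" -keystore "$KS" -storepass:env KS_PASS
  # Sanity-check the CSR signature and subject before sending it to the CA.
  openssl req -in "$CSR" -noout -verify -subject
}

# Step 9 helper: pull the next-hop MTA's certificate over STARTTLS (port 25 assumed).
fetch_next_hop_cert() {
  openssl s_client -connect "$1:25" -starttls smtp -showcerts </dev/null 2>/dev/null |
    openssl x509 -outform PEM > "$2"
}

# Steps 7-9: import the CA chain, the issued certificate and the next-hop certificate,
# then confirm the alias now carries a chain rather than a bare self-signed entry.
import_certs() {
  host=$1; issued=$2; next_hop=$3; shift 3
  for ca in "$@"; do  # pass the root first, then any intermediates
    keytool -importcert -trustcacerts -noprompt -alias "ca-$(basename "$ca" .cer)" \
      -file "$ca" -keystore "$KS" -storepass:env KS_PASS
  done
  keytool -importcert -alias "$host" -file "$issued" -keystore "$KS" -storepass:env KS_PASS
  fetch_next_hop_cert "$next_hop" "$KEYSTORE_DIR/nexthop.cer"
  keytool -importcert -trustcacerts -noprompt -alias "$next_hop" \
    -file "$KEYSTORE_DIR/nexthop.cer" -keystore "$KS" -storepass:env KS_PASS
  # A length of 2 or more means the CA reply was accepted against the key pair.
  keytool -list -v -keystore "$KS" -storepass:env KS_PASS -alias "$host" | grep 'Certificate chain length'
}

case "${1:-}" in
  prepare) shift; prepare "$@" ;;
  import)  shift; import_certs "$@" ;;
  *) echo "usage: $0 prepare <FQDN> <days> | import <FQDN> <issued.cer> <nexthop-host> <ca.cer>..." >&2 ;;
esac
```

Run `prepare` with the VontuMonitor service stopped (step 2), send the CSR to the CA, then run `import` with the issued certificate, the next-hop host name and the CA chain files, and start the service again (step 10). The final keytool -list line is the check worth reading: if the chain length is still 1, the issued certificate did not match the key pair or the CA chain was not trusted, and Prevent would continue to present the self-signed certificate.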