About sslkeytool Command Line Options
The sslkeytool is a command-line utility that generates a unique pair of SSL certificates (keystore files).
The sslkeytool utility is located in the following directory, depending on your platform:
- Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin
- Linux: /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin
It must run under the Symantec Data Loss Prevention operating system user account, which is "protect" by default. You must also run the sslkeytool utility directly on the Enforce Server computer.
The following table lists the command forms and options that are available for the sslkeytool utility:
Command and options | Description |
|---|---|
sslKeyTool -genkey [-dir=<directory> -alias=<aliasFile>] | Use this command form the first time you generate unique certificates for your Symantec Data Loss Prevention installation. By default it generates two unique certificates (keystore files): one for the Enforce Server and one shared by the detection servers. The optional -dir argument specifies the directory where the keystore files are placed. The optional -alias argument additionally generates one keystore file for each alias listed in aliasFile, so that every detection server in your system gets its own certificate rather than all of them sharing the same one. |
sslKeyTool -list=<file> | This command lists the content of the specified keystore file. |
sslKeyTool -alias=<aliasFile> -enforce=<enforceKeystoreFile> [-dir=<directory>] | Use this command form to add new detection server certificates to an existing Symantec Data Loss Prevention installation. It generates one certificate file per detection server, using the aliases you define in aliasFile, and requires an existing Enforce Server keystore file, which is used when generating the new detection server keystore files. The optional -dir argument specifies the directory where the keystore files are placed. If you do not specify -dir, the Enforce Server keystore file must be in the current directory, and the monitor certificates are written to the current directory. If you do specify -dir, the Enforce Server keystore file must already be in the specified directory. |
The following table provides examples that demonstrate the usage of the sslkeytool command forms and options.
Example | Description |
|---|---|
sslkeytool -genkey | This command generates two keystore files: one for the Enforce Server and one for the detection servers. Unless you specify a different directory with the -dir argument, both files are created in the bin directory where the sslkeytool utility resides. |
sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore | Without the -dir option, the Enforce Server keystore file must be in the current directory, and the new detection server keystore file(s) are created in the current directory. |
Windows: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=C:\TEMP Linux: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=/opt/temp | With -dir=C:\TEMP on Windows or -dir=/opt/temp on Linux, the Enforce Server keystore file must be in C:\TEMP or /opt/temp, respectively, and the new detection server keystore file(s) are created in that same directory. Give -dir an absolute path; a relative path is resolved against the current directory. |
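The following script is an added example, not a Symantec script, that wraps the command forms above for a first-time generation on the Enforce Server: it refuses to run as the wrong OS user, builds the alias file from the detection server host names you pass in (rejecting duplicates and anything that is not a plain host name, since the file feeds a command line), runs the -genkey form into a target directory, restricts the resulting keystore files to their owner because they hold private keys, and lists each one. It also implements the second command form with the documented precondition check that the Enforce keystore already sits in the -dir directory. Assumptions, all of this example and not from the page: the tool path defaults to the documented 15.8 Linux location and can be overridden with SSLKEYTOOL, the required user defaults to protect, the host names in the usage line are made up, and keystore files are recognised by the .sslkeystore suffix shown on this page (the .sslKeyStore spelling is accepted as well).

```shell
#!/bin/sh
# Added example (not a Symantec script): wraps the sslkeytool command forms
# documented above for a first-time certificate generation on the Enforce
# Server. Assumed values: the tool path defaults to the documented 15.8 Linux
# location, the required OS user to "protect"; host names on the command line
# are the operator's own. All are overridable.

SSLKEYTOOL="${SSLKEYTOOL:-/opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin/sslkeytool}"
REQUIRED_USER="${REQUIRED_USER:-protect}"
# One label per DNS name and no shell metacharacters: the alias file is fed
# back into a command line, so anything else is rejected, not passed through.
HOST_RE='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'

# check_user: sslkeytool must run under the DLP operating system account.
check_user() {
    [ "$(id -un)" = "$REQUIRED_USER" ]
}

# write_alias_file FILE HOST...: one alias per line for the -alias option.
# Duplicates are dropped so no two detection servers share a keystore; an
# invalid name aborts before anything is written.
write_alias_file() {
    out="$1"; shift
    [ "$#" -gt 0 ] || { echo "write_alias_file: no aliases given" >&2; return 1; }
    for h in "$@"; do
        printf '%s\n' "$h" | grep -Eq "$HOST_RE" || {
            echo "write_alias_file: rejecting invalid alias '$h'" >&2
            return 1
        }
    done
    printf '%s\n' "$@" | sort -u > "$out"
}

# lock_down_keystores DIR: the keystores hold private keys, so restrict them
# to the owner as soon as they exist. Prints the number of files changed.
# (Suffix match is an assumption based on the file name shown on this page.)
lock_down_keystores() {
    n=0
    for f in "$1"/*; do
        case "$f" in
            *.sslkeystore|*.sslKeyStore) chmod 600 "$f"; n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# keystore_mode FILE: the ls permission string, for verifying the lock-down.
keystore_mode() {
    ls -ld "$1" | cut -c1-10
}

# add_detection_servers DIR ALIASFILE ENFORCE_KEYSTORE: the second command
# form. With -dir the Enforce keystore must already be in that directory, so
# check that before invoking the tool.
add_detection_servers() {
    dir="$1"; aliasfile="$2"; enforce_ks="$3"
    [ -f "$dir/$enforce_ks" ] || {
        echo "add_detection_servers: $enforce_ks not found in $dir" >&2
        return 1
    }
    "$SSLKEYTOOL" -alias="$aliasfile" -enforce="$enforce_ks" -dir="$dir"
}

# main DIR HOST...: first-time generation. The alias file is written to the
# current directory, as in the documented examples; keystores go to DIR.
main() {
    dir="$1"; shift
    check_user || { echo "run sslkeytool as $REQUIRED_USER, not $(id -un)" >&2; return 1; }
    mkdir -p "$dir"
    write_alias_file Monitor.list.txt "$@" || return 1
    "$SSLKEYTOOL" -genkey -dir="$dir" -alias=Monitor.list.txt || return 1
    n=$(lock_down_keystores "$dir")
    echo "generated and locked down $n keystore file(s) in $dir"
    for f in "$dir"/*; do
        case "$f" in
            *.sslkeystore|*.sslKeyStore) "$SSLKEYTOOL" -list="$f" ;;
        esac
    done
}

# Usage (host names are made up for this example):
#   sh gen_dlp_keystores.sh /opt/temp dlp-mon1.example.com dlp-mon2.example.com
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as the protect user on the Enforce Server with an absolute target directory; the alias file lands in the current directory, matching the documented invocation, and the keystores in the target directory with mode 600. The same precondition check in add_detection_servers is what catches the most common mistake with the second command form: passing -dir while the Enforce keystore still sits in the bin directory.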