About sslkeytool Command Line Options

The sslkeytool is a command-line utility that generates a unique pair of SSL certificates (keystore files).
The sslkeytool utility is located in the following directory, depending on your platform:
  • Windows: c:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.8.00000\Protect\bin
  • Linux: /opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin
It must run under the Symantec Data Loss Prevention operating system user account, which by default is “protect.” You must also run the sslkeytool utility directly on the Enforce Server computer.
The following table lists the command forms and options that are available for the sslkeytool utility:

sslKeyTool Command Forms and Options

Command and options: sslKeyTool -genkey [-dir=<directory> -alias=<aliasFile>]
Description: Use this command form the first time you generate unique certificates for your Symantec Data Loss Prevention installation.
  By default, this command generates two unique certificates (keystore files): one for the Enforce Server and one for the detection servers. The optional -dir argument specifies the directory where the keystore files are placed. The optional -alias argument generates an additional keystore file for each alias listed in aliasFile. Use the alias file to generate a unique certificate for each detection server in your system, rather than using the same certificate on every detection server.

Command and options: sslKeyTool -list=<file>
Description: This command lists the content of the specified keystore file.

Command and options: sslKeyTool -alias=<aliasFile> -enforce=<enforceKeystoreFile> [-dir=<directory>]
Description: Use this command form to add new detection server certificates to an existing Symantec Data Loss Prevention installation.
  This command generates multiple certificate files for detection servers using the aliases you define in aliasFile. You must specify an existing Enforce Server keystore file to use when generating the new detection server keystore files. The optional -dir argument specifies the directory where the keystore files are placed.
  If you do not specify the -dir option, the Enforce Server keystore file must be in the current directory, and the monitor certificates are created in the current directory. If you do specify the -dir argument, you must also place the Enforce Server keystore file in the specified directory.
The following table provides examples that demonstrate the usage of the sslkeytool command forms and options.

sslKeyTool Examples

Example: sslkeytool -genkey
Description: This command generates two files:
  • enforce.timestamp.sslKeyStore
  • monitor.timestamp.sslKeyStore
  Unless you specified a different directory with the -dir argument, these two keystore files are created in the bin directory where the sslkeytool utility resides.

Example: sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore
Description: Without the directory option -dir, the Enforce Server certificate must be in the current directory. The new detection server certificate(s) are created in the current directory.

Example (Windows): sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=C:\TEMP
Example (Linux): sslkeytool -alias=Monitor.list.txt -enforce=enforce.date.sslkeystore -dir=opt/temp
Description: With the directory option -dir=C:\TEMP for Windows or -dir=opt/temp for Linux, the Enforce Server certificate must be in the C:\TEMP or opt/temp directory, respectively. The new detection server certificate(s) are created in the C:\TEMP or opt/temp directory.
  Use an absolute path for the -dir option unless you intend the path to be resolved relative to the current directory.
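The following POSIX shell wrapper is an added example and is not part of this documentation or the sslkeytool utility itself. It builds the alias file for the "add detection server certificates" command form and enforces the rule stated above before calling sslkeytool: with -dir, the Enforce Server keystore must already sit in that directory; without -dir, it must sit in the current directory. The SSLKEYTOOL path, the DRY_RUN switch and the sample alias names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Symantec's code. Wraps:
#   sslkeytool -alias=<aliasFile> -enforce=<enforceKeystoreFile> [-dir=<directory>]
# SSLKEYTOOL (Linux default location from the docs) and DRY_RUN are assumptions.
SSLKEYTOOL="${SSLKEYTOOL:-/opt/Symantec/DataLossPrevention/EnforceServer/15.8.00000/protect/bin/sslkeytool}"

# Write the alias file: one alias per line, one line per detection server.
write_alias_file() {
    file=$1; shift
    : > "$file"
    for alias in "$@"; do printf '%s\n' "$alias" >> "$file"; done
}

# Succeed only if the Enforce keystore is where sslkeytool will look for it:
# in the -dir directory when given, otherwise in the current directory.
check_enforce_keystore() {
    # $1 = -dir value ("" means current directory), $2 = Enforce keystore file name
    [ -f "${1:-.}/$2" ]
}

# Print the exact sslkeytool command line for the given inputs.
build_command() {
    # $1 = alias file, $2 = Enforce keystore file name, $3 = -dir value or ""
    cmd="$SSLKEYTOOL -alias=$1 -enforce=$2"
    [ -n "$3" ] && cmd="$cmd -dir=$3"
    printf '%s\n' "$cmd"
}

# Pre-flight check, then run sslkeytool (the run is skipped when DRY_RUN=1).
add_monitor_certs() {
    if ! check_enforce_keystore "$3" "$2"; then
        echo "error: $2 not found in ${3:-.}; place it there before running sslkeytool" >&2
        return 1
    fi
    build_command "$1" "$2" "$3"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    "$SSLKEYTOOL" "-alias=$1" "-enforce=$2" ${3:+"-dir=$3"}
}
```

Example usage (constructed alias names): write_alias_file Monitor.list.txt monitor-a monitor-b, then add_monitor_certs Monitor.list.txt enforce.date.sslkeystore /opt/temp.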