One needs information on how to export a DC certificate, in addtion to importing the certificate to be used for the SSIM Agent/Collector for encrypted communications.
When setting up a DC: Under Server Manager > Role Summary > Add Roles in Windows Server 2008, “Active Directory Certificate Services” and “Active Directory Domain Services” need to be installed prior to the steps below. You may need to add one role at a time since adding both at the same time is not possible. May require reboots in between adding roles.
Receive the Certificate
- Install the agent and bootstrap to the Symantec Security Information Manager (SSIM).
- Click Start > Run and type mmc in the Open text box and click OK.
- In the console, go to File > "Add/Remove Snap-in".
- Select Computer account, click Next
- Select Local computer, and click Finish.
- in the "Add/Remove Snap-ins" window verify that the "Certificates (local computer)" is present in the Selected snap-ins pane, then click OK.
- In the mmc, expand the "Certificates (local computer)" tree and select the Personal subfolder.
- Right click on the Personal folder and select All tasks > Request new certificate
- Select Domain Controller as seen in the screenshot below, then click Enroll.
- On the right, click Details before Finish.
- Click View Certificate and go to the Details tab.
- At the bottom right, click Copy to File.
The export wizard displays. The exported cert is needed later.
- At the "Export Private Key" window, do not export the private key
- On the Export File Format, select DER encoded binary X.509 (CER).
- For File to Export, click Browse and choose a location and name to save the certificate by.
By default certificates are saved to: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
- Click Save.
- Exit the mmc window and save the console, in case you need to access it later.
Now Install the Symantec Event Agent (if it is not already) and the Symantec Microsoft Vista Collector.
Run the keytool command
- Click Start > Run.
- In the Open text box, type cmd and click OK.
- Change directories into the Event Agent\jre\bin directory.
By default this is C:\Program Files\Symantec\Event Agent\jre\bin
- Run the command:
keytool.exe -importcert -trustcacerts -alias <cert-alias-name> -file <Location of exported certificat file> -keystore "C:\Program Files\Symantec\Event Agent\jre\lib\security\cacerts" -storepass changeit
Note: The <cert-alias-name> can be anything you want.