Replace or update the default Self-Signed or 3rd (Third) Party Certificate used by the LiveUpdate Administrator (LUA) server for HTTPS communications.

LiveUpdate Administrator

The LUA Tomcat server uses a Java keystore (JKS) to securely house its public and private key pair. This file is password protected with a proprietary password. You must create a new JKS file, and generate or obtain a new certificate to replace the LUA certificate. LUA supports both self-signed certificates and Certificate Authority (CA) signed certificates.

Obtain a new certificate

Most large organizations have specific Public Key Infrastructure (PKI) requirements. Work with the PKI experts in your organization to determine what type of certificate you require: a self-signed certificate, an internal CA-signed certificate, or a public CA-signed certificate. Generate or obtain a new certificate based on your organizational requirements. If you have no organizational PKI requirements, you can use the Java keytool program to generate a new self-signed certificate, or leave the default self-signed certificate in place.

Generate a new JKS

1. Use Java's keytool program to generate a key JKS file named server-cert.ssl.  Keytool is installed in the LiveUpdate Administrator folder structure, typically C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\keytool.
2. Make note of the keystore password used when generating the JKS file.  
   
   Note: Avoid using the '&' character in your keystore password.  

note: For more information on the Java keytool, see Oracle's public documentation here: https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Import the new certificate

1. Import the new LUA certificate using the same program used to generate the new JKS file
2. For CA-signed certificates signed by an untrusted intermediary CA that chains to a trusted root CA, import the intermediary CA certificate(s)

Replace server-cert.ssl

1. Save a backup copy of the original server-cert.ssl file (C:\Program Files (x86)\Symantec\LIveUpate Administrator\server-cert.ssl by default)
2. Replace the original server-cert.ssl with the newly generated JKS file created above

Encrypt the keystore password

1. Open a command prompt as Administrator
2. Change directories to the LUA WEB-INF library folder (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\webapps\lua\WEB-INF\lib by default)
3. Run the following command:

   
   "C:\Program Files (x86)\Symantec\LiveUpdate Administrator\jre\bin\java.exe" -cp ssl-lua.jar;commons-codec-1.10.jar;"C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\lib\tomcat-util.jar" com.symantec.lua.SSLPasswordDecrypt <JKS Password>
   
   

4. Copy the encrypted JKS password output by this command

Update catalina.properties

1. Open catalina.properties (C:\Program Files (x86)\Symantec\LiveUpdate Administrator\tomcat\conf\catalina.properties by default) in a text editor
2. Change the ks.password value to the new encrypted keystore password output in the previous steps
3. Save the changes and restart the LUA Apache Tomcat service

Note: Customization of the LUA's default certificate is unsupported by Symantec support.