Video Screencast Help

No keystore.jks file - Need to import certificate

Created: 11 Feb 2013 • Updated: 12 Feb 2013 | 12 comments
This issue has been solved. See solution.


Although I have no keystore.jks file, I do have the certificate information from an old sylink.xml file. How would I import this certificate information from the sylink.xml file into SEPM? Any attempt I make to import a certificate, results in the wizard prompting for some sort of file like the keystore.jks.

I do have all the other bits of information to recover the SEPM. Only the importing of the certificate info is preventing me from moving forward.

Thanks, Steve.

Comments 12 CommentsJump to latest comment

SebastianZ's picture

Do you have SEPM 12.1 or 11.x? - have a look here:

Symantec Endpoint Protection 12.1: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

Symantec Endpoint Protection 11.x: Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager

As per notes from the KB:


The keystore contains the private-public key pair and the self-signed certificate.

During the installation, these files were backed up to the directory that is named \\Program Files\Symantec\Symantec Endpoint Protection Manager\Server Private Key Backup.

You can also back up these files from the Admin panel in the Symantec Endpoint Protection Manager Console.


Are you able to recover that file from the backup you have?

Steve23's picture

Hi Sebastian,

Thanks for the reply.

No, it was a pretty bad hardware failure and we lost everything. Now we have 3000+ clients attempting to connect to the parent, and the only issue I can see is that they're using an old certificate that the new server install is NOT using.

I have the Domain ID and the encryption password, just no keystore.jks file. However, I do have the old certificate details in an old sylink.xml file. Just need to figure out how to import the details onto the server.

Unfortunately not all 3000+ clients are on a domain, so using the sylink drop tool to drop the new sylink.xml file is not an option.

There must be some way to import these certificate details without a file.

Thanks again, Steve.

SebastianZ's picture

Are you already on SEPM 12.1 RU2?- this one offers a more automated way to replace the communications settings on clients:

Other possibility prior to RU2:

I have checked regarding any way to work this around without having the backup of keystore.jks - but I am affraid could not find here any other way;/

Steve23's picture

What does the keystore.jks file contain? Is it just the Encryption Password?

If yes, then I could use a newly exported keystore.jks file along with a text file containing the old certificate information. Does that make sense?

SebastianZ's picture

The  keystore.jks contains the private-public key pair and the self-signed certificate. But the main issue is the content of the keystore.jks  is encrypted and protected by a password which can be found by searching for "keystorepass" in "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\conf\server.xml".  I understand you have the password - but without the file itself I am afraid is not much of use.

If restoring the communications settings on clients to point them to new SEPM is not an option - I would advice to contact the Customer suppport in symantec - maybe they will come up with some kind of idea but I am really not sure if the certificate details from old sylink.xml will be enough to recreate the .jks file.

Some more information about certificates in SEPM:

About server certificate types
Article:HOWTO55397      |      Created: 2011-06-29      |      Updated: 2011-12-17      |      Article URL

SebastianZ's picture

Sure, let me know if you will go for the recreating of communications settings for the clients and if any other queries arise with it.

Steve23's picture

If I deselect "Enable secure communications..." in the SEPM, the clients still won't maintain a connection. But if I also edit the client's sylink.xml file and change VerifySignatures="1" to VerifySignatures="0", it works and the client stays connected.

So I wonder what the point of having "Enable secure communications..." if deselecting it on the SEPM still doesn't allow clients to connect.

Steve23's picture

I have extracted the contents of the "new" jks file using keytool.exe. Can I now use the extracted info with the old certificate information, to create a new jks file?

SebastianZ's picture

To be honest I haven't used this tool before. Found few more symantec documents - maybe will help you a bit:

Steve23's picture

So I found a backup of the keystore file and I was able to restore communication. Clients are checking in again.

Thanks Sebastian for all of your time.


SebastianZ's picture

That's great to hear Steve. Having backup is always the easiest way to go. Glad I could help. Please do remember to mark any post that you feel was most helpful to you as solution to this thread. Thanks