Cisco Email Security Appliance C170 User Guide

Cisco AsyncOS 9.0 for Email User Guide
 
Chapter 17      Data Loss Prevention
  RSA Enterprise Manager
When configuring the SSL connection, the Enterprise Manager server is the server and the Email 
Security appliance is the client. 
Complete all of the following procedures: 
Generating Client and Server Certificates using RSA’s Certificate Tool
RSA provides a certificate generation tool that you can use to generate a single .p12 file that you can use 
as both the server and client certificate for the connection. If you want to use different certificates for 
the appliance and the Enterprise Manager server, you must get them from another source. 
This tool creates and stores two files on the Enterprise Manager server: the .p12 certificate file and a 
.pem certificate file. If you want to use the .p12 file, you must also import the .pem file onto the Email 
Security appliance as a certificate authority list. 
For more information, see the RSA documentation. 
Procedure
Step 1  Open a command prompt on the Enterprise Manager server.
Step 2  Change to C:\Program Files\RSA\Enterprise Manager\etc.
Step 3  Run the following command:
"%JAVA_HOME%/bin/java" -cp ./emcerttool.jar com.rsa.dlp.tem.X509CertGenerator -clientservercasigned -cacn <NAME OF CA PROVIDED DURING INSTALL> -cakeystore catem-keystore -castorepass <PASSWORD FOR CA PROVIDED DURING INSTALL> -cn <DEVICE_CN> -storepass <DEVICE STORE PASSWORD> -keystore <NAME OF DEVICE STORE>
Note  The common name of the certificate must be the hostname of the Email Security appliance. If Enterprise Manager manages the connected Email Security appliances at the group or cluster level, each appliance requires a certificate with a Common Name that matches the hostname of that appliance.
A sample command may look like the following:
"%JAVA_HOME%/bin/java" -cp ./emcerttool.jar com.rsa.dlp.tem.X509CertGenerator -clientservercasigned -cacn emc-cisco -cakeystore catem-keystore -castorepass esaem -cn ironport -storepass esaem -keystore device-store
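
A pre-import check for the two files the tool produces, as an added example that is not part of the Cisco guide or RSA's tooling: it confirms that the certificate's Common Name matches the appliance hostname and that the certificate verifies against the .pem CA list. It assumes OpenSSL is available on the machine holding the files; the file names, the P12_PASS variable and the function names are placeholders chosen here.

```sh
#!/bin/sh
# Added example, not from the Cisco guide or RSA's tool. Pre-import check of a
# device keystore: the CN must equal the appliance hostname, and the certificate
# must verify against the .pem CA list that will be imported on the appliance.
# Assumptions: all file names are placeholders; the keystore password is read
# from the exported P12_PASS variable, which keeps it off the command line.
# OpenSSL 3.x may need "-legacy" on the pkcs12 call for older keystore ciphers.

# Print the device (leaf) certificate from a .p12 as PEM; no keys are exported.
p12_leaf_pem() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# Print the subject Common Name of the PEM certificate on stdin.
cert_cn() {
    openssl x509 -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_device_cert P12 CA_PEM HOSTNAME
# 0 = ok, 1 = CN mismatch, 2 = keystore unreadable, 3 = not signed by CA_PEM
check_device_cert() {
    leaf=$(p12_leaf_pem "$1") || leaf=
    if [ -z "$leaf" ]; then
        echo "no device certificate read from $1 (check P12_PASS)" >&2
        return 2
    fi
    cn=$(printf '%s\n' "$leaf" | cert_cn)
    if [ "$(lower "$cn")" != "$(lower "$3")" ]; then
        echo "CN '$cn' does not match appliance hostname '$3'" >&2
        return 1
    fi
    if ! printf '%s\n' "$leaf" |
            openssl verify -no-CApath -CAfile "$2" >/dev/null 2>&1; then
        echo "certificate does not verify against $2" >&2
        return 3
    fi
    echo "OK: CN=$cn, signed by a CA in $2"
}

# Usage (placeholder names), after "export P12_PASS":
#   check_device_cert device.p12 ca.pem esa-hostname
```

For group or cluster deployments, run the check once per appliance with that appliance's own hostname.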