There are several steps required to establish a trusted identity for any OpenEdge TLS server using the pkiutil command-line utility.

CAUTION:

While the default_server keystore entry provided by the Progress Server Certificate Authority also uses a default password ("password"), you must password-protect any private keystore entries that you create from a public-key certificate issued by a trusted external CA. The secrecy of your password is critical to using this keystore entry for authenticating a server.

To establish and maintain a trusted TLS server identity using the pkiutil utility:

  1. Use the -newreq operation to generate a proposed public/private key pair together with a digital certificate request that is suitable for sending to any CA for authorization. You must provide a password to secure this certificate request. You must later provide this password to any OpenEdge server that you want to access this keystore entry for securing TLS connections to it. See Supply a keystore entry password to an OpenEdge server.
  2. Use e-mail (or any method required by the CA) to submit the certificate request to the trusted CA, who returns a digital certificate that is signed by the CA. This process authenticates any server providing access to the private key.
  3. Use the -import operation to import the CA-signed digital certificate and store it together with the associated private key as an entry in the keystore.
  4. Use the -display or -list operations to review an individual digital certificate file or any keystore entries for important digital certificate information, such as expiration dates.
  5. Use the -remove operation to remove any unused or expired keystore entries that you specify and retain them in a backup area of the keystore.

Note: For an overview of the pkiutil command-line utility, see Use pkiutil to manage an OpenEdge keystore.
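The following script is an added example and is not part of the OpenEdge documentation or of pkiutil itself. It wraps steps 1, 3, 4 and 5 above as shell functions for one keystore entry, so the sequence can be rehearsed in a dry-run mode before any command runs, and it refuses to attempt the import of step 3 until the CA-signed certificate from step 2 is actually present. The alias name, the certificate file name and the exact positional argument layout of each pkiutil operation are assumptions for illustration; confirm the real syntax for your release with the pkiutil help output before relying on it.

```shell
#!/bin/sh
# Added example, not OpenEdge's own code. Drives the five pkiutil steps for
# one keystore entry. The argument layout of each pkiutil operation
# (alias, certificate file) is ASSUMED; verify it against your release.
set -eu

ALIAS="${1:-myserver}"          # keystore entry alias (constructed value)
SIGNED_CERT="${2:-$ALIAS.crt}"  # CA-signed certificate returned in step 2
: "${DRY_RUN:=1}"               # DRY_RUN=1 prints each command instead of running it

# run_or_echo: in dry-run mode prints the pkiutil command line that would be
# executed; otherwise runs pkiutil with exactly those arguments.
run_or_echo() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'pkiutil %s\n' "$*"
    else
        pkiutil "$@"
    fi
}

# Step 1: generate the key pair and the certificate request for the alias.
# The entry password is entered at pkiutil's prompt (assumed behaviour) and
# deliberately not passed on the command line, where it would be visible in
# the process list and shell history. The same password must later be
# supplied to the OpenEdge server that uses this entry.
step_newreq() {
    run_or_echo -newreq "$ALIAS"
}

# Step 3: import the CA-signed certificate against the pending private key.
# Fails early if the certificate from step 2 has not arrived yet, so the
# keystore is never left with a half-completed entry.
step_import() {
    if [ ! -f "$SIGNED_CERT" ]; then
        echo "step_import: signed certificate '$SIGNED_CERT' not found; complete step 2 first" >&2
        return 1
    fi
    run_or_echo -import "$ALIAS" "$SIGNED_CERT"
}

# Step 4: review the certificate file and the keystore entry (expiry dates,
# issuer, subject). Run this periodically, not only at installation time.
step_review() {
    run_or_echo -display "$SIGNED_CERT"
    run_or_echo -list "$ALIAS"
}

# Step 5: retire an unused or expired entry. pkiutil keeps the removed entry
# in a backup area of the keystore, as described in the documentation.
step_remove() {
    run_or_echo -remove "$ALIAS"
}

# Runs the whole sequence in order when RUN_STEPS=1 is set; by default the
# functions are only defined so the script can be sourced and stepped through.
if [ "${RUN_STEPS:-0}" = 1 ]; then
    step_newreq
    step_import
    step_review
fi
```

Usage: source the script (`. ./pkiutil-steps.sh myserver myserver.crt`) and call `step_newreq`, then `step_import` once the CA has returned the signed certificate, then `step_review`; set `DRY_RUN=0` only after the printed commands match the syntax of your pkiutil release.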