The OpenEdge keystore maintains private keys and digital certificates for OpenEdge TLS servers in several locations. These include private keys and digital certificates that you have had authorized by a CA and imported for use by a TLS server, as well as private keys and public-key certificate requests that you have generated and that are pending authorization by a CA. You must manage this keystore entirely with the pkiutil command-line utility. See Use pkiutil to manage an OpenEdge keystore for additional information.

The keystore resides in the OpenEdge-Install-Dir\keys directory. This directory contains the following files and subdirectories:

  • alias.pem—Files that each contain a single keystore entry. You create an entry from an imported CA-authorized digital certificate, which contains the public key, joined with the private key that you generated along with the original public-key certificate request. Each file is named with the alias that you chose for the original private key and certificate request using the -newreq operation of pkiutil. The initial keystore entry is the default OpenEdge entry default_server.pem, as authorized by the Progress Software Corporation CA. For more information about this default keystore entry, see Introduction to Security and Auditing.
  • policy—A subdirectory containing a pscpki.cnf configuration file. The pkiutil utility uses this file to control the process of generating new TLS server private/public keys and generating digital certificate requests that can be sent to a CA in order to obtain a public-key certificate for the OpenEdge TLS server. Initially, this is the only subdirectory.
  • requests—A subdirectory containing all newly generated private keys and public-key certificate requests in the form of the following two files:
    • alias.pk1—This file holds the PKCS #1-formatted, password-encrypted, private key for the given keystore alias entry.
    • alias.pk10—This file holds the PKCS #10-formatted public-key certificate request that you send to a CA to obtain the TLS server's public-key certificate for the given keystore alias entry.
  • backup—A subdirectory containing any removed keystore entries. The pkiutil utility removes an existing keystore entry when you:
    • Explicitly remove it using the -remove operation of pkiutil.
    • Update an existing keystore entry with a new digital certificate. You perform this operation when the previous public-key certificate has expired and you have applied to the CA for a renewed public-key certificate.

    In all cases, pkiutil places removed keystore entries in this directory in case you find it necessary to recover and use them again.

    Note: Performing successive -remove or -import operations on the same keystore entry repeatedly overwrites that entry in the backup subdirectory.
CAUTION: If you upgrade or uninstall OpenEdge, Progress recommends that you back up your current version of the OpenEdge keystore directory tree (OpenEdge-Install-Dir\keys) to prevent losing valuable keys and certificates.
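
The following read-only inventory of the directory layout described above is an added example, not Progress code. The function names `audit_keystore` and `build_sample_tree` are hypothetical, the sample aliases and file contents are constructed, and the permission check assumes a POSIX host.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_keystore(keys_dir):
    """Classify files under an OpenEdge keys directory by the documented layout."""
    root = Path(keys_dir)
    req, bak = root / "requests", root / "backup"   # may not exist yet: policy is initially the only subdirectory
    keys = {p.stem for p in req.glob("*.pk1")}      # password-encrypted private keys
    csrs = {p.stem for p in req.glob("*.pk10")}     # certificate requests
    report = {
        "entries": sorted(p.stem for p in root.glob("*.pem")),
        "pending": sorted(keys & csrs),             # key and request both present
        "incomplete": sorted(keys ^ csrs),          # one half of the pair is missing
        "backup": sorted(p.name for p in bak.glob("*") if p.is_file()),
        "loose_perms": [],
    }
    # alias.pem and alias.pk1 hold private-key material, as do removed entries in
    # backup. Flag any that group or other can access (mode bits are POSIX-only).
    if os.name == "posix":
        secret = list(root.glob("*.pem")) + list(req.glob("*.pk1")) + list(bak.glob("*"))
        report["loose_perms"] = sorted(
            str(p.relative_to(root)) for p in secret
            if p.is_file() and p.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO))
    return report

def build_sample_tree(base):
    """Constructed sample layout; file contents are placeholders, not real keys."""
    root = Path(base) / "keys"
    for sub in ("policy", "requests", "backup"):
        (root / sub).mkdir(parents=True)
    files = {"default_server.pem": 0o600, "policy/pscpki.cnf": 0o644,
             "requests/web1.pk1": 0o644, "requests/web1.pk10": 0o644,
             "requests/web2.pk1": 0o600, "backup/old_server.pem": 0o600}
    for rel, mode in files.items():
        f = root / rel
        f.write_text("placeholder\n")
        f.chmod(mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, value in audit_keystore(build_sample_tree(tmp)).items():
            print(f"{name}: {value}")
```

An alias listed under `incomplete` has a private key without its certificate request, or the reverse, and is worth investigating before you back up the directory tree.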