pkiutil
- Last Updated: February 11, 2026
- 3 minute read
- OpenEdge
- Version 13.0
- Documentation
pkiutil utility
provides the functions to create and manage keystore entries for OpenEdge TLS servers. It
creates these entries from pairs of private keys and digital certificates that it stores in
the OpenEdge server keystore (located in OpenEdge-Install-Dir\keys). It operates in FIPS mode when FIPS is
enabled at the OpenEdge installation level. | Operating system | Syntax |
|---|---|
|
UNIX
Windows |
|
- -brief
- Provides less information or as specified for the function.
- -verbose
- Provides more information or as specified for the function.
- -format { DER | PEM }
- Specifies the certificate format for the
-importand-displayfunctions. The default input format for a certificate is Privacy Enhanced Mail (PEM). Because some CAs issue public-key certificates in a binary format (DER) you must specify-format DERto import these certificates. - -display cert-file
- Displays the digital certificate file information contained in the
operating system disk file, cert-file. You must
specify cert-file as a fully qualified operating
system file pathname. The
-verboseoption displays complete certificate information, and the-briefoption displays less certificate information for each keystore entry. - -import alias cert-file
- Imports a CA-issued TLS server digital (public-key) certificate from
the disk file, cert-file, pairs it with the
-newreq-generated private key identified by the specified alias name (alias), and places the pair in the keystore as a new entry identified byalias. The function prompts for the same password used to generate the public-key certificate request for this entry. - -list [alias...]
- Displays a list of keystore entries identified by each alias name
(
alias). You can specify multiple aliases, but you cannot use wild cards. If you specify no alias,pkiutildisplays all entries in the keystore. The-verboseoption displays complete certificate information, and the-briefoption displays less certificate information per keystore entry. - [ -keysize size] -newreq alias
- Generates a new private/public-key pair and a corresponding
public-key certificate request (suitable for submission to a CA), stored under the alias
name specified by
alias, and placed in the OpenEdge-Install-Dir\keys\requests directory.You must specify analiasname between 5 and 39 characters long and use only the following characters:-
"0"to"9" -
"a"to"z" -
"A"to"Z" -
"_"and"-"
Note: The character "-" cannot be used as the first character.The function prompts for a password with a minimum of four characters using any printable ASCII character. You must use this same password later to create and allow access to the keystore entry generated from this certificate request.
When
pkiutilgenerates the keys and certificate request for this function, by default it generates keys using the RSA asymmetric encryption algorithm with a 1024-bit key size. If you require a different key size, you can specify the number of bits to generate using the-keysizeoption (valid key sizes must be 512, 1024, or 2048 bits). -
- -print alias
- Displays the public-key certificate request identified by
alias. - -remove alias...
-
Removes the specified entries from the keystore by their
aliasand moves them to thebackupsubdirectory of the keystore. Any entry that has the samealiasis overwritten. You cannot use wild cards. - -exportp12
- Generates the PKCS12 keystore file for PAS for OpenEdge instances using the .pem server or public keys, both of which are also used by other OpenEdge server products.
- -alias alias-name
- Specifies the name of the PKCS12 keystore file.
- -p12file p12file-path
- Specifies the path of the location in which the PKCS12 keystore file is saved after it is generated.