This topic describes how to generate a certificate request file that you can submit to a third party Certificate Authority (CA) to obtain an TLS certificate. It also explains how to import the certificate from the CA to a PAS for OpenEdge instance.
  1. Start PROENV and change the directory to OpenEdge-Install-Dir \keys\requests .
    For example: 
    proenv> cd C:\Progress\OpenEdge\keys\requests
    Note:

    On Windows, your must start PROENV with the Run as administrator option. For example:


    PROENV Admin
  2. Generate a 2048-bit private key ( certificate_name .pk1 ) and a public key ( certificate_name .pk10 ) file.

    For example:

    proenv>pkiutil -keysize 2048 -newreq MyCert
    Note: PKIUTIL can generate key sizes of 512, 1024, or 2048 bits.

    PKIUTIL prompts for a PEM pass phrase (which you must compose) with output similar to the following:

    Loading 'screen' into random state - done Generating a 2048 bit RSA private 
key ..+++ ......................+++ writing new private key to'C:\\dlc/keys/requests/MyCert.pk1' 
Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----

    After you enter and verify the pass phrase, the private key file ( MyCert.pk1 in this example) is generated.

    Important: Make a note of the PEM pass phrase. It will be required when you import the certificate returned from a CA to create a keystore in Step 5.

    PKIUTIL prompts for the specific name of the system (Server DNS name) and other information that will be included in the certificate request. The information is incorporated into a Distinguished Name (DN). If a single period ' . ' is entered, the field will be left blank. For example:

    ----- Country Name (2 letter code) [US]:US State or Province Name (full name) 
[]:Massachusetts Locality Name (eg, city) []:Bedford Organization Name (eg, company) 
[]:ACME1 Organizational Unit Name (eg, section) []: . Server DNS name []:bedford.acme1.com

    A public key file (MyCert.pk10 in this example) is created. The public key file is what you use to request a new digital certificate from the CA.

  3. Submit the public key file (MyCert.pk10 in this example) to a CA in order to get the signed TLS certificate.

    The CA returns the signed TLS certificate and the certificate is usually a file with either a .crt or a .cer extension.

  4. When the TLS certificates are received from the CA, copy them to the OpenEdge-Install-Dir\keys\requests directory.
  5. Generate a Privacy Enhance Mail ( .pem) formatted file from the private TLS certificate (named MyCertPriv.cer in these examples) obtained from a CA.
    A PEM file is an encrypted file that contains key store information. You use the OpenEdge PKIUTIL command-line utility to generate the PEM file. You can find more information about the syntax and usage of PKIUTIL in Manage OpenEdge Keys and Certificates.
    1. In PROENV, change directory to the PAS for OpenEdge instance's /conf directory.
      For example: 
      proenv> cd C:\MyInstance\conf
    2. Use the -import option of PKIUTIL to generate the PEM file from the private TLS certificate.
      For example: 
      proenv> pkiutil -import MyCert OpenEdge-Install-Dir\keys\requests\MyCertPriv.cer
      Note: MyCert is the stem filename of the PEM file that will be generated from MyCertPriv.cer.
    3. When prompted enter the password you used when you created the keystore (i.e. the .pk1 file) in Step 2.
    PKIUTIL creates a file with a .pem extension ( MyCert.pem in this example) in the OpenEdge-Install-Dir\keys\ directory.