The most widely accepted digital certificate is the X.509 public-key certificate, and it is issued by CAs in two major forms:

  • A server digital certificate issued to the holder of a private key that authorizes the identity established by the private key for the holder.
  • A root CA digital certificate issued to clients and servers of a server that they use to authenticate the identity of the server when communications between the client and server begin. This authentication occurs by validating the root CA digital certificate against the server digital certificate.
  • A trusted CA/root digital (public-key) certificate can be managed for OpenEdge clients and servers that support TLS connections using a root certificate store located in the OpenEdge-Install-Dir\certs directory.
  • Each OpenEdge TLS client and server requires the root certificate store entry that contains the public-key certificate from the CA who signed and issued the public-key certificate for the TLS client and server that the client needs to access.
Note: A CA digital certificate is a digital certificate used to assert and validate the identity of the CA to anyone who is validating a digital certificate that this CA has issued (such as a server digital certificate). A root CA digital certificate is a CA certificate that is at the top of the validation chain in the hierarchy of CAs. So, if the validation process does not trust the root certificate, there is no higher authentication authority to go to and the validation operation must fail.

Digital certificates have a number of properties, and one of the most important for a PKI is its specified lifetime, the time in which the digital certificate is valid. When a digital certificates lifetime has expired, it can no longer be used to assert or authenticate a servers identity. For more information on managing digital certificates and certificate stores, see Manage OpenEdge Keys and Certificates.