OpenEdge supports two basic options for establishing a TLS server identity:

  • Using the default TLS server identity—A common built-in TLS server identity installed with every copy of OpenEdge. Because every installation shares it, it does not let a client distinguish your server from any other OpenEdge installation, so it is suitable only for development and testing.
  • Managing your own TLS server identity—A unique server identity authenticated by a public or private Certification Authority (CA). This is the option for production servers.

For each keystore entry on a TLS server, you provide a unique, password-protected alias name in the OpenEdge keystore. For each corresponding root certificate store entry on a TLS client, the TLS management software generates a unique alias name (not password protected) in the OpenEdge certificate store.

A given server identity is valid only for a specified lifetime. Before the current certificate expires, you must therefore update the keystore entry for that identity with a new server public-key certificate authenticated by a trusted CA. At the same time, verify that each TLS client's root certificate store still contains a valid root certificate for the newly issued server certificate (the issuing CA may have changed, or its root certificate may itself have expired) and update the client store if necessary.
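The keystore and root-store lifecycle above, as an added example that is not OpenEdge's own tooling: the server keystore entry is modelled as a PEM certificate file and the client root certificate store as an OpenSSL CApath directory whose alias names are generated from the certificate's subject hash (an assumption standing in for the OpenEdge certificate store; CA names, the hostname and all paths are hypothetical). It builds a throwaway PKI, checks how much lifetime the current server certificate has left, and shows that a certificate renewed under a different CA fails client validation until that CA's root certificate is imported into the client store.

```shell
#!/bin/sh
# Added example, not OpenEdge's own utilities.  Assumptions: the server
# keystore entry is a PEM certificate file, the client root certificate store
# is an OpenSSL CApath directory, and the client-side alias is generated from
# the certificate's subject hash.  All names (CA names, hostname, paths) are
# hypothetical.
set -u

# Import root certificate $2 into the client root store directory $1.  The
# alias is generated from the subject name (no password), echoing the
# client-side behaviour described above; OpenSSL's CApath lookup requires
# exactly this <subject_hash>.0 naming.
import_root_cert() {
    name=$(openssl x509 -in "$2" -noout -subject_hash)
    cp "$2" "$1/$name.0"
    echo "$name.0"
}

# Exit 0 if the server certificate $1 is already expired or expires within
# $2 seconds; this is the renewal trigger.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Exit 0 if the client root store $1 can validate the server certificate $2.
client_trusts_server() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI under $1 (constructed test data): two root CAs, one
# server key, the current server certificate (CA 1, 90 days) and a renewed
# one (CA 2, 180 days).  The client store starts out trusting only CA 1.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/client_certs" "$dir/empty_store"
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.pem" \
            -subj "/CN=Demo Root CA $n" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=appserver.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca1.pem" \
        -CAkey "$dir/ca1.key" -CAcreateserial -days 90 \
        -out "$dir/server.pem" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca2.pem" \
        -CAkey "$dir/ca2.key" -CAcreateserial -days 180 \
        -out "$dir/server-renewed.pem" >/dev/null 2>&1
    import_root_cert "$dir/client_certs" "$dir/ca1.pem" >/dev/null
}

# Renewal drill: report whether the current identity needs renewing and
# whether the client store would accept the renewed certificate.
main() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    if cert_expires_within "$work/server.pem" $((30 * 86400)); then
        echo "current server certificate expires within 30 days: renew now"
    else
        echo "current server certificate is good for more than 30 days"
    fi
    if client_trusts_server "$work/client_certs" "$work/server-renewed.pem"; then
        echo "client store already trusts the renewed certificate"
    else
        echo "client store has no root for the renewed certificate; importing CA 2"
        import_root_cert "$work/client_certs" "$work/ca2.pem"
        client_trusts_server "$work/client_certs" "$work/server-renewed.pem" \
            && echo "renewed certificate now validates against the client store"
    fi
    rm -rf "$work"
}

main
```

The two checks in main are the ones to run on every renewal: cert_expires_within on the keystore entry decides when to renew, and client_trusts_server against each client's root store, run before the renewed certificate is deployed, catches a changed or expired CA before clients start failing the handshake.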

The sections that follow describe these options.