Install trusted CA/root certificates
- Last Updated: January 23, 2026
- OpenEdge
- Version 12.8
- Documentation
To allow OpenEdge client access to a TLS server whose identity you need to verify, you must install the appropriate root digital certificate to authenticate that server. A TLS server can have its identity established from one of two basic sources:
- One of the trusted public CA root digital certificates distributed by Progress Software Corporation, such as Symantec or Entrust
- A root digital certificate from an internal CA that you have set up on your own certificate server or from another external or public CA other than one that is distributed by Progress
Note: For a list of the public root CA certificates that are distributed by Progress in this release of OpenEdge, see What's New in OpenEdge 12.
OpenEdge automatically installs, in the OpenEdge root certificate store, the public CA root certificates that are distributed by Progress. However, if you use your own internal-use CA or a public CA other than the ones distributed by Progress, you must install the required root certificates yourself.
OpenEdge provides the following command-line utilities to install and manage root certificates in the OpenEdge certificate store:
- certutil—Installs, lists, and manages CA/root certificates from any CA as entries in the OpenEdge root certificate store, and manages the certificate store for the client and server. You can also remove certificate store entries using this utility. The utility moves all removed entries to a backup subdirectory of the root certificate store for future recovery and use.
  Note: For .NET and Java Open Clients and Web service clients of OpenEdge application servers, you must use other utilities to manage the root certificate stores for those clients and servers. For more information, see Use the Open Client Toolkit.
- mkhashfile—Provides simple installation of PEM-encoded root certificates into the OpenEdge root certificate store from any CA, but provides no other management functions for the OpenEdge certificate store. You can use certutil for the additional root certificate management.

Note: Before you run an OpenEdge command-line utility, set the DLC environment variable to the OpenEdge-install-dir pathname and set the WRKDIR environment variable to your working directory. For an example, see the OpenEdge-install-dir/bin/certutil shell script on UNIX or the OpenEdge-install-dir\bin\certutil.bat file in Windows. Running the command-line utility in a Proenv command window properly sets DLC and WRKDIR for you.
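A pre-install check you could run on an internal CA's root file before handing it to mkhashfile or certutil. This is an added example, not Progress code: the function name, return codes and 30-day threshold are assumptions, and it relies on the openssl command-line tool, which this page does not mention.

```shell
#!/bin/sh
# Added example: pre-install checks for a root certificate file.
# preflight_root_cert and its return codes are hypothetical names.
# Returns: 0 ok, 2 DLC/WRKDIR unset, 3 not PEM, 4 not self-issued,
#          5 not a CA certificate, 6 expired or expiring within 30 days.
preflight_root_cert() {
    _pem=$1

    # The OpenEdge utilities expect DLC and WRKDIR to be set (Proenv does this).
    if [ -z "${DLC:-}" ] || [ -z "${WRKDIR:-}" ]; then
        echo "DLC and WRKDIR must be set" >&2; return 2
    fi

    # mkhashfile installs PEM-encoded certificates; reject DER and other input.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$_pem" 2>/dev/null; then
        echo "$_pem: not a PEM-encoded certificate" >&2; return 3
    fi

    # A root is self-issued and its signature verifies with its own key.
    _subj=$(openssl x509 -in "$_pem" -noout -subject) || return 3
    _issr=$(openssl x509 -in "$_pem" -noout -issuer) || return 3
    if [ "${_subj#*=}" != "${_issr#*=}" ] ||
       ! openssl verify -CAfile "$_pem" "$_pem" >/dev/null 2>&1; then
        echo "$_pem: not a self-signed root" >&2; return 4
    fi

    # Only CA certificates belong in a root store.
    if ! openssl x509 -in "$_pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "$_pem: basicConstraints is not CA:TRUE" >&2; return 5
    fi

    # -checkend N fails if the certificate expires within N seconds.
    if ! openssl x509 -in "$_pem" -noout -checkend 2592000 >/dev/null; then
        echo "$_pem: expired or expiring within 30 days" >&2; return 6
    fi

    # Print the fingerprint for comparison with the value published by the CA.
    openssl x509 -in "$_pem" -noout -fingerprint -sha256
}
```

Compare the printed SHA-256 fingerprint with one obtained from the CA through a separate channel before installing the file.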