Manage keystores for OpenEdge servers
- Last Updated: February 11, 2026
- OpenEdge
- Version 13.0
You can manage the private keys and the corresponding digital certificates for OpenEdge servers that support TLS connections using a keystore, which is located in the OpenEdge-Install-Dir\keys directory. Each TLS server requires at least one keystore entry that contains a single private key and corresponding digital (public-key) certificate, also known as a public/private key pair. With this keystore entry, you can configure any supported OpenEdge server to enable and manage TLS connections from clients. For more information about TLS server support in OpenEdge, see Introduction to Security and Auditing.
If you require only data encryption and do not need to verify the identity of TLS servers (typically, for intranet configurations only), OpenEdge comes installed with a default keystore entry. This default entry contains a common private key and digital certificate pair that you can use without any further management beyond enabling TLS connections on OpenEdge clients and servers. For more information about the default TLS server identity, see Introduction to Security and Auditing.
However, to establish a trusted OpenEdge TLS server identity suitable for use on the Internet or a more secure intranet, you must complete several steps using the functions of the pkiutil and certutil command-line utilities installed with OpenEdge.
OpenEdge-Install-dir pathname and set the WRKDIR environment variable to your working directory. For an example, see the OpenEdge-install-dir/bin/pkiutil shell script on UNIX or the OpenEdge-install-dir\bin\pkiutil.bat file in Windows. Running the command-line utility in a Proenv command window properly sets DLC and WRKDIR for you.