Generate a certificate request file that you can submit to a third-party certificate authority (CA) to obtain a TLS certificate, and import the certificate from the CA to a PAS for OpenEdge instance.
  1. Start Proenv and change the directory to OpenEdge-Install-Dir\keys\requests.
    proenv> cd C:\Progress\OpenEdge\keys\requests
    Note: On Windows, you must start Proenv with the Run as administrator option.
  2. Generate a 2048-bit private key (certificate_name.pk1) and a public key (certificate_name.pk10) file.
    proenv> pkiutil -keysize 2048 -newreq MyCert
    Note: PKIUTIL can generate key sizes of 512, 1024, or 2048 bits.

    PKIUTIL prompts for a PEM pass phrase (which you must compose) with output similar to the following:

    Loading 'screen' into random state - done 
    Generating a 2048 bit RSA private key
    ..+++
    ......................+++ 
    writing new private key to 'C:\\dlc/keys/requests/MyCert.pk1'
    Enter PEM pass phrase: 
    Verifying - Enter PEM pass phrase:
    ----

    After you enter and verify the pass phrase, the private key file (MyCert.pk1 in this example) is generated.

    Important: Make a note of the PEM pass phrase. It will be required when you import the certificate returned from a CA to create a keystore in Step 5.

    PKIUTIL prompts for the specific name of the system (server DNS name) and other information that is included in the certificate request. The information is incorporated into a distinguished name (DN). If a single period ('.') is entered, the field is left blank.

    -----            
    Country Name (2 letter code) [US]:US            
    State or Province Name (full name) []:Massachusetts            
    Locality Name (eg, city) []:Bedford            
    Organization Name (eg, company) []:ACME1            
    Organizational Unit Name (eg, section) []: .             
    Server DNS name []:bedford.acme1.com

    A public key file (MyCert.pk10 in this example) is created. The public key file is what you use to request a new digital certificate from the CA.

  3. Submit the public key file (MyCert.pk10 in this example) to a CA in order to get the signed TLS certificate.

    The CA returns the signed TLS certificate, usually as a file with either a .crt or a .cer extension.

  4. When the TLS certificates are received from the CA, copy them to the OpenEdge-Install-Dir\keys\requests directory.
  5. Generate a Privacy-Enhanced Mail (.pem) formatted file from the private TLS certificate (MyCertPriv.cer in these examples) obtained from a CA.
    A PEM file is an encrypted file that contains keystore information. You use the OpenEdge PKIUTIL command-line utility to generate the PEM file.

    For more information about syntax and usage, see PKIUTIL.

    1. In Proenv, change directory to the PAS for OpenEdge instance /conf directory:
      proenv> cd C:\MyInstance\conf
    2. Use the -import option of PKIUTIL to generate the PEM file from the private TLS certificate:
      proenv> pkiutil -import MyCert OpenEdge-Install-Dir\keys\requests\MyCertPriv.cer
      Note: MyCert is the stem filename of the PEM file that is generated from MyCertPriv.cer.
    3. When prompted, enter the password you used when you created the keystore (i.e. the .pk1 file) in Step 2.
    PKIUTIL creates a file with a .pem extension (MyCert.pem in this example) in the OpenEdge-Install-Dir\keys\ directory.
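
A pre-import check that can be run between Steps 4 and 5, as an added example that is not part of the original documentation: it uses the OpenSSL command line to confirm that the certificate returned by the CA carries the same public key as the request from Step 2, that the key is at least 2048 bits, and that the certificate covers the server DNS name. It assumes a POSIX shell with openssl on the PATH and PEM-encoded .pk10 and .cer files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a CA response before `pkiutil -import`.
# Assumptions: the OpenSSL CLI is on PATH and both files are PEM-encoded.

# Public key (PEM) embedded in a certificate request such as MyCert.pk10.
request_pubkey() { openssl req -in "$1" -noout -pubkey; }

# Public key (PEM) embedded in a certificate such as MyCertPriv.cer.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Key size in bits, read from the request's text dump.
request_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Succeeds only if the certificate was issued for this request's key.
cert_matches_request() {
    req_key=$(request_pubkey "$2") || return 1
    crt_key=$(cert_pubkey "$1") || return 1
    [ -n "$req_key" ] && [ "$req_key" = "$crt_key" ]
}

# Succeeds only if the certificate is valid for the given server DNS name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run all checks; arguments: REQUEST CERT DNS_NAME
check_ca_response() {
    rc=0
    bits=$(request_key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; rc=1; }
    cert_matches_request "$2" "$1" || { echo "FAIL: cert/request key mismatch"; rc=1; }
    cert_covers_host "$2" "$3" || { echo "FAIL: cert does not cover $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $2 matches $1 and covers $3"
    return "$rc"
}

# With the page's file names: sh check.sh MyCert.pk10 MyCertPriv.cer bedford.acme1.com
if [ "$#" -eq 3 ]; then check_ca_response "$@"; fi
```

A key mismatch here usually means the CA response belongs to a different request, so the import in Step 5 would pair the certificate with the wrong private key.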