There are several steps required to establish a trusted identity for any OpenEdge SSL server using the pkiutil command-line utility.
Caution: While the default_server key store entry provided by the Progress Server Certificate Authority also uses a default password ("password"), you must password-protect any private key store entries that you create from a public-key certificate issued by a trusted external CA. The secrecy of your password is critical to using this key store entry for authenticating a server.
To establish and maintain a trusted SSL server identity using the pkiutil utility:
1. Use the -newreq operation to generate a proposed public and private-key pair together with a digital certificate request that is suitable for sending to any CA for authorization. You must provide a password to secure this certificate request. You must later provide this password to any OpenEdge server that you want to access this key store entry for securing SSL connections to it. See Supplying a key store entry password to an OpenEdge server.
2. Use e-mail (or some other method required by the CA) to send a copy of the certificate request to the trusted CA that you want to issue the public-key certificate. This process authenticates any server providing access to the private key.
3. Use the -import operation to import the digital certificate returned by the CA for this request and store it together with the associated private key as an entry in the key store.
4. Use the -display or -list operations to review an individual digital certificate file or any and all key store entries for important digital certificate information, such as expiration dates.
5. Use the -remove operation to remove any unused or expired key store entries that you specify; the operation retains them in a backup area of the key store.
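
A pre-import and review check for steps 3 and 4, added here as an example that is not part of the OpenEdge documentation and does not use pkiutil: it uses OpenSSL to confirm that the certificate returned by the CA carries the public key from your request, and that it is not close to expiry. It assumes the request and certificate are PEM files that OpenSSL can read; the file names, subject and passphrase are constructed, and the self-signed certificate is a stand-in for a CA reply.

```sh
#!/bin/sh
# Added example: OpenSSL checks run before import and during review.
# File names, subject and passphrase are constructed sample values.

# Succeeds only if the certificate holds the same public key as the request.
cert_matches_request() {  # $1 = certificate (PEM), $2 = request (PEM)
    cert_key=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    req_key=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_key" ] && [ "$cert_key" = "$req_key" ]
}

# Succeeds if the certificate is still valid $2 days from now.
cert_valid_for_days() {  # $1 = certificate (PEM), $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Builds constructed sample files in directory $1.
make_demo() {
    pw='constructed-demo-passphrase'  # sample only; never the default "password"
    # Password-protected key pair plus certificate request.
    openssl req -new -newkey rsa:2048 -keyout "$1/server.key" \
        -out "$1/server.csr" -passout "pass:$pw" \
        -subj "/CN=demo.example.test" 2>/dev/null &&
    # Stand-in for the CA reply: the request self-signed for 30 days.
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -passin "pass:$pw" -days 30 -out "$1/server.cer" 2>/dev/null &&
    # Unrelated certificate, as if the wrong file had been returned.
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/other.key" \
        -out "$1/other.cer" -days 30 -subj "/CN=other.example.test" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
cert_matches_request "$demo_dir/server.cer" "$demo_dir/server.csr" &&
    echo "server.cer: public key matches the request"
cert_matches_request "$demo_dir/other.cer" "$demo_dir/server.csr" ||
    echo "other.cer: public key does not match the request, do not import"
cert_valid_for_days "$demo_dir/server.cer" 60 ||
    echo "server.cer: expires within 60 days, schedule a new request"
```

A certificate whose key does not match the request cannot be paired with the stored private key, so a mismatch here is worth catching before the import in step 3.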