pkiutil


Provides the functions to create and manage key store entries for OpenEdge SSL servers. It creates these entries from pairs of private keys and digital certificates that it stores in the OpenEdge server key store (located in OpenEdge-Install-Dir\keys).
Note: For each new key store entry that you want to create, you must submit the public-key certificate request that this utility generates to a Certification Authority (CA). The CA then returns the necessary server (public-key) certificate for you to import, which completes creation of the new key store entry.
Operating system
pkiutil [ -brief | -verbose ]
  {   [ -format { DER | PEM }] -display cert-file
    | [ -format { DER | PEM }] -import alias cert-file
    | -list [alias...]
    | [ -keysize size] -newreq alias
    | -print alias
    | -remove alias...
    | -exportp12 -alias alias-name -p12file p12file-path
  }
-brief
Provides less information or as specified for the function.
-verbose
Provides more information or as specified for the function.
-format { DER | PEM }
Specifies the certificate format for the -import and -display functions. The default input format for a certificate is Privacy Enhanced Mail (PEM). Because some CAs issue public-key certificates in a binary format (DER), you must specify -format DER to import these certificates.
-display cert-file
Displays the digital certificate file information contained in the operating system disk file, cert-file. You must specify cert-file as a fully qualified operating system file pathname. The -verbose option displays complete certificate information, and the -brief option displays less certificate information for each key store entry.
-import alias cert-file
Imports a CA-issued SSL server digital (public-key) certificate from the disk file, cert-file, pairs it with the -newreq-generated private key identified by the specified alias name (alias), and places the pair in the key store as a new entry identified by alias. The function prompts for the same password used to generate the public-key certificate request for this entry.
-list [alias...]
Displays a list of key store entries identified by each alias name (alias). You can specify multiple aliases, but you cannot use wild cards. If you specify no alias, pkiutil displays all entries in the key store. The -verbose option displays complete certificate information, and the -brief option displays less certificate information per key store entry.
[ -keysize size] -newreq alias
Generates a new private/public-key pair and a corresponding public-key certificate request (suitable for submission to a CA), stored under the alias name specified by alias, and placed in the OpenEdge-Install-Dir\keys\requests directory.
You must specify an alias name between 5 and 39 characters long and use only the following characters:
* "0" to "9"
* "a" to "z"
* "A" to "Z"
* "_" and "-"
Note: The character "-" cannot be used as the first character.
The function prompts for a password with a minimum of four characters using any printable ASCII character. You must use this same password later to create and allow access to the key store entry generated from this certificate request.
When pkiutil generates the keys and certificate request for this function, by default it uses the RSA asymmetric encryption algorithm with a 1024-bit key size. If you require a different key size, you can specify the number of bits with the -keysize option (valid key sizes are 512, 1024, or 2048 bits).
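The alias and key-size rules above, as a pre-flight check for scripted use of -newreq. This is an added example, not part of the Progress documentation: the function names are hypothetical, and the 2048-bit minimum is an assumed local policy, chosen because public CAs no longer accept 1024-bit RSA, which is the pkiutil default.

```shell
#!/bin/sh
# Added example, not Progress code. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make a-z / A-Z ranges match ASCII only

# valid_alias ALIAS: succeeds if ALIAS meets the documented rules
# (5 to 39 characters, only 0-9 a-z A-Z _ -, and "-" not first).
valid_alias() {
    a=$1
    len=${#a}
    [ "$len" -ge 5 ] && [ "$len" -le 39 ] || return 1
    case $a in
        -*) return 1 ;;                # "-" cannot be the first character
        *[!0-9a-zA-Z_-]*) return 1 ;;  # a character outside the allowed set
    esac
    return 0
}

# valid_keysize BITS: succeeds if BITS is a size pkiutil accepts.
valid_keysize() {
    case $1 in
        512|1024|2048) return 0 ;;
        *) return 1 ;;
    esac
}

# newreq_command ALIAS [BITS]: prints the pkiutil command line to run.
# Returns 1 for a bad alias, 2 for a size pkiutil does not accept, and
# 3 for a size below the assumed local policy minimum of 2048 bits.
# BITS defaults to 2048 so the request never uses the 1024-bit default.
newreq_command() {
    alias_name=$1
    bits=${2:-2048}
    valid_alias "$alias_name" || { echo "invalid alias: $alias_name" >&2; return 1; }
    valid_keysize "$bits" || { echo "unsupported key size: $bits" >&2; return 2; }
    [ "$bits" -ge 2048 ] || { echo "key size $bits below policy" >&2; return 3; }
    printf 'pkiutil -keysize %s -newreq %s\n' "$bits" "$alias_name"
}

# Constructed sample aliases: valid, too short, leading "-", bad character.
for a in web_srv01 abcd -server1 'my alias'; do
    if cmd=$(newreq_command "$a" 2>/dev/null); then
        echo "ok:       $cmd"
    else
        echo "rejected: $a"
    fi
done
```

Run the printed command from a shell where pkiutil is on the PATH (an assumption of this example); pkiutil then prompts for the password as described above.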
-print alias
Displays the public-key certificate request identified by alias.
-remove alias...
Removes the specified entries from the key store by their alias and moves them to the backup subdirectory of the key store. Any entry that has the same alias is overwritten. You cannot use wild cards.
-exportp12
Generates the PKCS12 keystore file for PAS for OpenEdge instances using the .pem server or public keys, both of which are also used by other OpenEdge server products.
-alias alias-name
Specifies the name of the PKCS12 keystore file.
-p12file p12file-path
Specifies the path of the location in which the PKCS12 keystore file is saved after it is generated.