Administration Guide

Obtaining a certificate from a Certificate Authority

This section describes how to generate a key file that you can submit to a third-party Certificate Authority (CA) to obtain an SSL/TLS certificate. It also shows how to import the certificate from the CA into your PAS for OpenEdge instance.
1. Start PROENV and change directory to OpenEdge-Install-Dir\keys\requests.
For example:
proenv> cd C:\Progress\OpenEdge\keys\requests
On Windows, you must start PROENV with the Run as administrator option.
2. Generate a 2048-bit private key (certificate_name.pk1) and a public key (certificate_name.pk10) file.
For example:
proenv> pkiutil -keysize 2048 -newreq MyCert
Note: PKIUTIL can generate key sizes of 512, 1024, or 2048 bits.
PKIUTIL prompts for a PEM pass phrase (which you must compose) with output similar to the following:
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..+++
......................+++
writing new private key to 'C:\Progress\OE\102a\dlc/keys/requests/MyCert.pk1'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
----
After you enter and verify the pass phrase, the private key file (MyCert.pk1 in this example) is generated.
Important: Make a note of the PEM pass phrase. It will be required when you import the certificate returned from a CA to create a keystore in Step 5.
Then, PKIUTIL prompts for the specific name of the system (Server DNS name) and other information that will be included in the certificate request. The information is incorporated into a Distinguished Name (DN). If a single period '.' is entered, the field will be left blank. For example:
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) []:ACME1
Organizational Unit Name (eg, section) []: .
Server DNS name []:bedford.acme1.com
PKIUTIL then creates a public key file (MyCert.pk10 in this example). The public key file is what you use to request a new digital certificate from the CA.
3. Submit MyCert.pk10, the public key file, to a CA in order to request an SSL certificate.
The CA returns both a private and a public (or ROOT) SSL certificate. The certificates are files, usually with either a .crt or a .cer extension. In this example, we'll call the files MyCertPriv.cer and MyCertPub.cer.
4. When the SSL certificates are received from the CA, copy them to the OpenEdge-Install-Dir\keys\requests directory.
5. Generate a Privacy Enhanced Mail (.pem) formatted file from the private SSL certificate (named MyCertPriv.cer in these examples) obtained from a CA.
A PEM file is an encrypted file that contains key store information. You use the OpenEdge PKIUTIL command-line utility to generate the PEM file. You can find more information about the syntax and usage of PKIUTIL in OpenEdge Getting Started: Installation and Configuration.
a. In PROENV, change directory to the PAS for OpenEdge instance's /conf directory.
For example:
proenv> cd C:\MyInstance\conf
b. Use the -import option of PKIUTIL to generate the PEM file from the private SSL certificate.
For example:
proenv> pkiutil -import MySSLPrivKey OpenEdge-Install-Dir\keys\requests\MyCertPriv.cer
MySSLPrivKey is the stem filename of the PEM file that will be generated from MyCertPriv.cer.
c. When prompted, enter the password you used when you created the keystore (i.e. the .pk1 file) in Step 2.
PKIUTIL creates a file with a .pem extension (MySSLPrivKey.pem in this example) in the OpenEdge-Install-Dir\keys\ directory.
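A pre-submission check for Steps 2 and 3, added here as an example (it is not Progress or PKIUTIL code): it confirms that the .pk1 key is pass-phrase protected, that the file going to the CA carries no private key, and that the request was not generated with one of the smaller key sizes PKIUTIL allows. It assumes the .pk1 and .pk10 files are PEM-encoded OpenSSL output (a private key and a PKCS #10 request with an RSA key), which the prompts above suggest; all function names are hypothetical and the sample request is a constructed, unsigned skeleton.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    length, start = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        start += length & 0x7F
        length = int.from_bytes(buf[pos + 2:start], "big")
    return buf[pos], start, start + length

def csr_rsa_bits(der):
    """Walk a PKCS#10 request down to the RSA modulus and return its bit length."""
    _, s, _ = read_tlv(der, 0)             # CertificationRequest
    _, s, _ = read_tlv(der, s)             # CertificationRequestInfo
    _, _, e = read_tlv(der, s)             # version
    _, _, e = read_tlv(der, e)             # subject (the DN typed at the prompts)
    _, s, _ = read_tlv(der, e)             # SubjectPublicKeyInfo
    _, _, e = read_tlv(der, s)             # AlgorithmIdentifier (assumed to be RSA)
    _, s, _ = read_tlv(der, e)             # BIT STRING
    _, s, _ = read_tlv(der, s + 1)         # skip unused-bits byte, enter RSAPublicKey
    _, s, e = read_tlv(der, s)             # modulus INTEGER
    return int.from_bytes(der[s:e], "big").bit_length()

def audit(pk1_text, pk10_text, min_bits=2048):
    """Return findings for the private key file and the request file sent to the CA."""
    findings = []
    for label, body in PEM_RE.findall(pk1_text):
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        if label.endswith("PRIVATE KEY") and not encrypted:
            findings.append("private key is not pass-phrase protected")
    for label, body in PEM_RE.findall(pk10_text):
        if label.endswith("PRIVATE KEY"):
            findings.append("request file contains a private key")
        elif label.endswith("CERTIFICATE REQUEST"):
            bits = csr_rsa_bits(base64.b64decode(body))
            if bits < min_bits:
                findings.append(f"RSA modulus is only {bits} bits")
    return findings

def tlv(tag, value):  # DER-encode one element; only used to build the constructed sample
    size = len(value).to_bytes(max(1, (len(value).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if len(value) < 128 else bytes([0x80 | len(size)]) + size) + value

def sample_csr(bits):  # constructed, unsigned request skeleton with a `bits`-bit modulus
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))))
    der = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE REQUEST-----\n"
```

To check real output, pass the text of MyCert.pk1 and MyCert.pk10 to audit(); an empty list means none of the three conditions was found.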