Release 10.1A: OpenEdge Getting Started:
Installation and Configuration
Understanding key store content
The OpenEdge key store maintains private keys and digital certificates for OpenEdge SSL servers in several locations. These include private keys and digital certificates that you have authorized by a CA and imported for use by an SSL server, and private keys and public-key certificate requests that you generate and have pending for authorization by a CA. You must manage this key store entirely with the pkiutil command-line utility. See the "Using pkiutil to manage an OpenEdge key store" section for additional information.

The key store resides in the OpenEdge-Install-Dir\keys directory. This directory contains the following files and subdirectories:

- alias.pem — Files containing a single key store entry that you have created from an imported CA-authorized digital certificate that contains the public key joined with the private key that you generated along with the original public-key certificate request. Each file is named with the alias that you chose for the original private key and certificate request using the -newreq operation of pkiutil. The initial key store entry is the default OpenEdge entry, default_server.pem, as authorized by the Progress Software Corporation CA. For more information on this default key store entry, see the sections on SSL in OpenEdge Getting Started: Core Business Services.
- policy — A subdirectory containing a pscpki.cnf configuration file. The pkiutil utility uses this file to control the process of generating new SSL server private/public keys and generating digital certificate requests that can be sent to a CA in order to obtain a public-key certificate for the OpenEdge SSL server. Initially, this is the only subdirectory.
- requests — A subdirectory containing all newly generated private keys and public-key certificate requests in the form of two files, as follows:
  - alias.pk1 — This file holds the PKCS #1-formatted, password-encrypted, private key for the given key store alias entry.
  - alias.pk10 — This file holds the PKCS #10-formatted public-key certificate request that you send to a CA to obtain the SSL server's public-key certificate for the given key store alias entry.
- backup — A subdirectory containing any removed key store entries. The pkiutil utility removes an existing key store entry when you:
  - Explicitly remove it using the -remove operation of pkiutil.
  - Update an existing key store entry with a new digital certificate. You will perform this operation when the previous public-key certificate has expired and you have applied to the CA for a renewed public-key certificate.

  In all cases, pkiutil places removed key store entries in this directory in case you find it necessary to recover and use them again.

  Note: Performing successive -remove or -import operations on the same key store entry repeatedly overwrites that entry in the backup subdirectory.

Caution: If you upgrade or uninstall OpenEdge, Progress Software Corporation recommends that you back up your current version of the OpenEdge key store directory tree (OpenEdge-Install-Dir\keys) to prevent losing valuable keys and certificates.
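The following Python script is an added example, not part of the OpenEdge documentation or the pkiutil utility. It inventories a key store tree using the file layout described above and takes a verified, timestamped copy of it, which covers both the backup recommended before an upgrade and the case where the backup subdirectory keeps only the most recently removed copy of an entry. The function names, the sample aliases (web1, web2, old) and the snapshot directory name are assumptions made for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def inventory(keys_dir):
    """Classify key store content by the layout this page describes."""
    root = Path(keys_dir)
    req, bak = root / "requests", root / "backup"
    pk1 = {p.stem for p in req.glob("*.pk1")}
    pk10 = {p.stem for p in req.glob("*.pk10")}
    return {
        "entries": sorted(p.stem for p in root.glob("*.pem")),
        "requests": sorted(pk1 & pk10),   # private key and request both present
        "unpaired": sorted(pk1 ^ pk10),   # one file of the pair is missing
        "backup": sorted(p.name for p in bak.iterdir()) if bak.is_dir() else [],
        "policy": (root / "policy" / "pscpki.cnf").is_file(),
    }

def digests(tree):
    """Map each file's relative path to its SHA-256 digest."""
    tree = Path(tree)
    return {p.relative_to(tree).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(tree.rglob("*")) if p.is_file()}

def snapshot(keys_dir, dest_dir):
    """Copy the whole tree to a timestamped directory and verify the copy."""
    target = Path(dest_dir) / ("keys-" + time.strftime("%Y%m%dT%H%M%S"))
    shutil.copytree(keys_dir, target)
    if digests(keys_dir) != digests(target):
        raise RuntimeError("snapshot differs from source: " + str(target))
    return target

def build_sample(root):
    """Constructed sample tree with placeholder file contents, not real keys."""
    keys = Path(root) / "keys"
    for rel in ("default_server.pem", "policy/pscpki.cnf", "requests/web1.pk1",
                "requests/web1.pk10", "requests/web2.pk1", "backup/old.pem"):
        path = keys / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed placeholder for " + rel)
    return keys

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        keys = build_sample(tmp)
        print(inventory(keys))
        print(snapshot(keys, Path(tmp) / "snapshots"))
```

A snapshot contains the same private keys as the live key store, so store it under access controls at least as strict as those on OpenEdge-Install-Dir\keys.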
Copyright © 2005 Progress Software Corporation www.progress.com Voice: (781) 280-4000 Fax: (781) 280-4095