Obtaining and importing an external certificate from a third-party Certificate Authority (CA) requires the following OpenEdge utilities:
- PKIUTIL - to generate the private key and certificate request, then import the issued certificate into the server keystore
- CERTUTIL - to import the CA (root and intermediate) certificates into the client trust store
1. Generate the private key and certificate request using PKIUTIL
This step creates two files:
- A private key (.pk1), protected by the pass phrase entered below
- A PKCS#10 certificate request (.pk10) containing the public key, to be submitted to the CA
Example: Create a 512-bit, 1024-bit or 2048-bit private key; the default keysize is 1024-bit. Use 2048 bits or larger: public CAs no longer issue certificates for RSA keys shorter than 2048 bits, and 512-bit RSA keys can be factored with modest resources.
proenv>pkiutil -keysize 2048 -newreq X
Output similar to the following is displayed. Take note of the pass phrase; it is required in the next steps.
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..+++
......................+++
writing new private key to 'C:\dlc\keys\requests\X.pk1'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
PKIUTIL then prompts for the information to be incorporated in the certificate request:
- The first piece of information is the Distinguished Name (DN).
- Some fields can be left blank or can accept the default value shown in brackets.
- Entering a single period '.' leaves a field blank:
Country Name (2 letter code) [US]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) []:Progress Software
Organizational Unit Name (eg, section) []:Technical Support
Server DNS name []:bedford.progress.com
Two files are created: the private key with the .pk1 extension, and the certificate request with the .pk10 extension (the public key is embedded in the request).
Since OpenEdge 11.6.2 and 11.7.0, a private key in PKCS#8 format is also supported.
2. Submit the public key to the Certificate Authority (CA) when requesting the certificate (.cer or .crt).
In this example, the file used to request a new digital certificate from the CA is:
'C:\dlc\keys\requests\X.pk10'
3. When the new certificate is received from your Certificate Authority (CA), use PKIUTIL to import it into the keystore
proenv>pkiutil -import X %DLC%\keys\requests\X.cer
Output similar to the following will be displayed:
Importing private key alias X:
Importing certificate file 'C:\dlc\keys\requests\X.cer'
One file, X.pem (Privacy Enhanced Mail), is written to DLC\keys; it holds the keystore entry for alias X (the imported certificate together with its private key). PEM is a Base64 encoding of the DER-formatted data wrapped in textual header and footer lines, so the file can be opened in a plain text editor: each block is delimited by its own -----BEGIN ...----- and -----END ...----- lines.
Verify the server certificate with:
proenv>pkiutil -display DLC\keys\X.pem
4. Use CERTUTIL to import the root CA certificate and any intermediate certificate(s) from the CA into the client's root store:
- The user account needs read/write permissions on dlc\certs and dlc\certs\backup
- When the certificate is provided in DER format, the "-format DER" parameter is required; otherwise the import fails with the error: "does not contain a Digital Certificate"
proenv>certutil [ -format DER ] -import %DLC%\keys\requests\rootCA.cer
proenv>certutil [ -format DER ] -import %DLC%\keys\requests\X.cer
This creates a hash-named file with the extension .0 in the DLC\certs directory for each certificate imported.
Verify client certificates with:
proenv>certutil -verbose -list X
Copy each of these hash-named .0 files to the <OpenEdge installation>\certs directory of each OE client to be deployed.
Alternatively, import the certificates on the client directly as outlined above; wherever OpenEdge is installed, these tools (certutil, pkiutil and procertm) are available.
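As an added example (not part of this article and not an OpenEdge tool), the following Python script performs two checks a practitioner wants between steps 3 and 4: it tells a PEM file from a DER file, so you know in advance whether certutil needs "-format DER" rather than waiting for the "does not contain a Digital Certificate" error, and it splits a CA-supplied PEM bundle (root, intermediates, server certificate in one file) into one certificate per file, since each certutil -import call above takes a single certificate file. The DER check only validates the outer ASN.1 SEQUENCE header against the file length (a truncated binary file is reported as UNKNOWN rather than DER); it does not parse X.509. The bundle and the DER byte strings are constructed placeholders, not real certificates, and the file names written (<stem>-<n>.cer) are this example's own convention.

```python
import base64
import os
import re
from typing import List, Optional, Tuple

# PEM block: "-----BEGIN <LABEL>-----", Base64 lines, "-----END <LABEL>-----".
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_outer_header(buf: bytes) -> Optional[Tuple[int, int]]:
    """Decode the outer DER tag/length of an X.509 certificate.

    Returns (header_len, content_len), or None when the bytes do not start
    with a well-formed SEQUENCE header (tag 0x30, definite-length form).
    """
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                          # short form: one length byte
        return 2, first
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:   # 0x80 = indefinite, illegal in DER
        return None
    return 2 + n, int.from_bytes(buf[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify a CA-supplied file as 'PEM', 'DER' or 'UNKNOWN'.

    DER is accepted only if the outer SEQUENCE length matches the file size,
    so a truncated or padded binary file is reported as UNKNOWN.
    """
    if PEM_BLOCK_RE.search(data):
        return "PEM"
    hdr = der_outer_header(data)
    if hdr is not None and sum(hdr) == len(data):
        return "DER"
    return "UNKNOWN"


def split_pem_bundle(data: bytes) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every block in a PEM bundle, in order."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(data):
        label = m.group(1).decode("ascii")
        body = b"".join(m.group(2).split())   # drop the line breaks
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes as a single PEM block with 64-character Base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (f"-----BEGIN {label}-----\n".encode("ascii")
            + b"\n".join(lines) + b"\n"
            + f"-----END {label}-----\n".encode("ascii"))


def write_one_cert_per_file(bundle: bytes, out_dir: str, stem: str) -> List[str]:
    """Write each CERTIFICATE block of a bundle to <out_dir>/<stem>-<n>.cer
    as PEM, so each file can be passed to its own certutil -import call.
    """
    paths = []
    for n, (label, der) in enumerate(split_pem_bundle(bundle)):
        if label != "CERTIFICATE":
            continue                          # keys or CRLs do not go to certutil
        path = os.path.join(out_dir, f"{stem}-{n}.cer")
        with open(path, "wb") as f:
            f.write(to_pem(der, label))
        paths.append(path)
    return paths


# Constructed sample input (placeholders, not real certificates).
FAKE_ROOT_DER = b"\x30\x81\xc8" + bytes(range(200))   # long-form length: 200 bytes
FAKE_LEAF_DER = b"\x30\x03abc"                        # short-form length: 3 bytes
SAMPLE_BUNDLE = to_pem(FAKE_ROOT_DER) + to_pem(FAKE_LEAF_DER)

if __name__ == "__main__":
    import tempfile
    for name, blob in [("bundle", SAMPLE_BUNDLE), ("root", FAKE_ROOT_DER),
                       ("truncated", FAKE_ROOT_DER[:-1])]:
        print(f"{name}: {detect_format(blob)}")
    with tempfile.TemporaryDirectory() as d:
        print(write_one_cert_per_file(SAMPLE_BUNDLE, d, "chain"))
```

Run it against the real files from the CA before step 4: a result of DER means add "-format DER" to the certutil command; PEM means import as-is; UNKNOWN means the file is neither, and should be re-downloaded rather than imported.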
5. Users of Classic AIA, WSA, or remotely hosted Java applications may need to import the root CA into the Java keystore used by Tomcat or by the external Java application, with the Java keytool utility:
<Java install directory>\bin\keytool -v -import -alias <aliasname> -file X.cer -keystore <java keystore file>
6. The AdminServer needs to trust the root CA if client connections to AppServer brokers or WebSpeed brokers are required.
The tool that adds certificates for the AdminServer is procertm:
procertm -i <certificate>[.crt | .pem] <DLC>\certs\psccerts.jar
Certificates loaded into psccerts.jar can be validated with:
procertm -l -v %DLC%\certs\psccerts.jar
7. Finally, review and update the server configuration under the specific SSL-enabled broker in
ubroker.properties / conmgr.properties:
noHostVerify=1 # disables host-name verification of the certificate; set only if -nohostverify is used in the CONNECT statement with -ssl
sslEnable=true
sslkeyAlias=<alias name>
sslkeyAliasPasswd=20333c34252a2137 # use $DLC/bin/genpassword -password <actual password> to generate encrypted password to copy for this property
If the database is started unmanaged, review and update the startup scripts:
proserve <db name> -S <port#> -ssl -keyalias X -keyaliaspasswd 20333c34252a2137
For PASOE environments refer to Article: