Adding a CA Root Certificate to your Client Application

Restriction: This topic applies only when the Enterprise Server feature is enabled.

If you have written a client application that communicates with server applications such as Enterprise Server, the client application needs access to the root certificates of any trusted CAs. The trusted CAs are those who signed the certificates of the servers you are communicating with securely.

A collection of root certificates from public CAs can be found in the file CARootCerts.pem under your product installation. In earlier versions of the product, this file was part of the optional Demo CA component. You can use these certificates by configuring your client program to use that file for its collection of trusted root certificates also referred to as a "trust store", if it supports the PEM file format. Micro Focus client programs such as COBOL web service clients support this format.

If you have other root certificates you need to use, such as those from a corporate CA or from Demo CA used for development or test purposes only, then you can keep them in separate files and configure your clients to use the appropriate file, or you can add them to CARootCerts.pem.

For Micro Focus client programs which use the Micro Focus Common Client library, you specify the file containing the trusted root certificates in the mf-client.dat configuration file.

To add a CA root certificate to the root certificate file:

  1. Convert the new certificate to the same format as the certificates in the file, which in this case is in the PEM format with DER content encoding. Use openssl to do this. For example, to convert a PKCS7 format file, such as IECert.p7b, to PEM format:
    openssl pkcs7 -inform DER -in IECert.p7b -text -print_certs -out IECert.pem
  2. Append the new certificates to the existing file CARootCerts.pem. For example:
    Windows:
    copy CARootCerts.pem+ IECert.pem NewCARootCerts.pem
    UNIX:
    cat CARootCerts.pem IECert.pem > NewCARootCerts.pem
Note: The CARootCerts.pem file will be replaced if the product is reinstalled or updated. If you add certificates to this file, you will need to repeat those additions. Micro Focus recommends you back up any modified CARootCerts.pem file. You might also want to copy the CARootCerts.pem to another location and modify it there, then configure your clients to use that copy.