Skip to main content


Manually verifying hotfix files by using third-party tools

Suggest edit Updated on September 29, 2021

For versions of Pega Platform earlier than 8.5, verify the hotfix files manually by using third-party tools such as OpenSSL.

Before you begin: Do not attempt to perform this procedure if you are not familiar with Linux, Base64, and OpenSSL.

This procedure assumes a Linux operating system.

Ensure that you have the following packages:

  • Base64

  • OpenSSL (

To manually verify hotfix files by using third-party tools, perform the following steps:
  1. Verify that the certificate is authentic and that it belongs to Pega:
    1. Extract the SIGFILE.JSON file from the CATALOG.ZIP file or the DL-<id>.zip file.Result: In the certificates object inside the SIGFILE.JSON file are two values. For the purposes of this procedure, they are called pegasystems and intermediate, in that order.
    2. Use Base64 to decode each value into its own file by entering the following command:
      echo (certificate value) | base64 --decode > (pegasystems/intermediate).der
      You use the pegasystems.der file to verify the hotfix later in this procedure.
    3. Translate each certificate into the .crt format by entering the following command:
      openssl x509 -in (pegasystems/intermediate).der -inform der > (pegasystems/intermediate).crt
    4. View the first certificate as text and verify that the subject of the certificate has the following values: C = US, ST = Massachusetts, L = Cambridge, O = Pegasystems Inc., CN = Pegasystems Inc..
      openssl x509 -in pegasystems.crt -text -noout
    5. Verify the certificate chain. If the response is pegasystems.crt: OK, the verification was successful.
      openssl verify -crl_download -crl_check -untrusted intermediate.crt pegasystems.crt
  2. Use the certificate's public key and the included signatures to verify the integrity of each file.
    1. Extract the public key from the pegasystems certificate.
      openssl x509 -pubkey -noout -in pegasystems.der -inform der >
    2. Copy the value for the signature object for the file that you are verifying and use Base64 to decode this value to a file.
      echo (signature value) | base64 --decode > signature.sig
    3. Extract the file that you want to verify from the CATALOG.ZIP file or the DL-<id>.zip file.
    4. Verify the signature of the extracted file. If the response is Verified OK, the verification was successful.
      openssl dgst -verify -keyform PEM -sha256 -signature signature.sig (file)
Did you find this content helpful? YesNo

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Ready to crush complexity?

Experience the benefits of Pega Community when you log in.

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us