How to create a Domino keyring for SHA2+ certificates

Tags: keyring kyrtool x509 ssl certificate openssl domino sha2
When the CSR is generated directly on the SSL vendor's website, you have to combine the private key and the certificate into the Domino keyring file yourself, and if the private key is not in RSA format it must be converted first.

This post is based on my experience with a certificate created through TransIP's website.

After creating the request I received a .zip file which contained the following:


To create a new Domino keyring using kyrtool use the following command:

kyrtool create -k c:\cert\keyfile.kyr -p password

Unfortunately the certificate.key file provided by TransIP is not in the RSA format that kyrtool expects, so kyrtool cannot import it as-is.
In this case the format was easy to determine from the first line of the file: instead of starting with -----BEGIN RSA PRIVATE KEY----- the file started with -----BEGIN ENCRYPTED PRIVATE KEY-----.


Importing a new SHA2+ certificate into Domino keyring based on existing CSR

Tags: sha2 keyring kyr openssl certificates domino import howto
When you renew an existing server certificate from the existing CSR, for example to move away from the weak SHA1 signature algorithm, the following commands let you import the new server certificate into the existing Domino keyring file.


IBM Domino server running 9.0.1FP3+
IBM Notes client running 9.0.1FP3+
The 'new' keyring tool from www.ibm.com/support/fixcentral (901FP3IF_Keytool.zip)
The new certificate file from your certificate vendor and the certificates of all signers in the certificate chain
Access to the keyring files (both .kyr and .sth)


Creating a sha2+ keyring with Domino CA signed certificate

Tags: SHA2 Domino CA keyring ca process kyrtool
Ever wondered how to use the new keyring tool with your Domino based Internet Certificate Authority?

This should work

First we create a new keyring using the 'new' kyrtool

kyrtool create -k c:\ibm\keyring.kyr -p mypassword

Then we create a private key and csr using openssl

openssl genrsa -out server.key 4096
openssl req -new -sha256 -key server.key -out server.csr

Open the certificate request database of your Domino based Internet CA in your browser, select 'Request server certificate', paste the contents of server.csr and click Submit to request the certificate.

Once the certificate has been signed, pick it up in the browser using the pickup ID (you should have received this ID by email).

Select RAW format and copy-paste the certificate into a file, in this example server.cer.

Next we combine the private key, the signed certificate and CA certificate into a single file.

copy server.key+server.cer+cacert.cer combined.txt

(cacert.cer is the base64-encoded CA certificate)

Finally we import this combined file into the Domino keyring

kyrtool import all -k c:\ibm\keyring.kyr -i combined.txt
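The same procedure as a POSIX shell script, added here as an example; it is not code from these posts or from IBM. It covers the problem from the first post (a vendor-supplied key that starts with -----BEGIN ENCRYPTED PRIVATE KEY----- instead of -----BEGIN RSA PRIVATE KEY-----) as well as the combine-and-import steps of this post. It assumes openssl is on the PATH and, for the last two steps, kyrtool as well; the file names (certificate.key, server.cer, cacert.cer, combined.txt) are placeholders. Note that on OpenSSL 3 the openssl genrsa command used above writes a PKCS#8 key (-----BEGIN PRIVATE KEY-----) by default, so the format check applies to self-generated keys too. The -traditional flag for openssl rsa exists on OpenSSL 3 only; on 1.x the traditional form is the default, which is why the script falls back to the plain call.

```shell
#!/bin/sh
# Added example; not from the original posts. Assumes openssl is on PATH and,
# for build_keyring, kyrtool as well. File names are placeholders.

# Classify a PEM private key from its first line (CRLF-tolerant, since vendor
# files often come from Windows). Prints: rsa | pkcs8 | pkcs8-encrypted | unknown
key_format() {
    first_line=$(head -n 1 "$1" | tr -d '\r')
    case "$first_line" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo rsa ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Convert a PKCS#8 key (encrypted or plain) to the traditional
# "BEGIN RSA PRIVATE KEY" form kyrtool accepts. openssl prompts for the
# passphrase when the input is encrypted. OpenSSL 3 needs -traditional for
# this form; OpenSSL 1.x lacks the flag but emits that form by default.
to_rsa_pem() {
    openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null \
        || openssl rsa -in "$1" -out "$2"
}

# Print the signature algorithm of a certificate, so you can confirm the
# renewed certificate really is SHA-2 signed (e.g. sha256WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# Concatenate key, server certificate and CA certificate(s) into one file in
# the order "kyrtool import all" expects: private key first, then the chain
# from the server certificate up to the root. Prints the number of PEM blocks
# written as a sanity check.
combine_pem() {
    out=$1
    shift
    cat "$@" > "$out"
    grep -c -- '-----BEGIN ' "$out"
}

# Whole procedure: normalise the key, check the certificate, combine, create
# the keyring and import everything.
build_keyring() {
    kyr=$1; pw=$2; key=$3; cert=$4; ca=$5
    case "$(key_format "$key")" in
        rsa) use_key=$key ;;
        pkcs8|pkcs8-encrypted)
            use_key="${key%.*}_rsa.key"
            to_rsa_pem "$key" "$use_key" || return 1 ;;
        *) echo "unrecognised private key format in $key" >&2; return 1 ;;
    esac
    echo "server certificate signed with: $(cert_sig_alg "$cert")"
    # Refuse to build a keyring whose chain does not verify against the CA.
    openssl verify -CAfile "$ca" "$cert" || return 1
    n=$(combine_pem combined.txt "$use_key" "$cert" "$ca")
    echo "combined.txt contains $n PEM blocks"
    kyrtool create -k "$kyr" -p "$pw" || return 1
    kyrtool import all -k "$kyr" -i combined.txt
}

# Example call, same kyrtool syntax as in the posts above:
# build_keyring keyfile.kyr password certificate.key server.cer cacert.cer
```

Run build_keyring from the directory holding the key and certificates; the private key file and the resulting combined.txt contain the unencrypted key, so remove them once the .kyr has been created.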