Importing a new SHA2+ certificate into Domino keyring based on existing CSR
Tags: sha2 keyring kyr openssl certificates domino import howto
When you renew an existing server certificate using the existing CSR, for example to upgrade from the weak SHA1 hash, the following commands will allow you to import the new server certificate into the existing Domino keyring file.
Requirements:
IBM Domino server running 9.0.1FP3+
IBM Notes client running 9.0.1FP3+
The 'new' keyring tool from www.ibm.com/support/fixcentral (901FP3IF_Keytool.zip)
The new certificate file from your certificate vendor and certificates for all signers in the certificate chain
Access to the keyring files (both .kyr and .sth)
To import the new certificate into the keyring, use the following command:
kyrtool import certs -k c:\domino\data\keyfile.kyr -i c:\temp\myserver.cer
For some reason the keyring tool does not always like relative paths so I use full paths for all files.
After importing the certificate you need to import the signer certificates:
kyrtool import roots -k c:\domino\data\keyfile.kyr -i c:\temp\thawteca-g2.cer
You can check the keyring using the following commands:
kyrtool show keys -k c:\domino\data\keyfile.kyr
This shows the private key.
kyrtool show certs -k c:\domino\data\keyfile.kyr
This shows all certificates in the keyring.
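Before running the import, it helps to confirm that the renewed certificate really is SHA-2 signed and that a signer certificate is on hand for every link in the chain. The following PowerShell script is an added example, not part of the original post or of kyrtool; it uses the .NET X509Certificate2 class, assumes each .cer file holds a single certificate, and reuses the post's sample paths as defaults.

```powershell
# Added example: pre-import sanity checks. Paths are the sample paths from the post.
param(
    [string]$ServerCert    = 'c:\temp\myserver.cer',
    [string[]]$SignerCerts = @('c:\temp\thawteca-g2.cer')
)

# Signature algorithm OIDs that are MD5- or SHA-1-based, i.e. not SHA-2.
$weakOids = @(
    '1.2.840.113549.1.1.4',  # md5WithRSAEncryption
    '1.2.840.113549.1.1.5',  # sha1WithRSAEncryption
    '1.3.14.3.2.29',         # sha1WithRSASignature (OIW)
    '1.2.840.10040.4.3',     # dsa-with-sha1
    '1.2.840.10045.4.1'      # ecdsa-with-SHA1
)

function Get-Cert([string]$Path) {
    # Full path, since the certificate class resolves relative paths against
    # the process working directory rather than the PowerShell location.
    $full = (Resolve-Path -LiteralPath $Path).Path
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
}

$leaf     = Get-Cert $ServerCert
$signers  = @($SignerCerts | ForEach-Object { Get-Cert $_ })
$problems = @()
$now      = Get-Date

if ($weakOids -contains $leaf.SignatureAlgorithm.Value) {
    $problems += "Server certificate is signed with $($leaf.SignatureAlgorithm.FriendlyName), not SHA-2."
}
if ($now -lt $leaf.NotBefore -or $now -gt $leaf.NotAfter) {
    $problems += "Server certificate is outside its validity period ($($leaf.NotBefore) to $($leaf.NotAfter))."
}

# Follow Issuer -> Subject links from the server certificate up to a self-signed root.
$current = $leaf
for ($depth = 0; $current.Subject -ne $current.Issuer -and $depth -lt 10; $depth++) {
    $issuer = $signers | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
    if (-not $issuer) {
        $problems += "No signer certificate supplied for issuer: $($current.Issuer)"
        break
    }
    $current = $issuer
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: $($leaf.Subject) is signed with $($leaf.SignatureAlgorithm.FriendlyName); signer chain is complete."
```

The script only reads the certificate files; it does not touch the .kyr or .sth files, so the import itself is still done with the kyrtool commands above.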