
How to create a Domino keyring for a SHA2+ certificate

Tags: keyring kyrtool x509 ssl certificate openssl domino sha2
When creating the CSR directly through the SSL vendor's website, you need to combine the key and certificate into the Domino keyring file yourself, and when the private key is not in RSA format it needs to be converted first.

This post is based on my experience with a certificate created through TransIP's website.

After creating the request I received a .zip file which contained the following:

Cabundle.crt
Certificate.crt
Certificate.key
Certificate.p7b

To create a new Domino keyring using kyrtool use the following command:

kyrtool create -k c:\cert\keyfile.kyr -p password

Unfortunately the certificate.key file provided by TransIP is not in RSA format, which kyrtool does not support.
In this case the format was easily determined by looking at the first line of the file: instead of starting with -----BEGIN RSA PRIVATE KEY----- the file started with -----BEGIN ENCRYPTED PRIVATE KEY-----.
Using openssl I combined the certificate and private key into a PKCS#12 file and then exported the private key in RSA format.
I imagine it can be done in one go and I'd love to hear from you if you know how.

openssl pkcs12 -export -inkey certificate.key -in certificate.crt -name label-for-cert -out certificate.p12
openssl pkcs12 -in certificate.p12 -nocerts -nodes -passin pass:password | openssl rsa -out privatekey.pem

Next, combine the private key, certificate and signer certificates into the keyring, either by importing them one by one or by combining them into one file before importing.

One by one:
kyrtool import keys -i c:\cert\privatekey.pem -k c:\cert\keyfile.kyr
kyrtool import certs -i c:\cert\certificate.crt -k c:\cert\keyfile.kyr
kyrtool import roots -i c:\cert\cabundle.crt -k c:\cert\keyfile.kyr

After combining the files:
copy privatekey.pem+certificate.crt+cabundle.crt all.pem

kyrtool import all -i c:\cert\all.pem -k c:\cert\keyfile.kyr

To verify the keyring:
kyrtool show keys -k c:\cert\keyfile.kyr
kyrtool show certs -k c:\cert\keyfile.kyr
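The following script is an added example and not part of the original post. It walks the same procedure on constructed input (a self-signed SHA-256 certificate with an encrypted PKCS#8 key, the -----BEGIN ENCRYPTED PRIVATE KEY----- form described above, subject name domino.example and password secret are made up), converts the key to the RSA form kyrtool wants in a single openssl rsa call, checks that the key actually belongs to the certificate before anything is imported, and builds all.pem so that no two PEM blocks are glued together. It needs only the openssl CLI; note that OpenSSL 3 writes PKCS#8 unless -traditional is given, which older releases do not know, hence the fallback.

```shell
#!/bin/sh
# Added example (not the post's own commands). Converts an encrypted PKCS#8 key
# to PKCS#1 "RSA PRIVATE KEY", verifies it against the certificate, builds all.pem.
set -eu

pem_label() {   # print the label of the first PEM block in a file
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# One-step conversion: openssl rsa reads an encrypted PKCS#8 key directly.
# OpenSSL 3 needs -traditional to emit PKCS#1; OpenSSL 1.x lacks the flag but
# already emits PKCS#1, so fall back when the flag is rejected.
to_rsa_key() {          # $1=input key  $2=password  $3=output file
    openssl rsa -in "$1" -passin "pass:$2" -traditional -out "$3" 2>/dev/null ||
    openssl rsa -in "$1" -passin "pass:$2" -out "$3"
}

# Succeed only if key and certificate share the same RSA modulus, i.e. the key
# really is the one the CSR was generated with.
key_matches_cert() {    # $1=key file  $2=certificate file
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Concatenate key, certificate and CA bundle for "kyrtool import all".
# "awk 1" appends a newline after every file so a missing trailing newline can
# never glue "-----END CERTIFICATE-----" to the next "-----BEGIN".
build_all_pem() {       # $1=output file, remaining args = input files in order
    out=$1; shift
    : > "$out"
    for f in "$@"; do awk 1 "$f" >> "$out"; done
    grep -c -- '-----BEGIN ' "$out"    # prints the number of PEM blocks written
}

# --- constructed input standing in for the vendor's zip (values are made up) ---
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -subj '/CN=domino.example' \
    -passout pass:secret -keyout "$WORK/certificate.key" -out "$WORK/certificate.crt" 2>/dev/null
cp "$WORK/certificate.crt" "$WORK/cabundle.crt"   # self-signed: the cert is its own root

to_rsa_key "$WORK/certificate.key" secret "$WORK/privatekey.pem"
key_matches_cert "$WORK/privatekey.pem" "$WORK/certificate.crt"
BLOCKS=$(build_all_pem "$WORK/all.pem" "$WORK/privatekey.pem" "$WORK/certificate.crt" "$WORK/cabundle.crt")
echo "before: $(pem_label "$WORK/certificate.key") / after: $(pem_label "$WORK/privatekey.pem") / blocks in all.pem: $BLOCKS"
```

The resulting all.pem is what the kyrtool import all command above expects; a modulus mismatch stops the script before a wrong key ever reaches the keyring.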