
Generating a keyring file with a self-signed or third-party certificate for Domino


Contents

Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool  3
Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation  6
| Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool | 3

Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool

The following steps are the easiest to understand and to expand upon when moving to an OpenSSL-based CA or a
third party CA. Alternatively, "openssl x509" can be used to create a self-signed certificate in one operation.
1. Generate an RSA key pair.

[~]$ openssl genrsa -out server.key 4096

Generating RSA private key, 4096 bit long modulus
...................................................................++
...................................................................++
e is 65537 (0x10001)

The resulting key pair must not be password protected. An unencrypted private key on disk is not good security
practice, so only perform these steps for production systems on a restricted-access system believed to be secure.
The resulting key pair should look like the following:

[~]$ cat server.key

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
5EmUfjZ/LDMDqnmFxTDvr2iiajZI/L/8thgwBEK2AEGhCppyvyo/mzvMua9j7I8G
[Many lines removed]
tuEe3JGUnHaWetQYOU6PmTKIgPpd3disflCJe8K1dzN8bEkQF2eZk/oODVHSHRyC
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----

2. Generate a Certificate Signing Request (CSR).


This step prompts you for information that should be in your final certificate, bundles that up along with the public
half of the RSA keypair that was just generated, and signs the whole thing with the private half of the keypair.
In this example every option is left blank except for the DNS name of the SSL server. Note the "-sha256", as the
default algorithm for current versions of OpenSSL is SHA-1.

[~]$ openssl req -new -sha256 -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[~]$ cat server.csr


-----BEGIN CERTIFICATE REQUEST-----
MIIEbDCCAlQCAQAwJzElMCMGA1UEAwwcdWx0cmF2aW9sZXQuc3dnLnVzbWEuaWJt
LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK/bmWGdQa62sVtQ
HTNXnHsYg9rmj8TSo0tqdqfacoFHP71Nna66o497QMm3ZDRBXMEC2P3iGXBKMB5o
[Many lines removed]
nbXBaWgJqMk71f2vU1LnNQQresCBJpzNWgjyLaTszUR6eL8JD9WxddMK/82h9QVx
uFO005u3Fa2uC+8axiMKO3sSuVsgXHQpCuSnw2jDCQoeW/C/GSswsdWVyEzHMMjD
KQTH5iQLVPWArBoE1SV/RzG8tvLqH6JxHmSG7cnrgH0=
-----END CERTIFICATE REQUEST-----

3. Create a Self-Signed Certificate.

Note the "-sha256", as the default signing algorithm for current versions of OpenSSL is sha1WithRSAEncryption,
not sha256WithRSAEncryption.

[~]$ openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem
Signature ok
subject=/CN=www.example.com
Getting Private key

[dskern@paranoia ssl]$ cat server.pem

-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQCIqzNZtkev6TANBgkqhkiG9w0BAQUFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE3NDUzMFoXDTI0
MTAwNTE3NDUzMFowJzElMCMGA1UEAwwcdWx0cmF2aW9sZXQuc3dnLnVzbWEuaWJt
[Many lines removed]
lysEvJF7MuiDfgOyUn2ZfmTpDm62dXalzXnBrGcAiPo5swds+UnN68BCejptUnti
TQ4rb9iXP4Zdz6jNuUOtuhlovyJWtUF27VQSdZLoqAoCM3pNybBVAh4FpapYw4XR
c6xhntH8Y6hyyxp1er8v26M9Kg6dgNZTXo3rKtMW+I4bu+ziMYuY9/oLR8nbEj2l
93Llwb/jwgxJBVZRwhU4M1JxETQBzc19pJ0kcE94
-----END CERTIFICATE-----

4. Create a new keyring file.

At this point in the example, the Administrator switched from the Linux box where OpenSSL was run to a
Windows box to use kyrtool.exe.

[C:\] kyrtool =c:\hcl\notes\notes.ini create -k c:\hcl\notes\data\keyring.kyr -p password

Keyfile c:\hcl\notes\data\keyring.kyr created successfully

[C:\HCL\Notes\Data] dir keyring*

Volume in drive C is C_Drive
Volume Serial Number is 306D-00D5

Directory of C:\HCL\Notes\Data

10/08/2014 02:15 PM 29,161 keyring.kyr
10/08/2014 02:15 PM 129 keyring.sth
2 File(s) 29,290 bytes
0 Dir(s) 400,743,673,856 bytes free

5. Import the RSA keypair and self-signed certificate into the new keyring file.
a. Concatenate server.key and server.pem into a single file:
The simplest approach to concatenate two files into a third file will vary based on your operating system, but
you should end up with a single file that appears similar to the following:

[C:\HCL\Notes\Data\ssl] cat server.txt

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
[Many lines removed]
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQDa3d9OQUIsWzANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE4MzQ0NloXDTI0
[Many lines removed]
qddsfWubEwoMYKevnV8u9EFp7f0RONGqp93iU9O5jYPdrcB+RryT7bwErDTQKjua
ZAcuoKnUrnXiGIiq/dkXg2Umaf9Quewz0ow7BrCW
-----END CERTIFICATE-----
b. Verify the input file:

[C:\] kyrtool =c:\hcl\notes\notes.ini verify c:\hcl\notes\data\ssl\server.txt

KyrTool v1.0

Successfully read 4096 bit RSA private key
INFO: Successfully read 1 certificates
INFO: Private key matches leaf certificate
INFO: Final certificate in chain is self-signed
c. Import the keypair and self-signed certificate:

[C:\] kyrtool =c:\hcl\notes\notes.ini import all -k c:\hcl\notes\data\keyring.kyr -i c:\hcl\notes\data\ssl\server.txt

Using keyring path 'c:\hcl\notes\data\keyring.kyr'

Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded

6. Examine the resulting keyring file.

[C:\] kyrtool =c:\hcl\notes\notes.ini show keys -k c:\hcl\notes\data\keyring.kyr

Using keyring path 'c:\hcl\notes\data\keyring.kyr'

Key length: 4096 bits

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr9uZYZ1BrraxW1AdM1ec
exiD2uaPxNKjS2p2p9pygUc/vU2drrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9U
[Many lines removed]
u4cjcmMILbXNul+sXFGx1TcIlZ2/vmwb1XO0GVKFLS5cjYhcRrdbyV5JfVVawQpG
xmWG4e18WWnc0bMt1ovVXQMCAwEAAQ==
-----END PUBLIC KEY-----

Key length: 4096 bits

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
[Many lines removed]
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----
[C:\] kyrtool =c:\hcl\notes\notes.ini show certs -k c:\hcl\notes\data\keyring.kyr

Using keyring path 'c:\hcl\notes\data\keyring.kyr'

Server certificate #0

Subject: CN=www.example.com
Issuer: CN=www.example.com
Not Before: 10/08/2014 02:34:46 PM
Not After: 10/05/2024 02:34:46 PM
Key length: 4096 bits
Signature Alg: sha256WithRSAEncryption

-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQDa3d9OQUIsWzANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE4MzQ0NloXDTI0
[Many lines removed]
qddsfWubEwoMYKevnV8u9EFp7f0RONGqp93iU9O5jYPdrcB+RryT7bwErDTQKjua
ZAcuoKnUrnXiGIiq/dkXg2Umaf9Quewz0ow7BrCW
-----END CERTIFICATE-----

7. Copy over your new keyring file and start the Domino server.
Back up your old .kyr and .sth files, shut down the server, copy over your new keyring and stash files, restart the
server, and check out the results!

Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation

Generate a SHA-2 certificate using a 3rd party CA with OpenSSL and KYRTool on a Windows workstation. These
steps are nearly identical to generating a keyring file with a self-signed cert.
• If you have a command line parameter with spaces in it, such as the path to a file, the space can cause the
command line to be read incorrectly, resulting in errors. This can affect running commands for both OpenSSL and
KYRTool.
• To include a space in a parameter, the parameter must be delimited with quotation marks. For example, if Notes
were installed in the Program Files directory, then the command line for creating a keyring might look like this:

kyrtool ="c:\Program Files\HCL\Notes\notes.ini" create -k "c:\Program Files\HCL\Notes\data\keyring.kyr" -p password

1. KYR Tool
• KYRTool comes installed in the Domino program directory starting with Domino 10. If you use an earlier
version of Domino, you can download it from here.
• Place the KYRTool in the Notes program directory, as it relies on .DLLs installed by Notes.
• If you have the Notes/Domino program directory in your system's PATH environment variable, this can be
installed to any directory.
2. OpenSSL.
• Download links for the Windows versions of OpenSSL are available at https://slproweb.com/products/Win32OpenSSL.html
• The light version of OpenSSL is sufficient for the tasks required for creating a SHA-2 certificate. v1.0.1j is the
latest recommended release as of December 2014. Either the 32-bit or 64-bit version can be used if you are on
Windows 7.
• OpenSSL may need updates to Windows Visual C++ libraries. If the libraries are not up to date, a prompt
will display during the OpenSSL install noting that updated Visual C++ libraries are needed. Links for
downloading these libraries are also on the download page for OpenSSL.
• A configuration file "openssl.cfg" will be extracted by the installer to the bin directory. In order for OpenSSL
to read this configuration file, you must set an environment variable by running the following command from a
DOS prompt:

SET OPENSSL_CONF=<path to the OpenSSL bin directory>\openssl.cfg

e.g. SET OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg
• You run OpenSSL from the "openssl.exe" file, which is found in the \bin directory of the OpenSSL install. On
Windows, open this directory in a Command prompt window in administrator mode to run it. (You'll get an
error if you try to run it by double-clicking in File Explorer.)
3. Generate a Certificate Signing Request (CSR) using OpenSSL.
NOTE: If a config file for OpenSSL is not defined by an environment variable, a user may not be able to create
a CSR with the "openssl req" command, and will receive the following message when running the command:
Unable to load config info from /usr/local/ssl/openssl.cnf.
See step 2 (OpenSSL) above to resolve this.
This step prompts you for information that should be in your final certificate, bundles that up along with the
public half of the RSA keypair that was just generated, and signs the whole thing with the private half of the
keypair. In this example, everything was left blank except for the DNS name of the SSL test server. Note the
"-sha256", as the default algorithm for current versions of OpenSSL is SHA-1.

openssl req -new -sha256 -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[C:\] type server.csr

-----BEGIN CERTIFICATE REQUEST-----
MIIEbDCCAlQCAQAwJzElMCMGA1UEAwwcdWx0cmF2aW9sZXQuc3dnLnVzbWEuaWJt
LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK/bmWGdQa62sVtQ
HTNXnHsYg9rmj8TSo0tqdqfacoFHP71Nna66o497QMm3ZDRBXMEC2P3iGXBKMB5o
[Many lines removed]
nbXBaWgJqMk71f2vU1LnNQQresCBJpzNWgjyLaTszUR6eL8JD9WxddMK/82h9QVx
uFO005u3Fa2uC+8axiMKO3sSuVsgXHQpCuSnw2jDCQoeW/C/GSswsdWVyEzHMMjD
KQTH5iQLVPWArBoE1SV/RzG8tvLqH6JxHmSG7cnrgH0=
-----END CERTIFICATE REQUEST-----

4. Acquire an SSL/TLS certificate from a third party CA.

This process varies from CA to CA, but you generally copy the certificate request block from above into a
web form and pick what signing algorithm you would like the CA to use. Feel free to select one of the SHA-2
algorithms (SHA-256, SHA-384, or SHA-512); the resulting keyring file will work just fine on any 9.0.x
server, even those without the hotfix for TLS and SHA-2.
You will receive a certificate just like the one created in the self-signed steps. This can be displayed by using the
"type" command from a command prompt or by opening the file in Notepad.

[C:\] type server.pem

-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQCIqzNZtkev6TANBgkqhkiG9w0BAQUFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE3NDUzMFoXDTI0
MTAwNTE3NDUzMFowJzElMCMGA1UEAwwcdWx0cmF2aW9sZXQuc3dnLnVzbWEuaWJt
[Many lines removed]
lysEvJF7MuiDfgOyUn2ZfmTpDm62dXalzXnBrGcAiPo5swds+UnN68BCejptUnti
TQ4rb9iXP4Zdz6jNuUOtuhlovyJWtUF27VQSdZLoqAoCM3pNybBVAh4FpapYw4XR
c6xhntH8Y6hyyxp1er8v26M9Kg6dgNZTXo3rKtMW+I4bu+ziMYuY9/oLR8nbEj2l
93Llwb/jwgxJBVZRwhU4M1JxETQBzc19pJ0kcE94
-----END CERTIFICATE-----

You may also receive some of the CA's intermediate root certificates. Also note that the file received may be a .crt
instead of .pem. The .crt file will act the same as a .pem when you display it.
5. Create a new keyring file.
At this point in the example, the Administrator switched from the Linux box where OpenSSL was run to a
Windows box to use kyrtool.exe.

[C:\] kyrtool =c:\lotus\notes\notes.ini create -k c:\lotus\notes\data\keyring.kyr -p password
Keyfile c:\lotus\notes\data\keyring.kyr created successfully

[C:\Lotus\Notes\Data] dir keyring*

Volume in drive C is C_Drive
Volume Serial Number is 306D-00D5

Directory of C:\Lotus\Notes\Data

10/08/2014 02:15 PM 29,161 keyring.kyr
10/08/2014 02:15 PM 129 keyring.sth
2 File(s) 29,290 bytes
0 Dir(s) 400,743,673,856 bytes free

6. Import the server's private key, root certificates, and server certificate into the new keyring file.
a. There are two options for this step. You can perform either 6b - Option 1 (concatenate server.key and
server.pem into a single file) OR 6c - Option 2 (issue a series of four import commands).
b. Option 1: Concatenate the server's private key (server.key) and the certificates into a single file.
This step varies from the self-signed case. You will have more than one certificate in your ".pem" file, and will
want to place them in order with your server's SSL "leaf" certificate first and the root certificate last. The verify
step (6d) will check that the ordering is correct. If it returns any warnings or errors, edit the PEM file and verify
it again.
Note the following:
• Certificate Authorities will frequently return a signed certificate in a .crt file. If they also provide the root
certificates when returning the CSR file, then you can concatenate all of the .crt files to the private key by
using the "type" command from a DOS prompt.
• The files should be concatenated with the server key first, the server's cert next, the intermediate cert next,
and the root cert last. Concatenation can be done from a DOS prompt using the TYPE command. The type
command takes a list of files and appends them together into an output file designated with a greater-than
symbol. For example:

type server.key server.crt intermediate.crt root.crt > server.txt

In this example "server.txt" is the file provided to the kyrtool for import into a Domino keyring. You can display
this output file in Notepad.
• If the root and intermediate certs are not provided with the signed certificate, export the intermediate and
root certificates by opening the server certificate with Windows Crypto Extensions. This displays
the certificate in a three-tabbed user interface. On the third tab, select each of the signing certificates, select
display, and then export that certificate using the "save to file" command on the second tab. Save each cert
file using Base 64 format.
c. Option 2: Issue the following series of four import commands to merge the root certificate, the
intermediate certificate, the server key and the signed server certificate into the keyring file.
IMPORTANT NOTE: If you perform this option, you do not need to perform step 6b or the verify and import
steps that follow it (6d and 6e). You can instead proceed straight to Step 7 - "Examine the resulting keyring file."

#1 - Issue the 'import roots' command to import the root certificate:
kyrtool import roots -i C:\root.crt -k "C:\Program Files\hcl\notes\data\keyring.kyr"

#2 - Issue the 'import roots' command to import the intermediate certificate:
kyrtool import roots -i C:\intermediate.crt -k "C:\Program Files\hcl\notes\data\keyring.kyr"

#3 - Issue the 'import keys' command to import the server key file:
kyrtool import keys -i C:\server.key -k "C:\Program Files\hcl\notes\data\keyring.kyr"

#4 - Issue the 'import certs' command to import the signed server certificate:
kyrtool import certs -i C:\sitecert.crt -k "C:\Program Files\hcl\notes\data\keyring.kyr"
d. Verify the Input file. This is an example of a complete and correctly ordered PEM file:

[C:\] kyrtool =c:\lotus\notes\notes.ini verify c:\lotus\notes\data\ssl\server.txt

KyrTool v1.0

Successfully read 2048 bit RSA private key
INFO: Successfully read 4 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: IssuerName of cert 2 matches the SubjectName of cert 3
INFO: Final certificate in chain is self-signed

If you receive any ERROR: lines, you should resolve those errors before moving on to step 6e.
e. Import the keypair and self-signed certificate:

[C:\] kyrtool =c:\lotus\notes\notes.ini import all -k c:\lotus\notes\data\keyring.kyr -i c:\lotus\notes\data\ssl\server.txt

Using keyring path 'c:\lotus\notes\data\keyring.kyr'

Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded
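The layout rules for the concatenated file (private key first, leaf certificate next, intermediates, root last) and the INFO/ERROR lines that the verify step prints can be checked on the Linux side before the file ever leaves that box. The script below is an added example; it is not part of the HCL documentation and it is not kyrtool. It reproduces the checks of "kyrtool verify" with openssl alone, adds the unencrypted-key and SHA-2 checks that steps 1 and 3 of the self-signed section call for, and finishes with "openssl verify" over the chain, which a name comparison cannot replace. It serves both the single self-signed certificate bundle of step 5a in the first section and the multi-certificate bundle of step 6b here. The chain it builds for its own run is constructed test data, the helper names (split_bundle, check_bundle, make_test_chain) are this example's own, and it assumes openssl 1.1.1 or later and awk on the PATH.

```sh
#!/bin/sh
# Added example, not from the HCL documentation and not part of kyrtool: a
# pre-flight check for the PEM bundle that "kyrtool verify" expects (private
# key first, server "leaf" cert, intermediates, root last), using openssl only.
# Assumes openssl 1.1.1 or later and awk on PATH.

# Split a bundle into $2/key.pem and $2/cert-01.pem, cert-02.pem, ...;
# print the number of certificates found.
split_bundle() {
  awk -v dir="$2" '
    /^-----BEGIN .*PRIVATE KEY-----/ { out = dir "/key.pem" }
    /^-----BEGIN CERTIFICATE-----/   { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                        { print > out }
    /^-----END/                      { close(out); out = "" }
    END                              { print n + 0 }' "$1"
}

# Subject or issuer DN ($2) of certificate $1, without the "subject="/"issuer=" prefix.
dn() { openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"; }
cert_path() { printf '%s/cert-%02d.pem' "$1" "$2"; }

# Check one bundle: prints INFO/ERROR lines, returns 0 only if nothing is wrong.
check_bundle() {
  work=$(mktemp -d) || return 1; errors=0
  n=$(split_bundle "$1" "$work")
  if [ ! -s "$work/key.pem" ] || [ "$n" -eq 0 ]; then
    echo "ERROR: bundle needs a private key and at least one certificate"; rm -rf "$work"; return 1
  fi
  # kyrtool needs the key unencrypted (step 1 of the self-signed section).
  grep -q ENCRYPTED "$work/key.pem" && { echo "ERROR: private key is password protected"; errors=$((errors + 1)); }
  bits=$(openssl rsa -in "$work/key.pem" -noout -text 2>/dev/null | grep -o '[0-9]* bit' | head -n 1)
  echo "INFO: Successfully read ${bits:-unknown} RSA private key"
  echo "INFO: Successfully read $n certificates"
  leaf=$(cert_path "$work" 1); last=$(cert_path "$work" "$n")
  # The key must belong to cert 0, so the server certificate has to come first.
  if [ "$(openssl pkey -in "$work/key.pem" -pubout 2>/dev/null)" = "$(openssl x509 -in "$leaf" -noout -pubkey)" ]; then
    echo "INFO: Private key matches leaf certificate"
  else
    echo "ERROR: Private key does not match cert 0 (is the server certificate first?)"; errors=$((errors + 1))
  fi
  # The point of the whole procedure: a SHA-2 signature on the server certificate.
  alg=$(openssl x509 -in "$leaf" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case $alg in
    sha256*|sha384*|sha512*) echo "INFO: Leaf signature algorithm is $alg" ;;
    *) echo "ERROR: Leaf signature algorithm is ${alg:-unknown}, not SHA-2"; errors=$((errors + 1)) ;;
  esac
  # Each certificate's issuer must be the subject of the next one in the file.
  i=1
  while [ "$i" -lt "$n" ]; do
    if [ "$(dn "$(cert_path "$work" "$i")" issuer)" = "$(dn "$(cert_path "$work" $((i + 1)))" subject)" ]; then
      echo "INFO: IssuerName of cert $((i - 1)) matches the SubjectName of cert $i"
    else
      echo "ERROR: IssuerName of cert $((i - 1)) does not match the SubjectName of cert $i"; errors=$((errors + 1))
    fi
    i=$((i + 1))
  done
  if [ "$(dn "$last" issuer)" != "$(dn "$last" subject)" ]; then
    echo "ERROR: Final certificate in chain is not self-signed (root missing?)"; errors=$((errors + 1))
  else echo "INFO: Final certificate in chain is self-signed"; fi
  # Matching names is not checking signatures; let openssl verify the chain too.
  if [ "$n" -gt 2 ]; then
    i=2; : > "$work/untrusted.pem"
    while [ "$i" -lt "$n" ]; do cat "$(cert_path "$work" "$i")" >> "$work/untrusted.pem"; i=$((i + 1)); done
    result=$(openssl verify -CAfile "$last" -untrusted "$work/untrusted.pem" "$leaf" 2>&1)
  else
    result=$(openssl verify -CAfile "$last" "$leaf" 2>&1)
  fi
  case $result in
    *": OK"*) echo "INFO: Signatures verify from leaf to root" ;;
    *) echo "ERROR: openssl verify failed: $result"; errors=$((errors + 1)) ;;
  esac
  rm -rf "$work"
  [ "$errors" -eq 0 ]
}

# Constructed test data, not real certificates: root CA -> intermediate CA ->
# www.example.com, SHA-256 throughout, 2048-bit keys to keep the run short.
make_test_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  for name in root int leaf; do openssl genrsa -out "$d/$name.key" 2048 2>/dev/null; done
  openssl req -new -sha256 -key "$d/root.key" -subj "/CN=Test Root CA" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -sha256 -key "$d/int.key" -subj "/CN=Test Intermediate CA" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -sha256 -key "$d/leaf.key" -subj "/CN=www.example.com" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.key" "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/good.txt"   # the order step 6b asks for
  cat "$d/leaf.key" "$d/root.pem" "$d/int.pem" "$d/leaf.pem" > "$d/bad.txt"    # reversed: root first
  cat "$d/root.key" "$d/root.pem" > "$d/selfsigned.txt"                        # the step 5a self-signed case
}

# Stand-alone run: build the constructed chain and check the three layouts.
d=$(mktemp -d); make_test_chain "$d"
for f in good.txt bad.txt selfsigned.txt; do echo "== $f"; check_bundle "$d/$f" && echo "RESULT: ready for kyrtool import" || echo "RESULT: fix the file first"; done
rm -rf "$d"
```

Run it as-is to see the correct order, the reversed order and the single self-signed case checked; to check your own file, call check_bundle on the server.txt you intend to hand to kyrtool, and treat a non-zero exit as "edit the PEM file and verify it again". Treating a SHA-1 leaf signature as an ERROR rather than a warning is a deliberate choice here, since a SHA-2 server certificate is the purpose of the procedure; a SHA-1 root is not flagged, because only the leaf is checked.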

7. Examine the resulting keyring file.

[C:\] kyrtool =c:\hcl\notes\notes.ini show keys -k c:\hcl\notes\data\keyring.kyr
[C:\] kyrtool =c:\hcl\notes\notes.ini show certs -k c:\hcl\notes\data\keyring.kyr

8. Copy over your new keyring file and start the Domino server.
Back up your old .kyr and .sth files, shut down the server, copy over your new keyring and stash files, restart the
server, and check out the results!
