Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

Daniel Nashed  2 December 2014 09:52:36
Now that more and more customers are using the new keyring tool we run into interesting constellations.
Microsoft uses binary formats instead of the ascii based PEM format that the keyring tool requires.

Openssl does not only help you to create the key and the certficates. You can also use it to convert the certificate formats.

I have written a short step by step short documentation for my customer including some troubleshooting steps and tricks.

To keep it short I have left out the results from the commands. But you find this information in the official IBM documentation (

-- Daniel

Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

First of all you have to find a machine with openssl installed. The most easy way would be to log into any type of Linux machine with a current openssl version installed.
But there are also Windows implementations.

Create Private/Public Key

In the first step you create a private public key using the standard openssl command-line.

openssl genrsa -out server.key 4096

Create Certificate Request

In the next step you create a certificate request and have it processed by your CA.

The command-line will prompt you for country, organisation name etc and the name of your server.

That would be the DNS name of the server for example "" or in case you want to generate a wildcard certficate "*"

openssl req -new -sha256 -key server.key -out server.csr

Convert Binary Certificate Files to PEM Format

The Domino kyrtool requires the text based PEM format but the Microsoft CA does generate binary files.

The following commands can be used to convert the formats.

First of all you convert the server certificate to from binary DER format to text based PEM format:

openssl x509 -inform der -in server.cer -outform pem -out server.pem

In the next step you convert the certificate chain from p7b binary format to PEM format as well

openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem

Combine Key, Cert and Chain to a single file

The most easy way to import all certificates you combine all parts into a single PEM formatted file.

The order in the file must match leave to root order. In most cases you just copy all party into a single file.

copy server.key+server.pem+chain.pem all.pem

Now you have all parts in a single file in the right order.

Note: In some cases the server certificate is already in the chain file. In that case you have to ensure that the certificate is only listed once

Create Keyring File

Download and install the new kyrtool -- just copy it into the Notes program directory.

Afterward just create a new keying file and set a password.

Note: Password only has to be entered the first time you access the keyring afterwards it is automatically read from the sth file.

c:\Notes\kyrtool.exe create -k c:\cert\mykeyring.kyr -p SecurePassword

Import Key, Cert and Chain

In the next step you just import all parts we added to the single file into your keyring.

c:\Notes\kyrtool.exe import all -k c:\cert\mykeyring.kyr -i c:\cert\all.pem

Troubleshooting / Verification

There are two interesting options that might be helpful.

First of all before you import the certificates you can verify the file is complete and all certificates in the chain are present and matching.

C:\Notes\kyrtool.exe verify c:\cert\all.pem

The result be as follows:

- A private key should be present

- The should be no missing certs in the chain or mismatches

- The last certificate in the chain is self-singed (root certificate)

Another way to show the certs and dump them might be useful as well.

This command line shows you all the certs with detailed information about each part.

C:\Notes\kyrtool.exe show certs -i c:\cert\all.pem

Verify existing keyring files

If you want to verify an exiting keyfile you can combine "show certs" output into a file with a "verify" command on that output file.

The only error you should have with that verify is that the private key is missing.
That helps to verify that a keyring file has a complete chain.


1ISMAIL KHAN   08.12.2014 8:53:33  Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

Hello Daniel,

I have just confused creating and kyr file for SHA-2 support.

For traveler existing SSL is getting expired soon. We already running latest version of domino 9.0.1 FP2 IF1 and also ibm notes traveler 7.

From 8.5.x administration client tried creating new CSR and provided to vendor for providing the signed CSR. While merging i am getting error "Certificate signature does not match contents" so its clear from 8.5.x we will be getting this error. If i try to access the same from Notes 9.0.1 FP2 IF1 can i go with the normal cersrv.nsf database process or else i have to use the kyrtool.exe which has to be placed in note program directory.

Thanks & Regards

Ismail khan

2ISMAIL KHAN   08.12.2014 9:33:42  Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

Hello Daniel,

I got it from the below link

{ Link }

How to implement SHA-2 for DominoStep 1: Download and install Notes 9.0.1 Fix Pack 2 Interim Fix 2 on a Domino Administrator client. This allows an administrator to use the KYRTool and work with the Cert Req database to generate SHA-2 certificates.

Note: Without this patch you will receive "Certificate signature does not match contents" error during step 17, "Merge Trusted Roots"

Step 2: Download and install the KYRTool on the same Domino Administrator client referenced in step 1 by placing the W32 kyrtool.exe in the Notes program directory. Refer to the wiki articles linked below for instructions on installing and running KYRTool

KYRTool is a new tool that replaces iKeyMan. KYRTool is capable of handling SHA-1 and SHA-2 certificates.

Step 3: Upgrade your Domino server running the CA process to 9.0.1 Fix Pack 2 Interim Fix 1 or 9.0 Interim Fix 6. These Interim Fixes will allow the CA process on the Domino server to process SHA-2 certificates.

So i have planned to go with Step1

Thanks & Regards

Ismail khan

3venkat shanthi  05.07.2016 14:58:08  Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

Good One and very useful. Thanks to the author. It resolved my problem. Here is is related article for more reference, please check it out

{ Link }

  • [IBM Lotus Domino]
  • [Domino on Linux]
  • [Nash!Com]
  • [Daniel Nashed]