Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Easy kyr file creation with Early Access V12 in production

Daniel Nashed  10 October 2020 21:40:52

The kyr format is a really old propritary IBM format.
Since Domino 9 the only way to create kyr files is to use the command-line kyrtool.

It can only import existing key pairs + certificates.
So the current flow is often to use OpenSSL to create a key pair and a CSR or to import existing key pairs with the matching certificates.

That flow is going to change with Domino V12 completely.
The CertMgr servertask and the cerstore.nsf will completely simplify the operation and remove the need for kyr files.

But it will still allow to generate kyr files for older servers ..
And you can use it today to generate kyr files for your existing servers ;-)

-- Daniel

1Fredrik Norling  12.10.2020 12:54:09  Easy kyr file creation with Early Access V12 in production

So we are going back to the old ways almost of doing this before the kyr files.

The good thing with the openssl and kyr file way was that it was easier to automate with batch files. ;-)

2Daniel Nashed  13.10.2020 17:58:30  Easy kyr file creation with Early Access V12 in production


Not really back to what it was before. The new servertask and database will be completely different!

- It will internally use PEM format all over the place

- Form how it looks like you will have different ways to interface it

- the certstore.nsf is a Domain wide database that deploys certficates for all servers

- The documents are planned to be encrypted for safe storage on rest and there will be fine control who can access them

- Let's Encrypt is fully supported and the resulting keys and certs are in the certstore.nsf

- There are manual operations to interface create key-pairs, CSRs, import certs etc

- There are discussions to support other formats for export/import for example .p12

- There might be interface options to integrate with other CAs

If you are interested in this topic, you should join us in the Early Access Program and Forum to provide early feedback.

The HCL development team is looking for early access feedback!

So if you are not joining, you can't complain later ;-)

-- Daniel

3Samuel Flint  14.10.2020 14:59:35  Easy kyr file creation with Early Access V12 in production

Domino's HTTP stack has been behind the times for quite a while, so far as HTTPS goes.

To get proper SSL support, we ended up running Domino in HTTP-only mode, behind an Nginx reverse proxy.

The alternate HTTP port is not exposed to the outside world.

We use WACS to automatically renew letsencrypt certificates.

This setup performs beautifully.

As you can see from ssllabs, we have an A+ rating on our production servers.

4Daniel Nashed  14.10.2020 22:55:44  Easy kyr file creation with Early Access V12 in production


Thanks for your comments!

What do you miss for Domino HTTPS in the current releases?

In Domino 9.0.1 shortly before Poodle came up, IBM started to introduce new features step by step.

They wanted to do it on one step, but because of Poodle they needed to get something out sooner.

So they started with TLS 1.0 with some ciphers and step by step in FPs and IFs added TLS functionality and ciphers.

All the ciphers and configuration was notes.ini only and they changed that with the next major version Domino 10

Since than we had a pretty good set of ciphers. But yes it's TLS 1.2 only

Hopefully we will get TLS 1.3 for Domino V12.

There is finally SNI support since Domino 11.0.1 -- which made me very happy.

But with the ciphers we have and the current changes with Domino V12 we are on a good level.

There is ECC / ECDSA support in the current code drops for V12.

What else are you missing for HTTPS security?

-- Daniel



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]