Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Last Time updating my SSL Certificate using a KYR file

Daniel Nashed  27 April 2021 05:31:27

I am using Domino V12 CertMgr for a while with my own custom export logic for the kyr file.
The kyr file export in Domino V12 CertMgr was only available until the new crypto to protect the private key was added.
You can't export keys today. But you can import keys.

So here is a quick step by step instruction how to user CertMgr today with kyr files.
Looks complicated. But with native Domino V12 it will be very very easy soon.
But this is how you could leverage it today on Domino V12 servers.

1. Create a private key and create a self singed

The certmgr -importpem functionality expects at least a key and a leaf cert.
So we create a dummy self signed for now.

openssl req -newkey rsa:4096 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
cat key.pem > all.pem
cat cert.pem >> all.pem

2. Import kyr into certstore.nsf

load certmgr -importpem all.pem

3. Use CertMgr to get a certificate for the host you specify and the key you imported.
(note: the CN is currently not added to the document as a host name  -- fixed in GA).

Make sure your CertMgr server is listed in "Servers with access" so that the new certificate is automatically used.

4. Pickup the certificate chain

If SNI is enabled, you could even pickup the cert, if the server doesn't have DNS entry for this certificate.
The following command line can be used to get the full cert chain over HTTPS.

openssl s_client -servername -showcerts -connect /dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > chain.txt

You can also copy the certificate chain via copy & paste. But this is more fun...
The cool part is that as long the key stays the same, you can renew just use step 4 to pick up the changed cert.

Now copy the key + the cert chain together and import them into a kyr file.

load kyrtool create -k keyfile.kyr -p my-super-secret-password
load kyrtool import all -k keyfile.kyr -i privatekey_andchain.pem

In my case I am using the DNS-01 option in Domino V12 CertMgr to request a wild-card certificate from Let's Encrypt.
The next time I need to renew my cert I will run CertMgr with Domino V12 in production and no *.kyr files are needed any more.

Domino V12 can read private keys and certs (new name: TLS Credentials) directly from certstore.nsf.

So the next time I will use Domino V12 + CertMgr + ECDSA keys for sure :-)

-- Daniel

Image:Last Time updating my SSL Certificate using a KYR file
No Comments Found



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]