Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


New Version of KyrTool released

Daniel Nashed  3 April 2015 06:38:12
There is a newer version of the key ring tool that has been released on fix-central.

Here is the list of fixes for the newer version.
You should also update your client and server to the latest available IF because there are also fixes in the back-end for some issues parsing certificates.

By the way ... I really like the command line kyrtool. A couple of days ago a customer asked me for some maintenance of their existing key ring files.
Their CA expired and we had to remove the root CA from over 150 key-ring files.
Using a shell script in combination with the kyrtool allowed me to export the private key and certificates, use "sed" to modify the file, create a new key-ring file, re-import and verify the key-ring file.
We even dumped information about the keys, certs etc and validation of the key-ring files into a CSV file to have an overview :-)

-- Daniel
DKEN9U5UEX Fix crash if pem file provided as input file has embedded nulls
KLYH9UBNGW Add Sha 256 Pinning to the kyrtool - displaying the digest on show commands
MKIN9QHT5W Fix kyrtool crashing when attempting the create command and giving an existing directory for the keyfile name
DKEN9RVQGD Fix kyrtool sometimes erroring on import all command

1Heinrich Nellen  14.04.2015 13:20:26  New Version of KyrTool crashes using the show command

Using the "show" command leeds to a crash of the new kyrtool (linux 64 or windows 32). Both systems were not patched to the latest IF.

Subject: ***********

Issuer: ***********

Not Before: ***********

Not After: ***********

Key length: 4096 bits

[052C:0002-0218] Thread=[052C:0002-0218]

[052C:0002-0218] Stack base=0x0019DFCC, Stack size = 9468 bytes

[052C:0002-0218] PANIC: LookupHandle: handle out of range

I didn't test it with a fully patched system. The old version worked fine.

2Heinrich Nellen  14.04.2015 13:33:39  New Version of KyrTool crashes using the "show certs" command


"show keys" works, "show certs" leads to panic

3Daniel Nashed  15.04.2015 11:06:45  New Version of KyrTool released

New Key tool v1.1 works for me with "show certs".

I see no problem here. Tested with Notes Client FP3 with current IF installed

Not sure which exact version you are on. And I have no unpatched system for testing.

Can you test with a patched version? Are you getting a NSD? Can you send it by mail?

4Eric  30.11.2019 19:50:19  New Version of KyrTool released

Hi, do you known a new location to download this tool?

IBM website is not available yet.

Thank you.

5Daniel Nashed  02.12.2019 22:39:58  New Version of KyrTool released

@Eric, the kyrtool is part of the Domino 10 and higher servers

I didn't find a separate download on FlexNet for the kyrtool.

-- Daniel

6Vaibhav  05.05.2020 9:49:24  New Version of KyrTool released

Hi Daniel,

Any idea how can generate CSR cert request for SHA2 on Domino 9.0.1? as I believe this tool is not a part in this release and all the download links for this tool are no more working.

7Daniel Nashed  05.05.2020 17:04:13  New Version of KyrTool released

Hi Vaibhav,

the kyrtool is now part of the server install since Domino 10.

And you create keys with openssl for example.

I posted some info on my blog and we have a script in our Docker project if you are a Linux guy.

There are many ways to create a private/public key and create a CSR.

It also depends on the CA you are using.

The only cert database isn't working any more but it's on the list for the next version to have something easier ..

My option currently is openssl.. if you need more details how it works.

-- Daniel



    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]