Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...


Daniel Nashed


Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

Daniel Nashed  2 December 2014 09:52:36
Now that more and more customers are using the new keyring tool we run into interesting constellations.
Microsoft uses binary formats instead of the ascii based PEM format that the keyring tool requires.

Openssl does not only help you to create the key and the certficates. You can also use it to convert the certificate formats.

I have written a short step by step short documentation for my customer including some troubleshooting steps and tricks.

To keep it short I have left out the results from the commands. But you find this information in the official IBM documentation (

-- Daniel

Short Description Creating a Domino Keyring File with the new Keyring Tool and a Windows CA using Binary Formats

First of all you have to find a machine with openssl installed. The most easy way would be to log into any type of Linux machine with a current openssl version installed.
But there are also Windows implementations.

Create Private/Public Key

In the first step you create a private public key using the standard openssl command-line.

openssl genrsa -out server.key 4096

Create Certificate Request

In the next step you create a certificate request and have it processed by your CA.

The command-line will prompt you for country, organisation name etc and the name of your server.

That would be the DNS name of the server for example "" or in case you want to generate a wildcard certficate "*"

openssl req -new -sha256 -key server.key -out server.csr

Convert Binary Certificate Files to PEM Format

The Domino kyrtool requires the text based PEM format but the Microsoft CA does generate binary files.

The following commands can be used to convert the formats.

First of all you convert the server certificate to from binary DER format to text based PEM format:

openssl x509 -inform der -in server.cer -outform pem -out server.pem

In the next step you convert the certificate chain from p7b binary format to PEM format as well

openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem

Combine Key, Cert and Chain to a single file

The most easy way to import all certificates you combine all parts into a single PEM formatted file.

The order in the file must match leave to root order. In most cases you just copy all party into a single file.

copy server.key+server.pem+chain.pem all.pem

Now you have all parts in a single file in the right order.

Note: In some cases the server certificate is already in the chain file. In that case you have to ensure that the certificate is only listed once

Create Keyring File

Download and install the new kyrtool -- just copy it into the Notes program directory.

Afterward just create a new keying file and set a password.

Note: Password only has to be entered the first time you access the keyring afterwards it is automatically read from the sth file.

c:\Notes\kyrtool.exe create -k c:\cert\mykeyring.kyr -p SecurePassword

Import Key, Cert and Chain

In the next step you just import all parts we added to the single file into your keyring.

c:\Notes\kyrtool.exe import all -k c:\cert\mykeyring.kyr -i c:\cert\all.pem

Troubleshooting / Verification

There are two interesting options that might be helpful.

First of all before you import the certificates you can verify the file is complete and all certificates in the chain are present and matching.

C:\Notes\kyrtool.exe verify c:\cert\all.pem

The result be as follows:

- A private key should be present

- The should be no missing certs in the chain or mismatches

- The last certificate in the chain is self-singed (root certificate)

Another way to show the certs and dump them might be useful as well.

This command line shows you all the certs with detailed information about each part.

C:\Notes\kyrtool.exe show certs -i c:\cert\all.pem

Verify existing keyring files

If you want to verify an exiting keyfile you can combine "show certs" output into a file with a "verify" command on that output file.

The only error you should have with that verify is that the private key is missing.
That helps to verify that a keyring file has a complete chain.



    • [IBM Lotus Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]