Generating a keyring file with a self-signed SHA-2 cert using OpenSSL and kyrtool
Added by ~Joseph Nimweburings | Edited by ~Joseph Nimweburings on November 24, 2014 | Version 9
Tags: SSL, TLS, SHA-2
The following steps are the easiest to understand and to expand upon when moving to an OpenSSL-based CA or a third-party CA, because the CSR produced in step 2 is exactly what you would submit to such a CA. Alternatively, "openssl req -x509" collapses steps 2 and 3 into a single command (and, with "-newkey", step 1 as well); the result is the same kind of self-signed certificate.

Generating a self-signed certificate using OpenSSL and kyrtool

1. Generate an RSA keypair

[~]$ openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................................................++
...................................................................++
e is 65537 (0x10001)

The resulting key must not be password protected, because it is imported into the keyring as plain PEM in step 5. An unencrypted private key on disk is not good security practice, so only perform these steps for production systems on a restricted-access host believed to be secure, keep the file readable by its owner only, and delete every copy once the keyring has been created and backed up. The resulting key should look like the following:

[~]$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
5EmUfjZ/LDMDqnmFxTDvr2iiajZI/L/8thgwBEK2AEGhCppyvyo/mzvMua9j7I8G
[Many lines removed]
tuEe3JGUnHaWetQYOU6PmTKIgPpd3disflCJe8K1dzN8bEkQF2eZk/oODVHSHRyC
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----

2. Generate a Certificate Signing Request (CSR)

This step prompts you for the information that should appear in your final certificate (the Distinguished Name), bundles it with the public half of the RSA keypair just generated, and signs the request with the private half so that whoever issues the certificate (here, you) can check that the requester holds the key. In this example every field is left blank except the Common Name, which is set to the DNS name of the SSL server. Note the "-sha256": the OpenSSL versions current when this article was written (1.0.x) default to SHA-1, and although OpenSSL 1.1.0 and later default to SHA-256, passing the digest explicitly makes the choice visible and auditable.

[~]$ openssl req -new -sha256 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:.
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:.
Organization Name (eg, company) [Default Company Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[~]$ cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIEbDCCAlQCAQAwJzElMCMGA1UEAwwcdWx0cmF2aW9sZXQuc3dnLnVzbWEuaWJt
LmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK/bmWGdQa62sVtQ
HTNXnHsYg9rmj8TSo0tqdqfacoFHP71Nna66o497QMm3ZDRBXMEC2P3iGXBKMB5o
[Many lines removed]
nbXBaWgJqMk71f2vU1LnNQQresCBJpzNWgjyLaTszUR6eL8JD9WxddMK/82h9QVx
uFO005u3Fa2uC+8axiMKO3sSuVsgXHQpCuSnw2jDCQoeW/C/GSswsdWVyEzHMMjD
KQTH5iQLVPWArBoE1SV/RzG8tvLqH6JxHmSG7cnrgH0=
-----END CERTIFICATE REQUEST-----

3. Create a Self-Signed Certificate

Note the "-sha256" here as well: for the OpenSSL versions current when this was written (1.0.x) the default signing algorithm is sha1WithRSAEncryption, not sha256WithRSAEncryption, and a SHA-1 certificate is what you get if the option is omitted. Also be aware that "openssl x509 -req" without "-extfile" produces an X.509 v1 certificate carrying nothing but the subject name; browsers that no longer fall back to the Common Name will not match it against the hostname, so for anything a browser must accept, supply a subjectAltName extension. Always check the signature algorithm before importing: the certificate pasted below is evidently from an earlier run than the one imported in step 5 (its serial number and validity timestamps differ, and its signature algorithm OID decodes to sha1WithRSAEncryption), whereas the certificate actually imported, shown in steps 5a and 6, is sha256WithRSAEncryption.

[~]$ openssl x509 -req -days 3650 -sha256 -in server.csr -signkey server.key -out server.pem
Signature ok
subject=/CN=www.example.com
Getting Private key

[~]$ cat server.pem
-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQCIqzNZtkev6TANBgkqhkiG9w0BAQUFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE3NDUzMFoXDTI0
MTAwNTE3NDUzMFowJzElMCMGA1UEAwwcdWx0cmF2aW9sZXQuc3dnLnVzbWEuaWJt
[Many lines removed]
lysEvJF7MuiDfgOyUn2ZfmTpDm62dXalzXnBrGcAiPo5swds+UnN68BCejptUnti
TQ4rb9iXP4Zdz6jNuUOtuhlovyJWtUF27VQSdZLoqAoCM3pNybBVAh4FpapYw4XR
c6xhntH8Y6hyyxp1er8v26M9Kg6dgNZTXo3rKtMW+I4bu+ziMYuY9/oLR8nbEj2l
93Llwb/jwgxJBVZRwhU4M1JxETQBzc19pJ0kcE94
-----END CERTIFICATE-----

4. Create a new keyring file

At this point in the example the administrator moved from the Linux box where OpenSSL was run to a Windows box to use kyrtool.exe. Whatever is copied between the two hosts (the private key, and later the concatenated file from step 5a) must travel over an authenticated, encrypted channel, and the copies on the intermediate host should be removed once the keyring exists. The password given with "-p" below is written, obfuscated, to the .sth stash file next to the keyring so that the server can open the keyring unattended; the .sth file therefore needs the same protection as the private key itself.

[C:\] kyrtool =c:\lotus\notes\notes.ini create -k c:\lotus\notes\data\keyring.kyr -p password

Keyfile c:\lotus\notes\data\keyring.kyr created successfully

[C:\Lotus\Notes\Data] dir keyring*
Volume in drive C is C_Drive
Volume Serial Number is 306D-00D5

Directory of C:\Lotus\Notes\Data

10/08/2014 02:15 PM 29,161 keyring.kyr
10/08/2014 02:15 PM 129 keyring.sth
2 File(s) 29,290 bytes
0 Dir(s) 400,743,673,856 bytes free

5. Import the RSA keypair and self-signed certificate into the new keyring file

5a. Concatenate server.key and server.pem into a single file:

How you concatenate two files into a third varies by operating system, but the result must be a single text file containing both PEM blocks intact, each with its own BEGIN and END lines, like the following:

[C:\Lotus\Notes\Data\ssl] cat server.txt
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
[Many lines removed]
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQDa3d9OQUIsWzANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE4MzQ0NloXDTI0
[Many lines removed]
qddsfWubEwoMYKevnV8u9EFp7f0RONGqp93iU9O5jYPdrcB+RryT7bwErDTQKjua
ZAcuoKnUrnXiGIiq/dkXg2Umaf9Quewz0ow7BrCW
-----END CERTIFICATE-----

5b. Verify the input file:

[C:\] kyrtool =c:\lotus\notes\notes.ini verify c:\lotus\notes\data\ssl\server.txt

KyrTool v1.0

Successfully read 4096 bit RSA private key
INFO: Successfully read 1 certificates
INFO: Private key matches leaf certificate
INFO: Final certificate in chain is self-signed

5c. Import the keypair and self-signed certificate:

[C:\] kyrtool =c:\lotus\notes\notes.ini import all -k c:\lotus\notes\data\keyring.kyr -i c:\lotus\notes\data\ssl\server.txt

Using keyring path 'c:\lotus\notes\data\keyring.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded

6. Examine the resulting keyring file

[C:\] kyrtool =c:\lotus\notes\notes.ini show keys -k c:\lotus\notes\data\keyring.kyr

Using keyring path 'c:\lotus\notes\data\keyring.kyr'

Key length: 4096 bits

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr9uZYZ1BrraxW1AdM1ec
exiD2uaPxNKjS2p2p9pygUc/vU2drrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9U
[Many lines removed]
u4cjcmMILbXNul+sXFGx1TcIlZ2/vmwb1XO0GVKFLS5cjYhcRrdbyV5JfVVawQpG
xmWG4e18WWnc0bMt1ovVXQMCAwEAAQ==
-----END PUBLIC KEY-----

Key length: 4096 bits

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAr9uZYZ1BrraxW1AdM1ecexiD2uaPxNKjS2p2p9pygUc/vU2d
rrqjj3tAybdkNEFcwQLY/eIZcEowHmhH0b9Ut5EOsMMxkB4vUHg6gWmse64wr2qx
[Many lines removed]
7Rw9zpLxTJmbd3iWW3+ZVHhpudYZrDE8NbaaiGMbfyfQBnSH1XbDHSveTxLOY3fo
+d9lePMThdnmme6b1v8X4sCuDKrFjoV5Veo4Qq8I+099hu3tTRq2zGpNPsg=
-----END RSA PRIVATE KEY-----

[C:\] kyrtool =c:\lotus\notes\notes.ini show certs -k c:\lotus\notes\data\keyring.kyr

Using keyring path 'c:\lotus\notes\data\keyring.kyr'

Server certificate #0

Subject: CN=www.example.com
Issuer: CN=www.example.com
Not Before: 10/08/2014 02:34:46 PM
Not After: 10/05/2024 02:34:46 PM
Key length: 4096 bits
Signature Alg: sha256WithRSAEncryption

-----BEGIN CERTIFICATE-----
MIIEyjCCArICCQDa3d9OQUIsWzANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDDBx1
bHRyYXZpb2xldC5zd2cudXNtYS5pYm0uY29tMB4XDTE0MTAwODE4MzQ0NloXDTI0
[Many lines removed]
qddsfWubEwoMYKevnV8u9EFp7f0RONGqp93iU9O5jYPdrcB+RryT7bwErDTQKjua
ZAcuoKnUrnXiGIiq/dkXg2Umaf9Quewz0ow7BrCW
-----END CERTIFICATE-----

7. Copy over your new keyring file and start the Domino server

Back up your old .kyr and .sth files, shut down the server, copy over your new keyring and stash files, restart the server, and then confirm from a client that the certificate being served is the new one (same subject, validity dates and sha256WithRSAEncryption signature algorithm as shown by "kyrtool show certs" in step 6).
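As an added example (not part of the original article, and not HCL's or the author's code), here is the OpenSSL half of the procedure (steps 1 to 3 and the concatenation of step 5a) as a POSIX shell script, together with the checks worth running before the file goes anywhere near kyrtool and the step-7 check of what the restarted server actually presents. It goes beyond the article in one respect: it adds a subjectAltName, basicConstraints and extendedKeyUsage extension file, because a CN-only X.509 v1 certificate as produced in step 3 is rejected by browsers that no longer fall back to the Common Name. It also converts the key to the PKCS#1 "BEGIN RSA PRIVATE KEY" encoding that the article's kyrtool output shows, since OpenSSL 3 writes PKCS#8 by default. Assumptions that are this example's own and not from the article: an openssl binary on PATH (1.0.x or later), the hostname www.example.com, the extension values, and all function names.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes: openssl on PATH
# (1.0.x or later, OpenSSL 3 handled), hostname www.example.com as in the
# article; extension values and function names are this example's own.
set -eu

# Steps 1-3: key, CSR and self-signed certificate, all SHA-256, into $1.
# Usage: make_selfsigned_cert DIR HOST [BITS] [DAYS]
make_selfsigned_cert() {
    dir=$1; host=$2; bits=${3:-4096}; days=${4:-3650}
    umask 077                                   # key material: owner-only from the start
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
    # OpenSSL 3 writes PKCS#8; kyrtool's output in the article shows PKCS#1, so
    # convert where the option exists (OpenSSL 1.x rejects it and is already PKCS#1).
    if openssl rsa -in "$dir/server.key" -traditional -out "$dir/server.key.tmp" 2>/dev/null; then
        mv "$dir/server.key.tmp" "$dir/server.key"
    else
        rm -f "$dir/server.key.tmp"
    fi
    openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr"
    # Extensions the bare "openssl x509 -req" in step 3 does not add (assumed values).
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
    # Step 5a: kyrtool reads key and certificate from one PEM file.
    cat "$dir/server.key" "$dir/server.pem" > "$dir/server.txt"
}

# Prints the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Succeeds if certificate $1 carries a DNS subjectAltName for host $2.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeeds if private key $1 belongs to certificate $2 (same SubjectPublicKeyInfo).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# The checks to run before copying server.txt to the kyrtool host: SHA-2 signature,
# SAN present, key/cert match (kyrtool verify checks only the last of these).
preflight() {
    dir=$1; host=$2
    alg=$(cert_sig_alg "$dir/server.pem")
    case $alg in
        sha256*|sha384*|sha512*) ;;
        *) echo "refusing: signature algorithm is $alg" >&2; return 1 ;;
    esac
    cert_has_dns_san "$dir/server.pem" "$host" || { echo "refusing: no SAN for $host" >&2; return 1; }
    key_matches_cert "$dir/server.key" "$dir/server.pem" || { echo "refusing: key/cert mismatch" >&2; return 1; }
    echo "ok: $alg, SAN for $host, key matches certificate"
}

# Step 7 follow-up: the certificate the restarted server really presents.
# Usage: served_cert HOST [PORT]
served_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates -fingerprint -sha256
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_selfsigned_cert "$d" www.example.com
    preflight "$d" www.example.com
    echo "material in $d; copy server.txt to the kyrtool host over a secure channel"
fi
```

Run it as "sh script.sh run" to produce server.key, server.csr, server.pem and server.txt in a fresh directory and to see the preflight verdict; after step 7, "served_cert www.example.com" should show the same subject, dates and a sha256WithRSAEncryption certificate whose fingerprint matches "openssl x509 -in server.pem -noout -fingerprint -sha256".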
