This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jul 22, 2015, 4:40 AM
32 Posts
Resolved

Move a Keyring & Certificates from IHS to KYRTool?

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: IHS,KYRTool,TLS,SSL,SSL SHA1 SHA2
  • Replies: 5

With IBM having announced that support for IHS on Domino will be withdrawn "sometime soon" we have moved to using the KYRTool for Keyring and Certificate Management (why IBM can't make a tool like IKeyMan for Domino is beyond me, but I digress). 

To save some time I was hoping to use the already created IKeyMan Keyring and Certificates but can't find any information on this. 

I have found information on re-using an older "Server Certificate Admin" type Keyring but this is not relevant (it's in the PDF at this link Ask the Experts SSL).

I think this will not be possible but any ideas gratefully received. 

Jul 22, 2015, 1:28 PM
191 Posts
Some info
All you really need to do is export the certificates from your existing key store, create a new keyfile with kyrtool, and then use the kyrtool import function to import the exported certs. The export step will be through ikeyman's GUI interface. The other steps are documented here:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/kyrtool
Jul 23, 2015, 1:44 AM
32 Posts
Not working for me

So, in Ikeyman I "extracted" the certificate into an .ARM file as Base64 ASCII. I then created a new Keyring, imported my root certificates and then imported the extracted certificate.

All good so far.

Now I need to import the Server Key. I tried exporting the keys to various formats using Ikeyman Export/Import but it also creates a stash file with a password and I can't select .KEY as a format. I can't import any of these. Error is:

No private key found in the input file
ReadPEMPrivateKey returned error 0x1731
The cryptographic key was not found

Ideas?

 

Jul 23, 2015, 1:51 PM
191 Posts
Is that error from ikeyman?
My first thought is to suggest you just create a new server key. Since there is no historical data that is bound to the old key (in contrast to a Notes keypair, for example), you can just create a new one at any time. That probably gets you where you want to be faster. If you don't want to do that for some reason, can you post the exact steps you are performing that lead to the error?
Jul 30, 2015, 1:27 AM
32 Posts
Workaround

The resolution was to export the key as PKCS12 .p12 and send it to the Security team who worked their magic on it and exported a .PEM file that I could then import.
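
The PKCS#12-to-PEM step described in the workaround above, as an added example that is not part of the original posts: it converts the .p12 with OpenSSL and then checks that the resulting PEM really contains a private key matching its certificate, which is the condition behind the "No private key found in the input file" error. The function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function and file names are hypothetical.

# p12_to_pem IN.p12 OUT.pem PASSFILE
# Writes the certificates and the UNENCRYPTED private key to OUT.pem.
# The password is read from a file so it does not show up in the process list.
p12_to_pem() {
    # umask 077: the output holds a clear-text key, so owner-only access.
    # OpenSSL 3.x may additionally need -legacy for older PKCS#12 ciphers.
    ( umask 077
      openssl pkcs12 -in "$1" -passin "file:$3" -nodes -out "$2" )
}

# pem_check FILE.pem
# Returns 0 when FILE.pem holds a readable private key whose public half
# equals the public key of the first certificate in the file.
# 1 = no key block, 2 = no certificate block, 3 = unreadable, 4 = mismatch.
pem_check() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || {
        echo "$1: no private key block (certificate-only export?)" >&2
        return 1
    }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "$1: no certificate block" >&2
        return 2
    }
    # "-passin pass:" supplies an empty password so openssl never prompts.
    pc_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || {
        echo "$1: private key unreadable or still encrypted" >&2
        return 3
    }
    pc_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || {
        echo "$1: certificate unreadable" >&2
        return 3
    }
    [ "$pc_key" = "$pc_crt" ] || {
        echo "$1: private key does not match the certificate" >&2
        return 4
    }
    return 0
}
```

A file that passes `pem_check` still carries an unencrypted key, so delete it securely once the keyring import has succeeded.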

Aug 4, 2015, 6:42 PM
94 Posts
Converting between formats using OpenSSL
