I am going slightly mad. I have read all articles I found about the subject and all threads here. I cannot find an answer.
On paper everything looks great:
openssl genrsa -out server.key 4096
openssl req -new -sha256 -key server.key -out server.csr
Then I bought a *.company.se certificate and got a server.crt back.
I also found the intermediary and root. Everything is found on the RapidSSL homepage.
C:\Program Files\IBM\Lotus\Notes>kyrtool ="C:\Program Files\IBM\Lotus\Notes\notes.ini" verify Z:\Documents\SSL3Dec\AllINOne_win.txt
KyrTool v1.0
Successfully read 4096 bit RSA private key
INFO: Successfully read 4 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: IssuerName of cert 2 matches the SubjectName of cert 3
INFO: Final certificate in chain is self-signed
C:\Program Files\IBM\Lotus\Notes>kyrtool ="C:\Program Files\IBM\Lotus\Notes\notes.ini" show certs -i Z:\Documents\SSL3Dec\AllINOne_win.txt
Using PEM file path 'Z:\Documents\SSL3Dec\AllINOne_win.txt'
Certificate #0
Subject: CN=*.XXXXXXXXXX.se/OU=Domain Control Validated - RapidSSL(R)/OU=See www.rapidssl.com/resources/cps (c)14/OU=GT24433257
Issuer: CN=RapidSSL SHA256 CA - G3/O=GeoTrust Inc./C=US
Not Before: 2014-12-02 06:48:52
Not After: 2016-12-03 18:36:25
Key length: 4096 bits
Signature Alg: sha256WithRSAEncryption
Certificate #1
Subject: CN=RapidSSL SHA256 CA - G3/O=GeoTrust Inc./C=US
Issuer: CN=GeoTrust Global CA/O=GeoTrust Inc./C=US
Not Before: 2014-08-29 23:39:32
Not After: 2022-05-20 23:39:32
Key length: 2048 bits
Signature Alg: sha256WithRSAEncryption
Certificate #2
Subject: CN=GeoTrust Global CA/O=GeoTrust Inc./C=US
Issuer: OU=Equifax Secure Certificate Authority/O=Equifax/C=US
Not Before: 2002-05-21 06:00:00
Not After: 2018-08-21 06:00:00
Key length: 2048 bits
Signature Alg: sha1WithRSAEncryption
Certificate #3
Subject: OU=Equifax Secure Certificate Authority/O=Equifax/C=US
Issuer: OU=Equifax Secure Certificate Authority/O=Equifax/C=US
Not Before: 1998-08-22 18:41:51
Not After: 2018-08-22 18:41:51
Key length: 1024 bits
Signature Alg: sha1WithRSAEncryption
C:\Program Files\IBM\Lotus\Notes>
But: I cannot import the root. Or the intermediate. Only the keyfile was importable:
C:\Program Files\IBM\Lotus\Notes>kyrtool ="C:\Program Files\IBM\Lotus\Notes\notes.ini" create -k c:\2014.kyr -p XXXXXX
C:\Program Files\IBM\Lotus\Notes>kyrtool ="C:\Program Files\IBM\Lotus\Notes\notes.ini" import keys -k "c:\2014.kyr" -i Z:\Documents\SSL3Dec\server.key
Using keyring path 'c:\2014.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
Every time I try to import the root I get the same error:
C:\Program Files\IBM\Lotus\Notes>kyrtool.exe import roots -k C:\2014.kyr -i Z:\Documents\SSL3Dec\root.pem
Using keyring path 'C:\2014.kyr'
SEC_mpfct_ImportTrustRootToKYR returned error 0x1724
Upgrade current Notes/Domino installation for trusted root functionality
The feature you have chosen is not available in this version of Notes.
Notes is 9.0.2FP2 with the latest IF
If I put everything correctly in one file I get the dreaded AVA error:
C:\Program Files\IBM\Lotus\Notes>kyrtool.exe import all -k C:\2014.kyr -iZ:\Documents\SSL3Dec\AllINOne_win.txt
Using keyring path 'C:\2014.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey returned error 0x071e
No AVA separator was found
How to continue?
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Update 20141204
In Swedish: Det var skit bakom spakarna. (=shit behind the steering wheel)
Now I am less tired and realize that the Notes client was not properly updated to version 9.0.1 FP2 SH202 (it was in some mixed crap mode). I did a complete reinstall of Notes and the import worked.
kyrtool.exe import roots -k C:\2014.kyr -i Z:\SSL3Dec\root.pem
Using keyring path 'C:\2014.kyr'
SEC_mpfct_ImportTrustRootToKYR succeeded
kyrtool.exe import roots -k C:\2014.kyr -i Z:\SSL3Dec\intermed1.pem
Using keyring path 'C:\2014.kyr'
SEC_mpfct_ImportTrustRootToKYR succeeded
C:\Program Files\IBM\Notes>kyrtool.exe import roots -k C:\2014.kyr -i Z:\SSL3Dec\intermed2.pem
Using keyring path 'C:\2014.kyr'
SEC_mpfct_ImportTrustRootToKYR succeeded
C:\Program Files\IBM\Notes>kyrtool.exe import certs -k C:\2014.kyr -i Z:\SSL3Dec\client_win.pem
Using keyring path 'C:\2014.kyr'
SECIssUpdateKeyringLeafCert succeeded
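
The update imports each chain element from its own file, root first and leaf last. The following is an added example, not part of the original post: it splits an all-in-one PEM bundle into one file per object and lists the `kyrtool.exe import` commands in that order. It assumes the bundle is ordered key, leaf, intermediates, root (as in the `show certs` output above); the output file names and the sample bundle are hypothetical.

```python
import base64
import re
from pathlib import Path

# One PEM object: BEGIN line, base64 body, END line with the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def split_pem(text):
    """Return [(label, pem_text)] for each PEM object, with LF line endings."""
    blocks = []
    for m in PEM_RE.finditer(text):
        # Fail early on a body that is not clean base64 (raises binascii.Error).
        base64.b64decode("".join(m.group(2).split()), validate=True)
        blocks.append((m.group(1), m.group(0).replace("\r\n", "\n") + "\n"))
    return blocks

def import_plan(blocks):
    """Order objects as in the update: key, root, intermediates, leaf.
    Assumption: the bundle lists certificates leaf first and root last."""
    keys = [pem for label, pem in blocks if label.endswith("PRIVATE KEY")]
    certs = [pem for label, pem in blocks if label == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("need exactly one private key and at least one certificate")
    plan = [("keys", "server.key", keys[0])]
    for i, pem in enumerate(certs[:0:-1]):  # root first, then down towards the leaf
        plan.append(("roots", "root.pem" if i == 0 else f"intermed{i}.pem", pem))
    plan.append(("certs", "leaf.pem", certs[0]))
    return plan

def write_plan(plan, outdir, keyring):
    """Write one file per object (hypothetical names) and return the command lines."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    cmds = []
    for verb, name, pem in plan:
        (out / name).write_bytes(pem.encode("ascii"))
        cmds.append(f"kyrtool.exe import {verb} -k {keyring} -i {out / name}")
    return cmds

def _fake(label, payload):
    # Constructed placeholder object: valid PEM framing, not a real key or certificate.
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\r\n{body}\r\n-----END {label}-----\r\n"

# Constructed sample bundle with Windows line endings: key, leaf, two intermediates, root.
SAMPLE = _fake("RSA PRIVATE KEY", b"constructed key") + "".join(
    _fake("CERTIFICATE", p) for p in (b"leaf", b"intermediate A", b"intermediate B", b"root"))

if __name__ == "__main__":
    for cmd in write_plan(import_plan(split_pem(SAMPLE)), "split_out", r"C:\2014.kyr"):
        print(cmd)
```

The split only checks PEM framing and base64; whether issuer and subject names actually chain is still what `kyrtool verify` reports.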