Create IBM Domino keyring file with SHA-256 signed certificates

The following article my help you with the creation of SHA-256 keyring files for IBM Domino.

Step 1: Verify prerequisites

  • IBM Domino 9.0.1 FP2 IF1 or higher (for SHA-256 support)
  • IBM Domino kyrtool installed (
  • Access to a Mac OS X or Linux workstation (for OpenSSL command line tool)

Step 2: On workstation with Mac OS X or Linux

  • Generate RSA 4096 private and public keys and save them in „server.keys“.
cd /tmp
openssl genrsa -out server.keys 4096
  • Create a certificate signing request (CSR) for submission to the certificate authority (CA) and save this CSR in „server.csr“.
cd /tmp
openssl req -new -sha256 -key server.keys -out server.csr
  • Submit the generated CSR file „server.csr“ to the CA.
  • Download the CA signed certificate with the complete certificate chain as file „server.pem“.
  • Concatenate the file „server.keys“ with the file „server.pem“ and save the result as „server.txt“
cd /tmp
cat server.keys server.pem >server.txt
  • Copy the file „server.txt“ to the windows workstation (for Step 3)

Step 3: On workstation with Windows (client or server)

  • Create a new Domino keyring file „keyfile.kyr“ and the password file „keyfile.sth“.
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini create -k keyfile.kyr -p keyring-password
  • Import the concatenated file „server.txt“ from step 2 into the keyring file
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini import all -k keyfile.kyr -i server.txt


Step 4: Verify the keyring file

  • Verify the private/public key
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini show keys -k keyfile.kyr
  • Verify the certificates
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini show certs -k keyfile.kyr


Step 5: Install and activate the keyring file

  • Copy the keyring files „keyfile.kyr“ and „keyfile.sth“ to the Domino data directory
  • Configure the internet sites using the keyring files
  • Restart the Domino server


If you need to convert a P12 (PKCS) file, make sure you use the „-nodes“ parameter. If omitted, the private key in the resulting PEM file will be DES encoded, which KyrTool is not able to process.


openssl pkcs12 -in file.p12 -out file.pem -nodes