The following article my help you with the creation of SHA-256 keyring files for IBM Domino.
Step 1: Verify prerequisites
- IBM Domino 9.0.1 FP2 IF1 or higher (for SHA-256 support)
- IBM Domino kyrtool installed (http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ELotus&product=ibm/Lotus/Lotus+Domino&release=126.96.36.199&platform=All&function=fixId&fixids=KYRTool_9x_ClientServer&includeSupersedes=0&source=fc)
- Access to a Mac OS X or Linux workstation (for OpenSSL command line tool)
Step 2: On workstation with Mac OS X or Linux
- Generate RSA 4096 private and public keys and save them in “server.keys”.
cd /tmp openssl genrsa -out server.keys 4096
- Create a certificate signing request (CSR) for submission to the certificate authority (CA) and save this CSR in “server.csr”.
cd /tmp openssl req -new -sha256 -key server.keys -out server.csr
- Submit the generated CSR file “server.csr” to the CA.
- Download the CA signed certificate with the complete certificate chain as file “server.pem”.
- Concatenate the file “server.keys” with the file “server.pem” and save the result as “server.txt”
cd /tmp cat server.keys server.pem >server.txt
- Copy the file “server.txt” to the windows workstation (for Step 3)
Step 3: On workstation with Windows (client or server)
- Create a new Domino keyring file “keyfile.kyr” and the password file “keyfile.sth”.
cd /temp kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini create -k keyfile.kyr -p keyring-password
- Import the concatenated file “server.txt” from step 2 into the keyring file
cd /temp kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini import all -k keyfile.kyr -i server.txt
Step 4: Verify the keyring file
- Verify the private/public key
cd /temp kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini show keys -k keyfile.kyr
- Verify the certificates
cd /temp kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini show certs -k keyfile.kyr
Step 5: Install and activate the keyring file
- Copy the keyring files “keyfile.kyr” and “keyfile.sth” to the Domino data directory
- Configure the internet sites using the keyring files
- Restart the Domino server
If you need to convert a P12 (PKCS) file, make sure you use the “-nodes” parameter. If omitted, the private key in the resulting PEM file will be DES encoded, which KyrTool is not able to process.
openssl pkcs12 -in file.p12 -out file.pem -nodes