Create IBM Domino keyring file with SHA-256 signed certificates

The following article my help you with the creation of SHA-256 keyring files for IBM Domino.

Step 1: Verify prerequisites

  • IBM Domino 9.0.1 FP2 IF1 or higher (for SHA-256 support)
  • IBM Domino kyrtool installed (
  • Access to a Mac OS X or Linux workstation (for OpenSSL command line tool)

Step 2: On workstation with Mac OS X or Linux

  • Generate RSA 4096 private and public keys and save them in “server.keys”.
cd /tmp
openssl genrsa -out server.keys 4096
  • Create a certificate signing request (CSR) for submission to the certificate authority (CA) and save this CSR in “server.csr”.
cd /tmp
openssl req -new -sha256 -key server.keys -out server.csr
  • Submit the generated CSR file “server.csr” to the CA.
  • Download the CA signed certificate with the complete certificate chain as file “server.pem”.
  • Concatenate the file “server.keys” with the file “server.pem” and save the result as “server.txt”
cd /tmp
cat server.keys server.pem >server.txt
  • Copy the file “server.txt” to the windows workstation (for Step 3)

Step 3: On workstation with Windows (client or server)

  • Create a new Domino keyring file “keyfile.kyr” and the password file “keyfile.sth”.
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini create -k keyfile.kyr -p keyring-password
  • Import the concatenated file “server.txt” from step 2 into the keyring file
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini import all -k keyfile.kyr -i server.txt


Step 4: Verify the keyring file

  • Verify the private/public key
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini show keys -k keyfile.kyr
  • Verify the certificates
cd /temp
kyrtool =c:\Path-To-Notes-Domino-Ini-File\notes.ini show certs -k keyfile.kyr


Step 5: Install and activate the keyring file

  • Copy the keyring files “keyfile.kyr” and “keyfile.sth” to the Domino data directory
  • Configure the internet sites using the keyring files
  • Restart the Domino server


If you need to convert a P12 (PKCS) file, make sure you use the “-nodes” parameter. If omitted, the private key in the resulting PEM file will be DES encoded, which KyrTool is not able to process.


openssl pkcs12 -in file.p12 -out file.pem -nodes