Converting from OpenSSL to Domino KeyFile

For a proof of concept, I was working on, I had to convert a PrivateKey/SSL Certificate to an IBM Domino Keyfile Format.

Using OpenSSL, my teammate generated a Certificate Request for an SSL Certificate. Once he had the real certificate, I downloaded the private key and the certificate files from the Certificate request, so I could get them in the right format.

I named the private key Wild.key and the received certificate WildCert.cert. From there, I did the following to get it into the PKCS12 format:
openssl pkcs12 -export -inkey Wild.key -in WildCert.cert -name c2wildcard -out wild.p12

When prompted, enter a password, such as passw0rd.

Download the latest IBM iKeyMan, it’s in the IBM Http Server Package. Make sure this is the one from the most recent IBM Http Server

Now that it was in the PKCS12 format, I launched iKeyMan

Open a new Terminal Window
Type locate ikeyman
Launch ikeyman

Then I created a new Key Database file (wild.kdb)
I imported the wild.p12 database.

I saved the KeyDatabase with Stash File and password
Click File > Exit

Now, here is the trick to convert it to the Domino KYR format.
Startup your OLD Windows XP VM
Extract the zip to c:\
Run register command (as specified in the bat file)
Launch ikeyman in the bin directory for gsk5

Click File > Open
Enter the password designated above
Click File > Save As
Select KYR format

*Copy the KYR file to your Domino Server and the Stash File you just generated for the kdb.

Then follow

Steps to configure SSL on the server:
1. Verify that the key ring files created previously are in the Data directory of the Domino server.
2. Open the Server document for this server. Go to the Ports -> Internet Ports tab.
3. If necessary, change the entry in the SSL key file name field to reflect the name of the server key ring file.
4. Make sure that SSL port status is set to enabled. Optionally, to force SSL to be used for all connections, change “TCP/IP Port Status” to “Redirect to SSL.”
5. Save and close the Server document.
6. Restart the HTTP task at the server console.

Join the Conversation

1 Comment

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.