IBM Support

Merge Wildcard SSL PFX file for Domino SSL using OpenSSL and kyrtool

Question & Answer


How can we bypass creating a certificate signing request(CSR) for the certificate authority(CA), and create a Domino SSL keyring that uses an existing wildcard certificate?


A private key for an SSL certificate is unique to that particular key pair.

When generating the certificate signing request for a Certificate Authority(CA), a public key is part of the request, which corresponds to the private key in use.

If a different key pair is used, It will have a different private key, so the public key contained in the CA signed certificate will not match what is expected.

You must have the private key available to be able to import the certificate.


You need to get a PFX file of the wildcard certificate that you will use for Domino. This contains the private key of the certificate. You must also know the password for that PFX file. The pfx is usually a windows format.

Step 1 From the files below, You will copy the PFX file(with password) to the Bin folder of my OpenSSL. Rename the PFX file to: "wildcard.pfx"

In CMD, go to the path where you installed OpenSSL, under bin folder do this commands:

"openssl pkcs12 -in wildcard.pfx -nocerts -out key.pem -nodes" -This command will generate the PEM file that will be used to create the server.key

"openssl pkcs12 -in wildcard.pfx -nokeys -out cert.pem" -This command will generate the PEM files used for the merging of certificates

"openssl rsa -in key.pem -out server.key" -This will generate the server.key to be used for concatenation

"type server.key cert.pem>server.txt" -This will create the server.txt that will be imported in the keyring


Step 2. Create a new keyring file using the kyrtool.
Go to the path of your Notes/Domino Program directory where you placed the kyrtool and type in the command as shown below.
In this screenshot, the kyrtool is placed inside the Domino program directory.

Step 5.

Step 5a Place the "server.txt"(from the Bin folder of your OpenSSL) where the keyring is stored. From Step 2, the keyring is stored inside the "C:\ drive"

Step 5b. Verify using the command as shown below

Step 5c. Import the keypair and the certificate using the command below

Step 6. Examine the resulting keyring file

Step 7. Copy over your new keyring and sth file from the "C:\ drive" to Domino Data directory
Back up your old .kyr and .sth files, copy over your new keyring and stash files, update the keyring file names in the server document/internet site and restart the task http.

Internal Use Only

This issue has been reported to Quality Engineering as an enhancement request SPR# NORK5SRMLS. Currently Domino does not provide functionality for exporting private keys from the key ring file on a Domino server. Domino can't use Wildcard SSL certificates from other non-Domino servers if the Certificate Signing Request doesn't come from Domino itself. The steps above help you use these SSL certificates by bypassing the CSR process.

Wildcard SSL certificates(private and public keys) from non-Domino servers can be exported so that Domino can import them in a keyring via the KYRTool

[{"Product":{"code":"SSKTMJ","label":"IBM Domino"},"Business Unit":{"code":"BU003","label":"Collaboration Solutions"},"Component":"Web Server","Platform":[{"code":"PF033","label":"Windows"}],"Version":"9.0.1;9.0","Edition":"Social Edition;All Editions"}]

Document Information

Modified date:
07 September 2018