Creating SSL Certificate for Domino: 2020 Edition

Or TLS, etc… haha

This is a question that comes up often and I have been meaning to post the commands that I use to do this these days. In a nutshell, you need the KyrTool (originally from IBM, now distributed by HCL) and OpenSSL installed. The commands below assume Windows, but should be fairly platform agnostic. For the KyrTool, if you're using Windows with Lotus Notes 32-bit, you should unzip the kyrtool.exe file into the Notes Program Directory. It may appear to be a lot, but it's really straightforward!

For New Certificate Requests

  1. Go to the OpenSSL bin directory in a command prompt window
  2. openssl genrsa -out "c:\temp\hostname\keyfile_hostname.key" 4096 (This generates a 4096-bit RSA private key. It is written to disk unencrypted, so keep the file somewhere only you can read it; it is the secret the KYR file will contain.)
  3. openssl req -new -sha256 -key "c:\temp\hostname\keyfile_hostname.key" -out "c:\temp\hostname\keyfile_hostname.csr" (This creates a Certificate Signing Request, signed with SHA-256, from the key created in step 2. It prompts for the locale and subject information: country, state, organization and the Common Name, which should be the server's fully qualified hostname.)
  4. Open the CSR in a text editor and remove any blank line at the end of the file. GoDaddy in particular rejects a CSR with a trailing blank line. The last line should be the one reading -----END CERTIFICATE REQUEST-----
  5. Send your CSR to your Certificate Provider
  6. You’ll soon receive the certificate file(s) back from your Certificate Provider (This usually contains the Server Certificate file as well as an intermediary/trusted root certificate bundle)
  7. Go to the Notes Program Directory in a command prompt window
  8. kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" create -k "c:\temp\hostname\keyfile_hostname.kyr" -p P@ssword2020 (Replace P@ssword2020 with a password of your own. This generates the Domino KYR keyring file and the STH stash file. The STH holds the keyring password so that the HTTP task can open the keyring unattended, so protect it like the private key. Both go into the server's data directory later.)
  9. Import the key, the CA bundle, and the server certificate into the KYR, in this order. The certificate import is checked against the key already in the keyring, so a wrong or mismatched key shows up as a failure at step 9.3.
    1. kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import keys -k "c:\temp\hostname\keyfile_hostname.kyr" -i "c:\temp\hostname\keyfile_hostname.key"
    2. kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import roots -k "c:\temp\hostname\keyfile_hostname.kyr" -i "c:\temp\hostname\gd_bundle-g2-g1.crt" (This is the intermediate/root bundle from your provider; gd_bundle-g2-g1.crt is GoDaddy's name for it. Use whatever bundle your provider sent.)
    3. kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import certs -k "c:\temp\hostname\keyfile_hostname.kyr" -i "c:\temp\hostname\ServerCertificate.crt"
  10. Optional: verify the keys: kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" show keys -k "c:\temp\hostname\keyfile_hostname.kyr"
  11. Optional: verify the certificates: kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" show certs -k "c:\temp\hostname\keyfile_hostname.kyr" (Check that the subject, issuer and expiry date shown belong to the certificate you just imported.)
  12. Copy the KYR and STH files into your Domino server's data directory. You should also have an Internet Site document in the Domino Directory for the website whose SSL key file setting points to this file (or, if you are not using Internet Site documents, the Server document's Internet Ports settings).
  13. In a Domino console window, issue the following command: TELL HTTP REFRESH
  14. Test by browsing to the site over HTTPS and checking the certificate the browser shows: the subject and expiry date should be those of the new certificate, and the chain should be complete, with no warning about an unknown issuer.

For Certificate Renewal Requests

Once you’ve done the above, you will be able to easily renew the certificate by just going to your Certificate Provider’s portal and choosing the option to renew the certificate. Then you just need to do the following:

  1. Copy the KYR file to your local computer.
  2. With the certificate file(s) received from the renewal, just do step 9.3 above to add the renewed certificate:
    1. kyrtool ="C:\Program Files (x86)\IBM\Notes\notes.ini" import certs -k "c:\temp\hostname\keyfile_hostname.kyr" -i "c:\temp\hostname\ServerCertificate.crt"
  3. Copy the KYR file back into your Domino server's data directory.
  4. In a Domino console window, issue the following command: TELL HTTP REFRESH
  5. Test by going to the site and validating that it's secure.

This shortcut only works when the renewal is issued against the same CSR, so that the new certificate still matches the private key already in the KYR. If you generate a new key and CSR for the renewal (or your provider requires a re-key), repeat steps 8 and 9 in full instead. If your provider's intermediate certificates have changed since the original issuance, re-run step 9.2 with the new bundle before step 9.3.
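The new-request procedure and the renewal steps above share the same pre-import sanity checks, so here is one added example covering both; it is not code from the original post. It reproduces steps 2 to 4 with OpenSSL in a POSIX shell rather than the Windows command prompt, builds a throwaway root and intermediate CA to stand in for the commercial provider so that it runs offline, and then runs the checks worth doing on a returned ServerCertificate.crt and bundle before any kyrtool import: that the certificate's public key matches the .key you generated, that the chain verifies against the bundle, that the certificate is not about to expire, and, for a renewal, that the new file really is a different certificate from the one already in the KYR. Hostnames, subjects, paths and the provider CA are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Mirrors steps 2-4 of the new-request
# procedure and adds the checks worth running on the files a provider returns, before
# "kyrtool import": key/certificate match, chain verification against the bundle,
# expiry, and, for a renewal, that the new file is not the old certificate again.
# The "provider" is a throwaway root -> intermediate CA built here so it runs offline.
# Paths, hostnames and subjects are constructed; use your own.
set -eu

# Steps 2 and 3: 4096-bit RSA key and a SHA-256 CSR. -subj replaces the interactive prompts.
make_key_and_csr() {   # $1 = work dir, $2 = hostname, $3 = subject, e.g. "/C=US/O=Org/CN=host"
    openssl genrsa -out "$1/keyfile_$2.key" 4096 2>/dev/null
    chmod 600 "$1/keyfile_$2.key"     # stored unencrypted: this is the secret the KYR will hold
    openssl req -new -sha256 -key "$1/keyfile_$2.key" -subj "$3" -out "$1/keyfile_$2.csr"
}

# Step 4: remove trailing blank lines so the file ends with the END line some portals insist on.
trim_csr() {   # $1 = CSR path; returns 0 when the last line is the END marker
    awk 'NF { for (; blank > 0; blank--) print ""; print; next } { blank++ }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
    [ "$(tail -n 1 "$1")" = "-----END CERTIFICATE REQUEST-----" ]
}

# The returned certificate must carry the public key of the .key you are about to import.
key_matches_cert() {   # $1 = private key, $2 = certificate
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Chain check against the provider bundle. If the bundle holds intermediates only (as
# commercial bundles usually do), use "-untrusted bundle" instead so the system trust
# store supplies the root.
chain_verifies() {   # $1 = certificate, $2 = bundle containing intermediate(s) and root
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

not_expiring_within() {   # $1 = certificate, $2 = days; returns 0 when it outlives that window
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Renewal: confirm the file you are about to import differs from the one already in the KYR.
is_renewed() {   # $1 = certificate currently in the KYR, $2 = renewed certificate
    [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]
}

# ---- constructed stand-in for the certificate provider (root -> intermediate -> leaf) ----
build_fake_ca() {   # $1 = work dir; writes root.crt, int.crt/int.key and bundle.crt
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\n' > "$1/ca.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' >> "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root" -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null
    cat "$1/int.crt" "$1/root.crt" > "$1/bundle.crt"   # same shape as a provider's CA bundle
}

issue_cert() {   # $1 = work dir, $2 = hostname, $3 = validity in days, $4 = output file name
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$2" > "$1/leaf.ext"
    openssl x509 -req -in "$1/keyfile_$2.csr" -CA "$1/int.crt" -CAkey "$1/int.key" -CAcreateserial \
        -days "$3" -sha256 -extfile "$1/leaf.ext" -out "$1/$4" 2>/dev/null
}

check() {   # run a predicate, report it, stop at the first failure
    if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; exit 1; fi
}

run_demo() {
    w=$(mktemp -d); host=www.example.test
    build_fake_ca "$w"
    make_key_and_csr "$w" "$host" "/C=US/O=Example Org/CN=$host"
    check trim_csr "$w/keyfile_$host.csr"
    issue_cert "$w" "$host" 397 ServerCertificate.crt            # first issuance
    check key_matches_cert "$w/keyfile_$host.key" "$w/ServerCertificate.crt"
    check chain_verifies "$w/ServerCertificate.crt" "$w/bundle.crt"
    check not_expiring_within "$w/ServerCertificate.crt" 30
    issue_cert "$w" "$host" 397 Renewed.crt                      # renewal, same key and CSR
    check is_renewed "$w/ServerCertificate.crt" "$w/Renewed.crt"
    rm -rf "$w"
}
run_demo
```

If show certs still lists the old certificate after a renewal import, the is_renewed comparison is the first thing to run: a fingerprint equal to the old certificate's means the file you imported was the old one. With a real provider bundle, which usually carries only the intermediates, verify with openssl verify -untrusted bundle.crt ServerCertificate.crt so that the root comes from the system trust store.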

An Automated Approach

One other solution that many are using is Let’s Encrypt. There is a utility to do this for Domino available here: https://www.midpoints.de/en-solutions-LE4D. I have not used this, personally, but it is another great option!

If you have any questions, feel free to comment below! Thanks!

10 thoughts on “Creating SSL Certificate for Domino: 2020 Edition”

  1. Hello,
    Getting “Import Key pDN CN=example.com/O=FakeDomain” when importing keys to .kyr file (STEP 9). I have entered correct details while creating CSR. Any idea?


  2. Hi, This is from command prompt:

    C:\Program Files (x86)\IBM\Notes>kyrtool import keys -k "C:\temp\CertKeys\keyfile_X.kyr" -i "C:\temp\CertKeys\keyfile_X.key"

    Using keyring path ‘C:\temp\CertKeys\keyfile_X.kyr’
    Successfully read 4096 bit RSA private key
    Import Key pDN CN=example.com/O=FakeDomain
    SECIssUpdateKeyringPrivateKey succeeded


    1. Ahh… I believe that I have seen that. I think it is a bug with the way that the kyrtool generates its output. You should be good to proceed to steps 9.2 and 9.3. If there was a problem with the key that you input, then step 9.3 would fail.


  3. Ohh great. Yes, I actually completed the next steps successfully but was having doubts about whether that is something to worry about.
    Thanks a ton.
    Just to update: KyrTool is no longer available on IBM Fix Central. I found it on
    https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0074766&sys_kb_id=8ea76f161bca845883cb86e9cd4bcb82

    One more question: any idea how to find and remove an existing SHA1 cert added on the Domino server previously (linked to the scontroller process)? I cannot find any previous KYR/STH files and do not have any other details than the port and CN for the cert.


  4. Thank you for sharing this information. Invaluable that I don’t have to do ALL of the steps again that I performed the first time I did this.

    Carleen
    Domino Developer and Reluctant Domino admin


  5. Are there any changes I need to make in the procedure since going to Notes 10? I followed our past procedure (using Domino 9) and it failed. It's exactly like yours above except the import order... The order I've been doing is roots, keys, then certs (which has worked in the past).


  6. I tried to renew a certificate using step 9.3. It says “SECIssUpdateKeyringLeafCert succeeded”, but when I issue the show certs command, it keeps showing the old server certificate that will expire. Only the intermediate and root certificate are updated. It seems to ignore the actual server certificate but gives no warning or error. Anything I can check?

