Configure the server keyring file
The keyring file is a Domino-specific container that holds the private key and certificate for one or more services running on a Domino server. The keyring file also holds the certificates of external services which are trusted to work with the Domino server.
The administration tool that operates on the keyring file is the kyrtool, which ships with Domino.
For this document we installed Domino in the default directory (c:\Program Files\HCL\Domino) and we continue to use the c:\certs directory.
The following commands show:
- How to add the Domino server program directory to PATH so the tool can run without entering the full path.
- How to run the kyrtool to display the help text.
c:\certs>set PATH=%PATH%;c:\Program Files\HCL\Domino
C:\certs>kyrtool -h
KyrTool v1.2.0
kyrtool [=/path/to/notes.ini] command [subcommand] [flags]
Commands:
create Create a new keyring file
delete Delete a root in a keyring file
import Import into a keyring file
show Show information about a keyring or PEM file
verify <path> Verify the content of a PEM import file
Use 'kyrtool [command] -h' to view help for each command.
The keyring password is stored in the STH file and will be
automatically read when using an existing keyring file.
Create the server keyring file
Use the following command to create a new keyring file, appsdb1.kyr, in the Domino data directory. The command also creates the appsdb1.sth file, which contains an encrypted form of the password to the keyring. Domino requires both files.
The value specified with the -p 1234 option is the password to the keyring file.
C:\certs>kyrtool.exe create -k appsdb1.kyr -p 1234
Keyfile appsdb1.kyr created successfully
Import the server private key and certificate chain into the keyring file
The import step requires that the import data be presented in a specific manner:
- The private key must be in an unencrypted form
- The private key and certificate chain must be in one file
Use the following command to create the unencrypted version of the server's private key. The server's private key is in the file appsdb1.key and is protected with the password 1234. The command creates the unencrypted private key in the file appsdb1-open.key.
C:\certs>openssl rsa -passin pass:1234 -in appsdb1.key -out appsdb1-open.key
Use the following command to concatenate the contents of the following files into one file, named temp.dat:
- appsdb1-open.key - the unencrypted form of the server's private key
- appsdb1.crt - the signed server certificate
- internalca.crt - the certificate of the CA that signed the server certificate
C:\certs>copy appsdb1-open.key+appsdb1.crt+internalca.crt temp.dat
appsdb1-open.key
appsdb1.crt
internalca.crt
1 file(s) copied.
Use the kyrtool to import the contents of temp.dat into the keyring like this:
C:\certs>kyrtool.exe import all -i temp.dat -k appsdb1.kyr
Using keyring path 'appsdb1.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey succeeded
SECIssUpdateKeyringLeafCert succeeded
It is safe, and good practice, to delete the temporary files temp.dat and appsdb1-open.key.
C:\certs>del temp.dat appsdb1-open.key
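A pre-flight check of temp.dat against the two import requirements above, as an added Python example that is not part of this page or of kyrtool. The sample bundles are constructed placeholders, and the fingerprint format (base64 of the SHA-256 of the DER certificate) is an assumption made so the result can be compared against the Fingerprint lines printed by kyrtool show certs.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def make_pem(label, raw):
    """Wrap bytes in a PEM block; used only to build the constructed samples."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(raw).decode()}\n-----END {label}-----\n"

# Constructed stand-ins for appsdb1-open.key + appsdb1.crt + internalca.crt;
# the bodies are placeholder bytes, not real key or certificate material.
GOOD_BUNDLE = (make_pem("RSA PRIVATE KEY", b"constructed-open-key")
               + make_pem("CERTIFICATE", b"constructed-appsdb1-leaf")
               + make_pem("CERTIFICATE", b"constructed-internalca"))
# Same bundle but with the key still password-protected (what you get if the
# 'openssl rsa' step was skipped): traditional PEM encryption headers.
ENCRYPTED_BUNDLE = GOOD_BUNDLE.replace(
    "-----BEGIN RSA PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

def cert_fingerprint(body):
    """base64(SHA-256(DER)). Assumed to be the format of the 44-character
    Fingerprint line printed by 'kyrtool show certs'; an assumption, not documented."""
    der = base64.b64decode("".join(body.split()))
    return base64.b64encode(hashlib.sha256(der).digest()).decode()

def check_bundle(text):
    """Pre-import check of temp.dat: returns (problems, certificate fingerprints)."""
    blocks = PEM_BLOCK.findall(text)
    keys = [(l, b) for l, b in blocks if l.endswith("PRIVATE KEY")]
    certs = [b for l, b in blocks if l == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is still encrypted; run the openssl rsa step first")
    if len(certs) < 2:
        problems.append("need the server certificate and the issuing CA certificate in this file")
    if blocks and not blocks[0][0].endswith("PRIVATE KEY"):
        problems.append("order differs from the page: private key first, then leaf, then CA")
    return problems, [cert_fingerprint(b) for b in certs]
```

Run check_bundle on the real temp.dat before the import so an encrypted key or a missing CA certificate is caught before kyrtool reports a failure.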
Inspect the certificates in the keyring file
Use the following command to inspect the certificates in the keyring file:
C:\certs>kyrtool.exe show certs -k appsdb1.kyr
Using keyring path 'appsdb1.kyr'
Certificate #0
Subject: CN=appsdb1/O=Jumbo Cloud Servers
Issuer: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Not Before: 12/04/2019 03:09:02 PM
Not After: 04/17/2021 04:09:02 PM
Public Key Alg: rsaEncryption
Fingerprint: 8pMWz5bm8E0y6tzTySJGGpAeO6JXcXXUUD1IqbFD/UE=
Key length: 4096 bits
Signature Alg: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
MIIFSDCCAzCgAwIBAgIUNi30YIkzNcwnHTK4zyeMuDFQWGUwDQYJKoZIhvcNAQEL
.... REMOVED FOR BREVITY ...
MiRDkt6lnLH20Tw6hpiKVXip2pqyFkjXoUxUfn8sVNTC8WTIG931Iq/T0Nlg9ViS
YQZC5dsCiQQWxr0x
-----END CERTIFICATE-----
Certificate #1
Subject: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Issuer: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Not Before: 11/25/2019 08:17:45 AM
Not After: 05/17/2025 09:17:45 AM
Public Key Alg: rsaEncryption
Fingerprint: iIhZiurm4FbUk1r2xJJKOsyW815JBrUZDfyK5skoz4Y=
Key length: 4096 bits
Signature Alg: sha256WithRSAEncryption
-----BEGIN CERTIFICATE-----
MIIFcTCCA1mgAwIBAgIUNlvs6565Pjk1hqOxmIm+nGeKd7AwDQYJKoZIhvcNAQEL
.... REMOVED FOR BREVITY ...
gg3zrtg=
-----END CERTIFICATE-----
Import Let's Encrypt certificate as trusted root
This step configures Domino to trust the IAM service. Domino may use IAM for OAuth Token Introspection. Additional configuration related to this service appears later in this guide.
Use the following command to import the Let's Encrypt certificate into the trust store of the keyring file. Let's Encrypt is the signer of the IAM server certificate.
C:\letsencrypt-certs\auth.jumbocloudservices.com>kyrtool import roots -k appsdb1.kyr -i rootchain.crt
Using keyring path 'appsdb1.kyr'
SEC_mpfct_ImportTrustRootToKYR succeeded
Use the following command to inspect and verify the trusted root certificates:
C:\letsencrypt-certs\auth.jumbocloudservices.com>kyrtool.exe show roots -k appsdb1.kyr
Using keyring path 'appsdb1.kyr'
Trust Anchors:
Anchor 0 (name)
CN=DST Root CA X3/O=Digital Signature Trust Co.
Anchor 0 (cert)
Subject: CN=DST Root CA X3/O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3/O=Digital Signature Trust Co.
Not Before: 09/30/2000 05:12:19 PM
Not After: 09/30/2021 10:01:15 AM
Public Key Alg: rsaEncryption
Fingerprint: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
Key length: 2048 bits
Signature Alg: sha1WithRSAEncryption
Anchor 1 (name)
CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Anchor 1 (cert)
Subject: CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Issuer: CN=DST Root CA X3/O=Digital Signature Trust Co.
Not Before: 03/17/2016 12:40:46 PM
Not After: 03/17/2021 12:40:46 PM
Public Key Alg: rsaEncryption
Fingerprint: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Key length: 2048 bits
Signature Alg: sha256WithRSAEncryption
Anchor 2 (name)
CN=Internal Certificate Authority/O=Jumbo Cloud Services
Anchor 2 (cert)
Subject: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Issuer: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Not Before: 11/25/2019 08:17:45 AM
Not After: 05/17/2025 09:17:45 AM
Public Key Alg: rsaEncryption
Fingerprint: iIhZiurm4FbUk1r2xJJKOsyW815JBrUZDfyK5skoz4Y=
Key length: 4096 bits
Signature Alg: sha256WithRSAEncryption
...
The list of trusted roots may be longer, but it should contain at least two groups of certificates: one certificate for your Internal Certificate Authority, and a second group of certificates for your well-known Certificate Authority, in this case Let's Encrypt.
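The check stated in the paragraph above, as an added Python example that is not from this page or from HCL: it parses kyrtool show roots output, confirms the internal CA and a chained public-CA group are present, and flags anchors that have already expired. The sample output is constructed from the anchors listed above, with the Not Before lines omitted.

```python
import re
from datetime import datetime

# Constructed sample of 'kyrtool show roots' output, cut down to the anchors above.
SAMPLE_ROOTS = """Trust Anchors:
Anchor 0 (name)
CN=DST Root CA X3/O=Digital Signature Trust Co.
Anchor 0 (cert)
Subject: CN=DST Root CA X3/O=Digital Signature Trust Co.
Issuer: CN=DST Root CA X3/O=Digital Signature Trust Co.
Not After: 09/30/2021 10:01:15 AM
Anchor 1 (name)
CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Anchor 1 (cert)
Subject: CN=Let's Encrypt Authority X3/O=Let's Encrypt/C=US
Issuer: CN=DST Root CA X3/O=Digital Signature Trust Co.
Not After: 03/17/2021 12:40:46 PM
Anchor 2 (name)
CN=Internal Certificate Authority/O=Jumbo Cloud Services
Anchor 2 (cert)
Subject: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Issuer: CN=Internal Certificate Authority/O=Jumbo Cloud Services
Not After: 05/17/2025 09:17:45 AM
"""
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"  # date format used in the kyrtool output above

def parse_roots(text):
    """One dict per anchor: subject, issuer and the parsed Not After date."""
    anchors = []
    for chunk in re.split(r"^Anchor \d+ \(cert\)\r?\n", text, flags=re.M)[1:]:
        f = dict(re.findall(r"^(Subject|Issuer|Not After): (.*)$", chunk, re.M))
        anchors.append({"subject": f["Subject"], "issuer": f["Issuer"],
                        "not_after": datetime.strptime(f["Not After"], DATE_FMT)})
    return anchors

def audit_roots(anchors, internal_ca_cn, as_of):
    """Expectations from the text: internal CA present, a chained public-CA group
    present; also flag anchors expired as of 'as_of' (MM/DD/YYYY)."""
    now = datetime.strptime(as_of, "%m/%d/%Y")
    subjects = {a["subject"] for a in anchors}
    findings = []
    if not any(s.startswith(f"CN={internal_ca_cn}/") for s in subjects):
        findings.append(f"internal CA '{internal_ca_cn}' is not a trust anchor")
    # A chained group is an anchor whose issuer is another anchor's subject.
    if not any(a["issuer"] != a["subject"] and a["issuer"] in subjects for a in anchors):
        findings.append("no chained public-CA group (intermediate plus its root) found")
    for a in anchors:
        if a["not_after"] < now:
            findings.append(f"expired anchor: {a['subject']} (Not After {a['not_after']:%Y-%m-%d})")
    return findings
```

Against the anchors shown above, the audit passes in early 2020 but reports both Let's Encrypt anchors as expired from late 2021 on, which is the signal to re-run the roots import with the current chain.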