Import SSL certificates into Domino

Hello all!

I have an existing SSL-private-key, the CSR and the certificate signed by Thawte. The whole creation of the certificate did not happen within Domino’s “Server Certificate Admin”-DB, as the certificate was intended to be used by another webserver.

I now want to use this certificate with our Domino-webserver.

I created a keystore with Domino and imported Thawte’s Root-CA. I then try to import the certificate. The certificate is being recognized, but when merging the certificate into the keyring I get an error message: “No private key exists for this certificate”.

How can I import the private key into the keyring? Is it possible to get my certificate into Domino’s keyring-file?

I also tried “KeyMan” (http://alphaworks.ibm.com/tech/keyman) to manipulate the keyfile.kyr, but afterwards Domino doesn’t accept this file as valid keyring.

Can anybody give me any hints? All help is appreciated!!!

Subject: Import SSL certificates into Domino

Not possible as far as I can tell. Domino creates a keypair when you create a .kyr file, there’s no way to replace it from within the Server Certificate Administration interface, and there are no external tools that can edit a .kyr file to replace it. I’m trying to import a wildcard SSL certificate and having no luck at all…

Subject: RE: Import SSL certificates into Domino

The solution to this is to have the certificate reissued by the third-party CA.

Create a new keyring (with certsrv.nsf) and generate the CSR (using wildcard notation for the common name) then contact your third-party CA to have them reissue the cert in the different platform format.

This does not invalidate the original cert you created on the first platform. It’s only a reissue of the cert (certificate chain, expiration dates, etc. remain unchanged for the certificate).

Some third-party CAs may have restrictions on this (or charge for it maybe) but we’ve done this very thing with wildcard certificates from Thawte, Verisign and Digicert and never been charged anything for it.

Subject: Found a way to import!

IBM has provided a version of IKEYMAN that can read and write .kyr files:

http://www-01.ibm.com/support/docview.wss?rs=463&uid=swg21308138

Make sure you extract the zip file in a directory without spaces, run the batch setup file, and launch it. What I did was create a .kyr file in Domino (so it has the prepopulated root certs and a matching .sth file), then loaded it into IKEYMAN. Convert your SSL certificate and key into a PKCS12 file with the following command:

openssl pkcs12 -export -inkey cert.key -in cert.crt -out cert.p12

Then you can use the Import/Export button in IKEYMAN to import the p12 file. Exit, edit your server config document to point to the .kyr file, and you’re done. When Domino creates a key from the Server Certificate Admin database, it calls it KeyPair, but you can’t control the name IKEYMAN gives the key when you import it. Luckily, Domino’s https module doesn’t seem to care what the key is called. It accepted my imported wildcard certificate with no complaints.

Also, the technote claims that the program won’t work under Windows Server 2003, but what doesn’t work is IBM’s bundled jre-1.1.8. With a little work I extracted the jre command line and launched it with Sun’s jre-1.6.0_07 just fine. Or, you could just do the manipulation on an XP desktop machine using the bundled jre.

Subject: RE: Found a way to import!

Hey, I am facing the same problem at the moment and I am very glad you found a solution! But I have a question about the openssl command:

The .key file is the certificate you got from the CA, right? But what about the cert.crt? Where do I get this from? I always get this error message: unable to load private key

Thx for your help!

Andreas

Subject: RE: Found a way to import!

Actually, the file you get from the CA should be the certificate. It would be a security risk if they held your private key. You should already have the private key, since the order of operation is:

generate private key, create certificate request and send to CA, receive signed certificate from CA

Depending on how you generated your private key in the first place, it may be

(openssl) in a .key file

(java keytool) in a keystore file

(Domino) in a .kyr file

(Windows, or Netscape certutil) in a pkcs12 file

You can use ikeyman to open the last three file formats and export the key.

Subject: RE: Found a way to import!

Hi all, I also would like to share my experience how to import existing certificate & private key files (raw text in two files):

-----BEGIN CERTIFICATE-----
xxxxxxxx
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
xxxxxxxx
-----END RSA PRIVATE KEY-----

So, to make it work, I took the following steps:

  1. With the help of the openssl utility (under Linux) I prepared a p12 file based on the existing text files. The command looks like:

openssl pkcs12 -export -inkey cert.key -in cert.crt -out cert.p12 -name "KeyPair"

where: cert.key – file with the private key (BEGIN RSA PRIVATE KEY), cert.crt – file with the cert (BEGIN CERTIFICATE), KeyPair – label for the output key (Domino prefers such a label, but I'm not sure if it's crucial).

  2. With the help of ikeyman (from gsk5) I imported the p12 key into keyfile.kyr (Domino’s one) in the Personal keys part. But here I ran into hang-up issues with ikeyman: ikeyman just hung during the import. I killed the process and repeated the import (without deleting the temporary files generated by ikeyman). Usually it worked out on the second try.

  3. Domino’s kyr-file usually comes with an existing cert request (and private key). I deleted it with the help of ikeyman.

  4. And that’s all; these manipulations enable Domino to use the cert from the kyr-file for HTTPS connections.

All manipulations were made on Win XP (virtual one).

Domino 9.0.1 x64 on Win Srv 2008 sp1 r2 Std.
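The PKCS12 step from the "Found a way to import!" post and the numbered steps above, as an added example that is not from the thread: it first checks that the two PEM files really are a certificate and its matching private key (the "unable to load private key" question), then builds the bundle with the "KeyPair" label and confirms the label is present. The cert.key/cert.crt names, the throwaway self-signed test certificate and the password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: build the PKCS12 bundle that the posts
# above hand to IKEYMAN, after checking that cert.crt and cert.key belong together.
set -e

# Classify a PEM file by its header, so a swapped cert/key pair is caught before
# openssl reports "unable to load private key".
pem_kind() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then echo cert
  elif grep -q 'PRIVATE KEY' "$1"; then echo key
  else echo unknown
  fi
}

# Succeed only if the certificate's public key equals the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 CERT KEY OUT PASSWORD: export with the label "KeyPair" that Domino
# gives its own key, then confirm the bundle really carries that label.
make_p12() {
  [ "$(pem_kind "$1")" = cert ] || { echo "$1 is not a certificate" >&2; return 1; }
  [ "$(pem_kind "$2")" = key ]  || { echo "$2 is not a private key" >&2; return 1; }
  key_matches_cert "$1" "$2"    || { echo "private key does not match $1" >&2; return 1; }
  openssl pkcs12 -export -inkey "$2" -in "$1" -out "$3" -name KeyPair -passout "pass:$4"
  openssl pkcs12 -in "$3" -nokeys -passin "pass:$4" 2>/dev/null | grep -q 'friendlyName: KeyPair'
}

# Constructed test material (not a real Thawte cert): a throwaway self-signed
# wildcard certificate and its key, in the same two-file PEM layout as the post.
work=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
  -keyout "$work/cert.key" -out "$work/cert.crt" >/dev/null 2>&1

make_p12 "$work/cert.crt" "$work/cert.key" "$work/cert.p12" changeit \
  && echo "$work/cert.p12 is ready for IKEYMAN's Import/Export"
```

OpenSSL 3 encrypts the bundle with AES and PBKDF2 by default, which older PKCS12 readers such as the IKEYMAN build in the thread may not accept; its `-legacy` switch on the `-export` command produces the older RC2/3DES encoding.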