It’s time to renew my expiring SSL certificates, and as I walk through the process described here → http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool , I’m still receiving the KYRTool error “KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720” when importing the certificate(s) in step 6.
My first attempt in November I also received this error (described here) → http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=674289CE50B9FA4D85257D9C006535E6#6211210C9CA25C3685257D9C006C282A
…but no-one has ever come back with the actual fix or description of what I’m doing wrong.
So, what am I doing wrong?
Subject: Looks like some component of the certificate is bad
Try running this OpenSSL command on the certificate:
OpenSSL> x509 -in c:\temp\keys\server.crt -text -noout -nameopt "esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq, oid, dump_unknown"
This causes portions of the certificate to be displayed with the OID instead of the default short name. The error indicates there’s a problem with one or more of them. I don’t have one with unrecognized OIDs, so I don’t know what dump_unknown will provide, but presumably it should identify the bad ones. Here’s what a portion of good data looks like:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ff:31:b2:d0:c2:e1:02:c4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 2.5.4.6 = US, 2.5.4.8 = Texas, 2.5.4.7 = Round Rock, 2.5.4.10 = Acme, 1.2.840.113549.1.9.1 = nobody@acme.com
        Validity
            Not Before: Aug 13 14:46:11 2015 GMT
            Not After : Aug 10 14:46:11 2025 GMT
        Subject: 2.5.4.6 = US, 2.5.4.8 = Texas, 2.5.4.7 = Round Rock, 2.5.4.10 = Acme, 2.5.4.3 = server.acme.com, 1.2.840.113549.1.9.1 = nobody@acme.com
An OID reference can be found here (Managing Subject Relative Distinguished Names in the Certificate Subject): https://technet.microsoft.com/en-us/library/cc772812(WS.10).aspx
Subject: Have you upgraded your Notes to
Can you confirm your version of Notes & Domino?
The original error was reported to development under SPR DKEN9RVQGD and resolved in Notes 9.0.1 FP3 IF3
http://www-01.ibm.com/support/docview.wss?uid=swg21657963
Subject: Installed IF3 for FP3 and it appears to have solved both issues!
Installed IF3 for FP3 and it appears to have solved both the 0x0720 as well as the subsequent crash!
We’ll see what happens tonight when I try to use the new certificate!
Thanks, Graham!!
Subject: Thanks for the updates…
Chad - This is the same error that I received using KYRTool V1.0 back in November, but, just as in November, running the 4 KYRTool commands separately was successful.
However, I ran the command - here are my results:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:09:ce:ba:17:86:81:cf:f5:d5:aa:82:cd:02:b9:09
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 2.5.4.6 = US, 2.5.4.10 = DigiCert Inc, 2.5.4.11 = www.digicert.com, 2.5.4.3 = DigiCert SHA2 Extended Validation Server CA
        Validity
            Not Before: Aug 12 00:00:00 2015 GMT
            Not After : Nov 9 12:00:00 2017 GMT
        Subject: 2.5.4.15 = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = #13025553, 1.3.6.1.4.1.311.60.2.1.2 = #130844656C6177617265, 2.5.4.5 = , 2.5.4.9 = , 2.5.4.17 = , 2.5.4.6 = US, 2.5.4.8 = , 2.5.4.7 = , 2.5.4.10 = , 2.5.4.3 =
Graham - I’ll grab IF3 and see what happens!
Thanks!