KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720

I was able to create my first SHA-2 server certificate yesterday using the new method - OpenSSL for Windows and KYRTOOL. Rough start, but with help it worked great!

Today, I’m attempting to create a certificate for a second server, using the exact same step by step process that I documented yesterday - but running into an error.

Reference: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool

Created the CSR, received the Certificates from my vendor. Created the Keyring file. Made it to step ‘5b. Verify the input file:’ which seems to work OK, but fails on the next step, ‘5c. Import the keypair and self-signed certificate:’.

Here is a screenshot of my DOS window:

C:\Program Files (x86)\IBM\Notes>kyrtool =notes.ini verify "C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.txt"

KyrTool v1.0

Successfully read 4096 bit RSA private key
INFO: Successfully read 3 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: Final certificate in chain is self-signed

C:\Program Files (x86)\IBM\Notes>kyrtool =notes.ini import all -k "C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr" -i "C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.txt"

Using keyring path 'C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey returned error 0x0720

Syntax error in OID

C:\Program Files (x86)\IBM\Notes>

Ideas?

Thanks!

Subject: That is TOO funny!

I had literally just imported each individually, and it appears to have worked. I was coming back to update my post. The link that you posted doesn’t work for me, but in case anyone else sees this issue - these are the commands that I used:

kyrtool =notes.ini import keys -k "xxxxxxxx.kyr" -i "xxxxxxxx.key" -n CN=www.xxxxxxxx.com

kyrtool =notes.ini import certs -k "xxxxxxxx.kyr" -i "www_xxxxxxxx_com.crt"

kyrtool =notes.ini import certs -k "xxxxxxxx.kyr" -i "\yyyyyyyyCA.crt"

kyrtool =notes.ini import certs -k "xxxxxxxx.kyr" -i "TrustedRoot.crt"

The subsequent 'show keys' and 'show certs' look fine - so I was going to give this keyring a try tonight and see if it flies.

(Famous last words) What’s the worst that can happen?

Howard, can you confirm these steps look correct?

Thanks, Again!

Subject: two things

I did not use the -n parameter at all.

And, I used the import -roots to import the intermediate certificates. I guess since I use Notes to read this forum (what else!) and my doc link did not work I copied Gilbert’s steps. However, in step 1 I did not use the -n parameter.

Howard

I had the same issue with our new RapidSSL certificate. Try to import step by step and not all together in one file:

  1. Import keys
    kyrtool ="C:\Notes\notes.ini" import keys -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\server.key" -n "CN=my.domain.com"

  2. Import roots
    kyrtool ="C:\Notes\notes.ini" import roots -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\root.pem"
    kyrtool ="C:\Notes\notes.ini" import roots -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\intermediateroot.pem"

  3. Import cert
    kyrtool ="C:\Notes\notes.ini" import certs -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\server.pem"

Regards,

Gilbert
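The step-by-step import above needs the private key, the CA certificates and the server certificate as separate files, while the failing 'import all' was fed one combined file. As an added example (not code from this thread and not part of IBM's kyrtool), the following Python script splits such a combined PEM file into those separate files. It assumes the blocks appear in the order kyrtool verify reported for the file in the first post (private key, leaf certificate, intermediate(s), self-signed root), re-wraps each block at 64 columns with LF line endings, and fails with the block index if a body is not valid base64 or does not decode to an ASN.1 SEQUENCE. The sample bundle it builds is constructed from tiny ASN.1 stand-ins, not real keys or certificates, so it runs offline; the output file names (server.key, root.pem, intermediateN.pem, server.pem) are this example's own choice.

```python
"""Split a combined PEM file (private key + certificate chain) into the
separate files a one-at-a-time kyrtool import needs.  Standard library only."""
import base64
import binascii
import re
from pathlib import Path

# One PEM block: header, base64 body, matching footer.  Whitespace inside the
# body is tolerated so CRLF, LF and mixed line endings all parse.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)"
    r"-----END (?P=label)-----"
)

# PKCS#1 (RSA PRIVATE KEY), PKCS#8 (PRIVATE KEY) and SEC1 (EC PRIVATE KEY) labels.
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def _canonical_pem(label, body):
    """Re-wrap a block at 64 columns with LF line endings, so stray CR/CRLF
    mixes and over-long lines from copy-paste do not survive into the split files."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def parse_bundle(text):
    """Return [(label, pem, der), ...] for every block in text, in file order.

    Each body is base64-decoded strictly and the DER is checked to start with
    an ASN.1 SEQUENCE tag (0x30).  A block failing either check raises
    ValueError naming its index, which is more than an editor will show."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"block {len(blocks)} ({label}): bad base64: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"block {len(blocks)} ({label}): not a DER SEQUENCE")
        blocks.append((label, _canonical_pem(label, body), der))
    return blocks


def split_bundle(text):
    """Classify blocks as key / leaf / intermediates / root.

    Assumption: certificates are in chain order, leaf first and self-signed
    root last (the order kyrtool verify reported in the first post)."""
    blocks = parse_bundle(text)
    keys = [pem for label, pem, _ in blocks if label in KEY_LABELS]
    certs = [pem for label, pem, _ in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if len(certs) < 2:
        raise ValueError(f"expected a leaf and at least one CA certificate, found {len(certs)}")
    return {"key": keys[0], "leaf": certs[0],
            "intermediates": certs[1:-1], "root": certs[-1]}


def write_split(text, outdir):
    """Write server.key, root.pem, intermediate<N>.pem and server.pem into outdir
    and return the file names in the order a step-by-step import would use them
    (key first, CA certificates next, server certificate last)."""
    parts = split_bundle(text)
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    order = [("server.key", parts["key"]), ("root.pem", parts["root"])]
    order += [(f"intermediate{i + 1}.pem", pem)
              for i, pem in enumerate(parts["intermediates"])]
    order.append(("server.pem", parts["leaf"]))
    for name, pem in order:
        (outdir / name).write_bytes(pem.encode("ascii"))
    return [name for name, _ in order]


def make_sample_bundle():
    """Constructed stand-in for a real bundle: every body is a tiny ASN.1
    SEQUENCE { INTEGER n }, not a real key or certificate, written with CRLF
    line endings as a file saved on Windows would be."""
    def block(label, n):
        der = bytes([0x30, 0x03, 0x02, 0x01, n])
        b64 = base64.b64encode(der).decode("ascii")
        return f"-----BEGIN {label}-----\r\n{b64}\r\n-----END {label}-----\r\n"
    return (block("RSA PRIVATE KEY", 1) + block("CERTIFICATE", 2)
            + block("CERTIFICATE", 3) + block("CERTIFICATE", 4))


if __name__ == "__main__":
    for name in write_split(make_sample_bundle(), "split_out"):
        print("wrote", name)
```

Run it against the real combined .txt instead of the sample bundle and feed the resulting files to the separate 'import keys', 'import roots' and 'import certs' commands; if the script raises on a block, that block is worth inspecting before blaming the import.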

Subject: Seems to be working…

I should have read the kyrtool 'documentation' a little better!

:wink:

It’s working using the steps that I performed, but I might make it a point to re-run it using the method you described.

It'd be nice if we could get some feedback on the error: 'SECIssUpdateKeyringPrivateKey returned error 0x0720'...

And thanks again (and again) for the assistance!

Subject: Try importing everything one by one

See Link Notes://Notes1/85257B35003DD001/8178B1C14B1E9B6B8525624F0062FE9F/D2740AD496F581A285257D94002EC1FB for a good explanation on how to import the private key, the intermediate certs, and then the server cert one by one. That worked for me after getting this error.

Howard