Hello,
Does anyone know how to export or view the private key in text or PEM format from the keyfile.kyr file?
I have been having a hard time finding any solutions… Also tried using KeyMan with no luck.
Thank you!!!
Subject: View / Export Private Key in keyfile.kyr
To the best of my knowledge, you’re just SOL on this score, in the name of security. It’s an understandable stance, but annoying when one has to pay a third party for a key set because Domino won’t let the key be exported to send it to the other server for SSL mutual authentication. (shrug)
I’d be happy as a clam for someone to tell me I’m wrong … I could stop renewing the third-party key and use Domino’s.
Hope this helps…
Subject: RE: View / Export Private Key in keyfile.kyr
I’ve done a lot of testing, hacking, etc. and can’t get anything to work (I support WebSphere and have access to ikeyman). The .kdb and .kyr files are VERY close…but not quite the same. Two of the following articles say it’s NOT possible, but the third seems to contradict the others:
"Problem
Is it possible to extract or export the private key from a Domino key ring file (*.KYR)? For example, you’ve included a VeriSign certificate in a Lotus Domino server’s key ring file and wish to share its private key with another non-Domino Web server. Or another example would be if you wish to use Microsoft’s Internet Security and Acceleration (ISA) Server, which uses an exported private key to serve SSL from the Web server(s) behind it.
Solution
This issue has been reported to Quality Engineering as an enhancement request. Currently Domino does not provide functionality for exporting private keys from the key ring file on a Domino server."
http://www-12.lotus.com/ldd/doc/uafiles.nsf/docs/s390509/$File/connector.pdf
"Note: Although the IKEYMAN utility provides an option to convert existing (from previous releases) keyring files (*.kyr file) to its key database format, IKEYMAN can not be used to migrate a Domino SSL keyring file to be used as an IBM HTTP Server key database. The format of a Domino keyring file is not the same as the format that IKEYMAN can convert. Also, the Domino Server Certificate Management application does not provide an option for exporting an existing server key and certificate. Because of this, it is not possible to reuse a server key and certificate that you may have previously obtained for configuring Domino’s built in HTTP task for SSL connections. You will need to set up a new key and certificate for the IBM HTTP Server."
http://www-1.ibm.com/support/docview.wss?uid=swg21174641
“With a certificate manager tool appropriate to the key file types, extract the personal certificate from the Domino key file store (such as ikeyman as shipped with IBM HTTP Server for Domino’s key store.)”
Subject: Solution: Export Private Key in keyfile.kyr
In case someone else finds this post that needs it, after seeing the post here: http://www-10.lotus.com/ldd/nd8forum.nsf/DateAllFlatWeb/6208adc5e5e12b0885257721004f83e7?OpenDocument
The program to do the actual export is available at:
ftp://ftp.software.ibm.com/software/lotus/tools/Domino/gsk5-ikeyman.zip
Download and extract (I found I needed to extract to the ROOT of C drive, i.e.: c:\ikeyman\ for things to work). Make sure to READ the readme.txt (only a few steps) and it worked great.