Toby J Heikkila commented on Feb 23, 2016

Re: Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and KYRTool on a Windows workstation

Importing the intermediate certs did not give any feedback, but the first one worked, second did not. Second time we imported, second intermediate cert said successful. First one still did not give any response but worked both times. I checked, no typos, etc. So, I guess if it doesn't work the first time, just do it again. Interesting tool....

Christian Kroell commented on Oct 22, 2015

Thank you for the step-by-step procedure. I encountered a problem with the order of the certificates in step 6a - Option 2:

I tried the order as presented here, but without success. Step 7 threw an error ("no certs found").

I changed the order as follows:

1. server key file

2. signed server certificate

3. first intermediate certificate

4. second intermediate

5. root certificate

With this order I could finish the procedure successfully.

Dave Kern commented on Aug 18, 2015

@Stuart Hickson - As stated in step 4, you can request a certificate signed with SHA-384 or SHA-512 from most CAs just as easily as one signed with SHA-256. These steps will work fine for SHA-1, SHA-256, SHA-384, or SHA-512, although we would recommend against creating any new keyring files using SHA-1 for the obvious reasons. The algorithm used to sign the certificate request (SHA-256 in step 3 of this example) is not related to the signature algorithm in the final certificate. However, many CAs do not currently support certificate requests using SHA-384 or SHA-512 yet, so SHA-256 is a safer choice for step 3 at the moment.

Stuart Hickson commented on Jul 21, 2015

Is there a reason why you only use SHA256 and not SHA384 or SHA512?

sean cull commented on May 20, 2015

Note: at step 1b on Windows, if you get the error unable to write 'random state', then you need to run openssl as Administrator.

Christian ROSE commented on Feb 9, 2015

Thank you for this process, which worked perfectly for my first certificate in SHA-2.

Dave Brown commented on Feb 8, 2015

@James Hatfield - nope. Here is IBM's more elaborate wording: This is not possible since releases prior to Domino 9.0 lack the cryptographic infrastructure for SHA-2.

James Hatfield commented on Jan 27, 2015

I've created a Keyring via this process for a server which we're about to migrate to 9.01. However, the current certificate expires possibly before this will happen. Is the Keyring I've generated still usable on an 8.5.2 server?