Aug 13, 2015 9:04 AM
281 Posts

KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720 - Syntax error in OID

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 4

It's time to renew my expiring SSL certificates, and as I walk through the process described here -> http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool , I'm still receiving the KYRTool error "KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720" when importing the certificate(s) in step 6.

My first attempt in November I also received this error (described here) -> http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=674289CE50B9FA4D85257D9C006535E6#6211210C9CA25C3685257D9C006C282A

..but no-one has ever come back with the actual fix or description of what I'm doing wrong.

So, what am I doing wrong?

Aug 13, 2015 12:13 PM
191 Posts
Looks like some component of the certificate is bad
Try running this OpenSSL command on the certificate:

OpenSSL> x509 -in c:\temp\keys\server.crt -text -noout -nameopt "esc_2253, esc_ctrl, esc_msb, utf8, dump_nostr, dump_der, use_quote, sep_comma_plus_space, space_eq, oid, dump_unknown"

This causes portions of the certificate to be displayed with the OID instead of the default short name. The error indicates there's a problem with one or more of them. I don't have one with unrecognized OIDs, so I don't know what dump_unknown will provide, but presumably it should identify the bad ones. Here's what a portion of good data looks like:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            ff:31:b2:d0:c2:e1:02:c4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: 2.5.4.6 = US, 2.5.4.8 = Texas, 2.5.4.7 = Round Rock, 2.5.4.10 = Acme, 1.2.840.113549.1.9.1 = nobody@acme.com
        Validity
            Not Before: Aug 13 14:46:11 2015 GMT
            Not After : Aug 10 14:46:11 2025 GMT
        Subject: 2.5.4.6 = US, 2.5.4.8 = Texas, 2.5.4.7 = Round Rock, 2.5.4.10 = Acme, 2.5.4.3 = server.acme.com, 1.2.840.113549.1.9.1 = nobody@acme.com

An OID reference can be found here: https://technet.microsoft.com/en-us/library/cc772812%28WS.10%29.aspx.
Aug 13, 2015 2:47 PM
281 Posts
Thanks for the updates...

Chad - This is the same error that I received using KYRTool V1.0 back in November, but, just as in November, running the 4 KYRTool commands separately was successful.

However, I ran the command - here are my results:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0c:09:ce:ba:17:86:81:cf:f5:d5:aa:82:cd:02:b9:09
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: 2.5.4.6 = US, 2.5.4.10 = DigiCert Inc, 2.5.4.11 = www.digicert.com, 2.5.4.3 = DigiCert SHA2 Extended Validation Server CA
        Validity
            Not Before: Aug 12 00:00:00 2015 GMT
            Not After : Nov  9 12:00:00 2017 GMT
        Subject: 2.5.4.15 = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = #13025553, 1.3.6.1.4.1.311.60.2.1.2 = #130844656C6177617265, 2.5.4.5 = <serial>, 2.5.4.9 = <address>, 2.5.4.17 = <zip>, 2.5.4.6 = US, 2.5.4.8 = <State>, 2.5.4.7 = <city>, 2.5.4.10 = <my company>, 2.5.4.3 = <server common name>


Graham - I'll grab IF3 and see what happens!


Thanks!
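The `-nameopt` output above has two kinds of value that are worth understanding before blaming the certificate: attributes printed with a dotted OID instead of a short name, and attributes printed as a `#HEX` blob, which is the raw DER of the value because OpenSSL had no name for that OID at all. In the EV subject shown, `1.3.6.1.4.1.311.60.2.1.3` and `1.3.6.1.4.1.311.60.2.1.2` are the CA/Browser Forum "jurisdiction of incorporation" country and state attributes, and `#13025553` decodes to PrintableString "US", `#130844656C6177617265` to PrintableString "Delaware". The script below is an added example, not part of this thread or of KYRTool: it parses a Subject/Issuer line printed with that exact `-nameopt` string, decodes the DER dumps, and lists which attribute types fall outside the RFC 5280 set and which ones live under a private enterprise arc. The `KNOWN_OIDS` table and the sample subject (modelled on the poster's, with constructed values in place of the redacted fields) are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Attribute-type OIDs from RFC 5280 / RFC 4519, the PKCS#9 emailAddress, and the
# EV "jurisdiction of incorporation" attributes (CA/Browser Forum EV Guidelines,
# registered under Microsoft's 1.3.6.1.4.1.311 private enterprise arc).
# Assumption of this example: this is the set the reader's tooling understands.
KNOWN_OIDS: Dict[str, str] = {
    "2.5.4.3": "commonName",
    "2.5.4.5": "serialNumber",
    "2.5.4.6": "countryName",
    "2.5.4.7": "localityName",
    "2.5.4.8": "stateOrProvinceName",
    "2.5.4.9": "streetAddress",
    "2.5.4.10": "organizationName",
    "2.5.4.11": "organizationalUnitName",
    "2.5.4.15": "businessCategory",
    "2.5.4.17": "postalCode",
    "1.2.840.113549.1.9.1": "emailAddress",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionOfIncorporationLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionOfIncorporationStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionOfIncorporationCountryName",
}

# ASN.1 universal tags of the string types that may carry a name attribute value.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "TeletexString",
               0x16: "IA5String", 0x1E: "BMPString"}

# Constructed sample, shaped like the EV subject in the post with made-up values
# where the poster redacted them.  "Acme\, Inc." shows an esc_2253-escaped comma.
SAMPLE_SUBJECT = (
    "2.5.4.15 = Private Organization, "
    "1.3.6.1.4.1.311.60.2.1.3 = #13025553, "
    "1.3.6.1.4.1.311.60.2.1.2 = #130844656C6177617265, "
    "2.5.4.5 = 1234567, 2.5.4.9 = 1 Example Way, 2.5.4.17 = 12345, "
    "2.5.4.6 = US, 2.5.4.8 = Texas, 2.5.4.7 = Round Rock, "
    "2.5.4.10 = Acme\\, Inc., 2.5.4.3 = server.acme.com"
)


def decode_der_value(hexdump: str) -> Tuple[str, str]:
    """Decode one '#HEX' value as printed by openssl -nameopt dump_unknown/dump_der.

    The dump is a complete DER TLV: one tag byte, a length, then the content.
    Returns (ASN.1 type name, decoded text); non-string types come back as hex.
    """
    raw = bytes.fromhex(hexdump)
    if len(raw) < 2:
        raise ValueError("DER dump too short")
    tag, length, offset = raw[0], raw[1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(raw[2:2 + nbytes], "big")
        offset = 2 + nbytes
    content = raw[offset:offset + length]
    if offset + length != len(raw):
        raise ValueError("DER length does not match the dumped bytes")
    type_name = STRING_TAGS.get(tag)
    if type_name is None:
        return f"tag 0x{tag:02x}", content.hex()
    if tag == 0x1E:
        return type_name, content.decode("utf-16-be")
    if tag == 0x14:
        return type_name, content.decode("latin-1")
    return type_name, content.decode("utf-8")


_AVA = re.compile(r"([0-9.]+) = (.*)", re.DOTALL)


def parse_name(name: str) -> List[Dict[str, str]]:
    """Parse a Subject/Issuer line printed with sep_comma_plus_space, space_eq, oid."""
    avas = []
    # RDNs are separated by ", " and multi-valued RDNs by " + "; esc_2253 escapes
    # any literal separator inside a value as "\,", so skip escaped ones.
    for ava in re.split(r"(?<!\\)(?:, | \+ )", name.strip()):
        m = _AVA.fullmatch(ava)
        if not m:
            raise ValueError(f"cannot parse attribute: {ava!r}")
        oid, value = m.groups()
        if value.startswith("#"):
            encoding, text = decode_der_value(value[1:])
        else:
            encoding, text = "string", re.sub(r"\\(.)", r"\1", value)  # undo escaping
        avas.append({"oid": oid, "name": KNOWN_OIDS.get(oid, "<unrecognised>"),
                     "encoding": encoding, "value": text})
    return avas


def review_name(name: str) -> Dict[str, List[str]]:
    """Summarise the attribute types a consumer of this name will have to handle."""
    avas = parse_name(name)
    return {
        "unrecognised_oids": [a["oid"] for a in avas if a["oid"] not in KNOWN_OIDS],
        "der_dumped": [f'{a["oid"]} ({a["name"]}) = {a["value"]!r} [{a["encoding"]}]'
                       for a in avas if a["encoding"] != "string"],
        "private_enterprise_arc": [a["oid"] for a in avas
                                   if a["oid"].startswith("1.3.6.1.4.1.")],
    }


if __name__ == "__main__":
    for key, items in review_name(SAMPLE_SUBJECT).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Paste the Subject line from your own `openssl x509 -text -nameopt ...` output in place of `SAMPLE_SUBJECT`; anything under `der_dumped` or `unrecognised_oids` is an attribute type your OpenSSL build, and possibly an older keyring tool, does not have a name for. Whether a given tool actually rejects such attributes is a question for that tool's release notes, as the fix in this thread turned out to be.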

Aug 13, 2015 4:41 PM
281 Posts
Installed IF3 for FP3 and it appears to have solved both issues!

Installed IF3 for FP3 and it appears to have solved both the 0x0720 as well as the subsequent crash!

We'll see what happens tonight when I try to use the new certificate!

Thanks, Graham!!