This forum is closed to new posts and responses. New discussions are now taking place in the IBM Developer Answers forum.


Nov 26, 2014, 1:25 PM
329 Posts

KYRTOOL error - SECIssUpdateKeyringPrivateKey returned error 0x0720

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags:
  • Replies: 4

I was able to create my first SHA-2 server certificate yesterday using the new method - OpenSSL for Windows and KYRTOOL. Rough start, but with help it worked great!

Today, I'm attempting to create a certificate for a second server, using the exact same step-by-step process that I documented yesterday - but running into an error.

Reference:  http://www-10.lotus.com/ldd/dominowiki.nsf/dx/3rd_Party_SHA-2_with_OpenSSL_and_kyrtool

Created the CSR, received the Certificates from my vendor. Created the Keyring file. Made it to step '5b. Verify the input file:'  which seems to work OK, but fails on the next step, '5c. Import the keypair and self-signed certificate:'.

Here is a screenshot of my DOS window:

<snip>

C:\Program Files (x86)\IBM\Notes>kyrtool =notes.ini verify "C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.txt"

        KyrTool v1.0

Successfully read 4096 bit RSA private key
INFO: Successfully read 3 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: Final certificate in chain is self-signed

C:\Program Files (x86)\IBM\Notes>kyrtool =notes.ini import all -k "C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr" -i "C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.txt"

Using keyring path 'C:\Users\taylor\Documents\SSL Certificates\xxxxxxxx\xxxxxxxx.kyr'
Successfully read 4096 bit RSA private key
SECIssUpdateKeyringPrivateKey returned error 0x0720

Syntax error in OID

C:\Program Files (x86)\IBM\Notes>

</snip>

Ideas?

Thanks!

Nov 26, 2014, 2:41 PM
91 Posts
Try importing everything one by one
See Link for a good explanation on how to import the private key, the intermediate certs, and then the server cert one by one. That worked for me after getting this error.

Howard
Nov 26, 2014, 3:22 PM
329 Posts
That is TOO funny!

I had literally just imported each individually, and it appears to have worked. I was coming back to update my post. The link that you posted doesn't work for me, but in case anyone else sees this issue - these are the commands that I used:

kyrtool =notes.ini import keys -k "xxxxxxxx.kyr" -i "xxxxxxxx.key" -n CN=www.xxxxxxxx.com

kyrtool =notes.ini import certs -k "xxxxxxxx.kyr" -i "www_xxxxxxxx_com.crt"

kyrtool =notes.ini import certs -k "xxxxxxxx.kyr" -i "\yyyyyyyyCA.crt"

kyrtool =notes.ini import certs -k "xxxxxxxx.kyr" -i "TrustedRoot.crt"

 

The subsequent 'show keys' and 'show certs' look fine - so I was going to give this keyring a try tonight and see if it flies.

(Famous last words) What's the worst that can happen?

 

Howard, can you confirm these steps look correct?

Thanks, Again!

Nov 28, 2014, 6:10 PM
91 Posts
two things
I did not use the -n parameter at all.

And, I used the import -roots to import the intermediate certificates. I guess since I use Notes to read this forum (what else!) and my doc link did not work, I copied Gilbert's steps. However, in step 1 I did not use the -n parameter.

Howard

I had the same issue with our new RapidSSL certificate. Try to import step by step and not all together in one file:
1. Import keys
kyrtool ="C:\Notes\notes.ini" import keys -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\server.key" -n "CN=my.domain.com"

2. Import roots
kyrtool ="C:\Notes\notes.ini" import roots -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\root.pem"
kyrtool ="C:\Notes\notes.ini" import roots -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\intermediateroot.pem"

3. Import cert
kyrtool ="C:\Notes\notes.ini" import certs -k "C:\Notes\Data\keyring.kyr" -i "C:\Notes\Data\server.pem"

Regards,

Gilbert

Dec 1, 2014, 9:09 AM
329 Posts
Seems to be working...

I should have read the kyrtool 'documentation' a little better!

;-)

It's working using the steps that I performed, but I might make it a point to re-run it using the method you described.

It'd be nice if we could get some feedback on the error: 'SECIssUpdateKeyringPrivateKey returned error 0x0720'...

And thanks again (and again) for the assistance!
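
An added example, not part of the original posts and not IBM's code: a Python script that splits the combined input file used for 'import all' into one PEM file per item and lists the kyrtool commands in the order Gilbert describes (keys, roots, certs). The output file names and the leaf-first ordering of the certificates are assumptions; the -n parameter is left out, as in Howard's reply.

```python
import re
from pathlib import Path

# Constructed sample: placeholder bodies, not real key or certificate material.
SAMPLE = "".join(
    f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    for label, body in [("RSA PRIVATE KEY", "a2V5"), ("CERTIFICATE", "bGVhZg=="),
                        ("CERTIFICATE", "aW50"), ("CERTIFICATE", "cm9vdA==")])

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

def split_bundle(text):
    """Return (key_pem, [cert_pem, ...]) from a combined PEM input file."""
    keys, certs = [], []
    for m in PEM_BLOCK.finditer(text):
        if m.group(1).endswith("PRIVATE KEY"):
            keys.append(m.group(0) + "\n")
        elif m.group(1) == "CERTIFICATE":
            certs.append(m.group(0) + "\n")
    if len(keys) != 1 or not certs:
        raise ValueError("need exactly one private key and at least one certificate")
    return keys[0], certs

def plan_imports(text, kyr, outdir, ini="notes.ini"):
    """Write one file per PEM block; return kyrtool commands in import order."""
    key, certs = split_bundle(text)
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    # Assumption: leaf certificate first, self-signed root last (cert 0..2 in the verify output).
    files = [("keys", "server.key", key)]
    files += [("roots", f"chain{i}.pem", pem) for i, pem in enumerate(reversed(certs[1:]))]
    files.append(("certs", "server.pem", certs[0]))
    cmds = []
    for kind, name, pem in files:
        path = out / name
        path.write_text(pem)
        cmds.append(f'kyrtool ={ini} import {kind} -k "{kyr}" -i "{path}"')
    return cmds

if __name__ == "__main__":
    # Output directory name is hypothetical; -n is omitted, as in Howard's reply.
    for cmd in plan_imports(SAMPLE, "keyring.kyr", "split_out"):
        print(cmd)
```

The split server.key is a second copy of the private key on disk; delete it once the keyring import succeeds.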

