How to export the private key from a Domino keyfile by using IKEYMAN
How can you use the IBM Key Management (IKEYMAN) tool to export the private key from the key ring file (*.kyr) of an IBM® Domino® server?
You can use the IBM Key Management (IKEYMAN) tool for many tasks, including extracting the private key from a Domino SSL key ring file, which is typically named keyfile.kyr.
Currently, only the IKEYMAN version included with Global Security Kit 5 (GSKit 5) is compatible with Lotus Domino keyfiles. Later versions of the tool do not work as expected with Domino keyfiles; you are unable to open the file.
The IKEYMAN version provided with this technote is not supported by Lotus Technical Support. You can use it as is to export the private key from a Domino SSL key ring file. You should use it only for the purpose of exporting Domino keyfiles. To manage keys for other products and purposes, you should use the latest version of IKEYMAN.
Generally, support for the IBM Key Management (IKEYMAN) tool is included with support for WebSphere Application Server or IBM HTTP Server. However, note that this older version is not supported. For more information, refer to "Global Security Kit (GSKit) supported versions for releases of IBM HTTP Server" (#1173214).
Due to changes in the security library files, this tool does not work in Microsoft Windows 2003 or later. In addition, this tool will only work on a 32-bit system.
Where to find
You can download the specific GSK5 version that is necessary for exporting Domino keyfiles from the following FTP site:
DISCLAIMER: The information in this technote is provided on an "as is" basis. IBM Customer Support cannot be accountable for scripts written, modified, or acquired from sources, such as Redbooks, outside the official product release code. In addition, IBM Customer Support cannot write individual applications, however, the following information will provide a starting point from which to build custom applications. While every reasonable precaution has been taken in the preparation of this work, IBM assumes no responsibility for errors and omissions, or for the uses made of this material contained herein or decisions based on such use.
file size: 9.63 MB (10,102,094 bytes)
In general, the IBM Key Management (IKEYMAN) tool is available from the following sources:
- As a part of IBM HTTP Server
(IBM HTTP Server can be downloaded free of charge, but no support is provided for the free download)
- As a part of WebSphere Application Server
- If you are not using IBM HTTP Server or Application Server, you can get this utility by installing the IBM Developer Kit for Java, available from http://www.ibm.com/developerworks/java/jdk/.
- As a utility on certain IBM software product CDs, such as with IBM Sametime.
Steps to export a key
The steps to export a key can be found in the IBM HTTP Server documentation: http://www.ibm.com/software/webservers/httpservers/library/
The specific topic to review is "Importing and exporting keys". For your convenience, we repeat the steps below.
1. Extract the contents of the zip file that you downloaded to a folder, named for example gsk5-iKeyman.
2. Launch a Windows command prompt. From the gsk5-iKeyman folder, run the following command to set up the registry: (Note: the command is case sensitive)
3. After this setup is done, run the following command to launch the tool:
4. Click "Key Database file" > "Open", then select your *.kyr file. You MUST know the password for the key ring file. Once you enter the password, you see the Keypair in the center pane.
5. Under Key database content, select "Personal Certificates" from the drop-down list. Click the "Export/Import" button.
Screen capture of Export/Import dialog:
6. Choose "Export Key" as the Action Type, select PKCS12 as the Key file type, and specify a file name and location. Click OK. You might be prompted for the password again. Then, the tool creates the PKCS12 file containing the private key.
7. After the utility is used, you can remove the added registry values by running the following command:
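Once the PKCS12 file from step 6 exists, confirm that it really holds the server's private key and certificate before copying it to another machine, and treat it as sensitive from that moment on. The following POSIX shell script is an added example and is not part of the technote or of IKEYMAN; it assumes OpenSSL is on the PATH, and the file name and password it takes are placeholders supplied by the caller. Because GSKit 5 encrypts PKCS12 contents with older algorithms, OpenSSL 3.x may need its `-legacy` flag to read such a file; the script accepts that flag as an optional third argument.

```shell
#!/bin/sh
# Added example (not from the technote): sanity-check a PKCS12 file produced by
# the IKEYMAN "Export Key" step before moving it anywhere.
# Assumptions: openssl is on PATH; file name and password are placeholders
# passed by the caller; pass "-legacy" as the third argument when OpenSSL 3.x
# refuses an old GSKit-encrypted file.

check_pkcs12() {
    p12="$1"
    P12_PASS="$2"
    legacy="${3:-}"        # e.g. "-legacy" for OpenSSL 3.x reading GSKit 5 output
    export P12_PASS        # hand the password over via the environment, not argv

    if [ ! -r "$p12" ]; then
        echo "cannot read $p12" >&2
        unset P12_PASS
        return 1
    fi

    # 1. The integrity MAC must verify with this password; otherwise either the
    #    password is wrong or the file is corrupt.
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout $legacy 2>/dev/null; then
        echo "MAC check failed for $p12 (wrong password or corrupt file)" >&2
        unset P12_PASS
        return 2
    fi

    # 2. Exactly one private key should be present. -nodes keeps the key in the
    #    pipe for counting only; nothing is written to disk.
    keys=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes $legacy 2>/dev/null \
           | grep -c 'BEGIN.*PRIVATE KEY')
    if [ "$keys" -ne 1 ]; then
        echo "expected 1 private key in $p12, found $keys" >&2
        unset P12_PASS
        return 3
    fi

    # 3. Show the server certificate's subject and expiry so the operator can
    #    confirm the right key pair was exported.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts $legacy 2>/dev/null \
        | openssl x509 -noout -subject -enddate

    # 4. The file now carries the server's private key: owner-only access.
    chmod 600 "$p12"
    unset P12_PASS
    return 0
}

# Usage: check_pkcs12 /path/to/exported.p12 'keyring-password' [-legacy]
```

The return code distinguishes an unreadable file (1), a failed MAC check (2) and a file with no or several private keys (3), so the script can be used in a migration checklist; the password is read through `-passin env:` rather than `pass:` so it does not appear in process listings.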