IBM Support

Merge Wildcard SSL PFX file for Domino SSL using OpenSSL and kyrtool

Technote (FAQ)


How can we bypass creating a certificate signing request(CSR) for the certificate authority(CA), and create a Domino SSL keyring that uses an existing wildcard certificate?


A private key for an SSL certificate is unique to that particular key pair.

When generating the certificate signing request for a Certificate Authority(CA), a public key is part of the request, which corresponds to the private key in use.

If a different key pair is used, It will have a different private key, so the public key contained in the CA signed certificate will not match what is expected.

You must have the private key available to be able to import the certificate.


You need to get a PFX file of the wildcard certificate that you will use for Domino. This contains the private key of the certificate. You must also know the password for that PFX file. The pfx is usually a windows format.

Step 1 From the files below, You will copy the PFX file(with password) to the Bin folder of my OpenSSL. Rename the PFX file to: "wildcard.pfx"

In CMD, go to the path where you installed OpenSSL, under bin folder do this commands:

"openssl pkcs12 -in wildcard.pfx -nocerts -out key.pem -nodes" -This command will generate the PEM file that will be used to create the server.key

"openssl pkcs12 -in wildcard.pfx -nokeys -out cert.pem" -This command will generate the PEM files used for the merging of certificates

"openssl rsa -in key.pem -out server.key" -This will generate the server.key to be used for concatenation

"type server.key cert.pem>server.txt" -This will create the server.txt that will be imported in the keyring


Step 2. Create a new keyring file using the kyrtool.
Go to the path of your Notes/Domino Program directory where you placed the kyrtool and type in the command as shown below.
In this screenshot, the kyrtool is placed inside the Domino program directory.

Step 5.

Step 5a Place the "server.txt"(from the Bin folder of your OpenSSL) where the keyring is stored. From Step 2, the keyring is stored inside the "C:\ drive"

Step 5b. Verify using the command as shown below

Step 5c. Import the keypair and the certificate using the command below

Step 6. Examine the resulting keyring file

Step 7. Copy over your new keyring and sth file from the "C:\ drive" to Domino Data directory
Back up your old .kyr and .sth files, copy over your new keyring and stash files, update the keyring file names in the server document/internet site and restart the task http.

Related information

How to export the private key from a Domino keyfile by

Document information

More support for: IBM Domino
Web Server

Software version: 9.0, 9.0.1

Operating system(s): Windows

Software edition: All Editions, Social Edition

Reference #: 1701425

Modified date: 23 March 2017