fighting for truth, justice, and a kick-butt lotus notes experience.

Creating a Self-Signed Server certificate based on your own Root CA

 August 17 2015 10:22:15 AM
I know that many of you are still using self signed server certificates, which had been created by using the Domino Server Certificate Admin Template.

Because the resulting certs are self-signed by it's own, there is no real Root CA, which you can deploy to a client in advanced.
Other problems: The Bit-length is a joke and the certificates are only based on SHA1, which is deprecated.

So if you need a SSL certificate for your server, I recommend to use a SHA-2 4096 Bit certificate issued by a real trusted Root CA.

You will have to options:

Option A - Let your server certificate get signed by a public root authority like Thawte or Verisign
Recommended, if your site/server is public available AND you are not able to manage the clients.

Option B - Create your own Root CA and sign your server certificate with your Root CA.
Recommended for internal use, if you are able to manage your clients or devices. So that you can deploy root certificates to the trust chain of the clients.

Lets take a look at Option B:

In the following I will explain the steps to create your own Root CA and how to create a new SSL Server key for Domino based on SHA-2.

1. Step: Preparations:

To use SHA-2 certificates together with Domino, you must use a version starting with 9.0.1 FP3. (If you are still using Domino 8.5.3, you must upgrade to the current version 9.0.1)

We will need OpenSSL to create the keys and the new IBM KYRTOOL to create a Domino Keyfile.

1.1. Download and install OpenSSL, if not already installed

Download the latest “lite” version of OpenSSL from here and install it on your Windows machine.  
I installed mine to C:\openssl

1.2. For Windows:

Set the environment variable for OpenSSL using a command prompt

Set OpenSSL_Conf=C:\openssl\bin\openssl.cfg

1.3. Download the IBM KYRTOOL from Fix Central and install it.

The download can be found here.
Extract and copy the executable to your Notes program directory. (Your Notes/Domino Installation must be 9.0.1 with Fixpack 3)

1.4 Create a folder in your file system to store your certificates

I will use C:\myCerts

2. Step: Create your private Root CA

2.1.  Create CA Private Key

Open a Command prompt and switch to the OpenSSL directory (c:\openssl)

openssl genrsa -des3 -out C:\myCerts\myCA.key 4096

2.2. Create CA Certificate (10 years validity in this case using SHA-2)

openssl req -new -sha256 -x509 -days 3650 -key C:\myCerts\myCA.key -out C:\myCerts\myCA.crt

That's it! Make a backup copy of your created myCA.key and myCA.crt. Store them in a secure place.
This is your new Root CA, which you can use for all internal server SSL keys from now on.

3. Step: Create your Server certificate

3.1. Create Private Key for your Domino Server

openssl genrsa -out C:\myCerts\myServer.key 4096

3.2. Create Certificate Signing Request for your host

openssl req -new -sha256 -key C:\myCerts\myServer.key -out C:\myCerts\myServer.csr

4. Step:  Sign your Certificate Signing Request  using your Root CA

4.1. Sign host Certificate with CA Certificate (5 years validity)

openssl x509 -req -sha256 -days 1825 -in C:\myCerts\myServer.csr -CA C:\myCerts\myCA.crt -CAkey C:\myCerts\myCA.key -set_serial 01 -out C:\myCerts\myServer.crt

5. Step: Create an empty Domino KYR File

Open a Command prompt and go to your Notes program directory and run the kyrtool

kyrtool  create -k C:\myCerts\myServer.kyr -p yourPassword

Once run you should have a myServer.kyr and myServer.sth stash file.

6. Step: Merge your key and certificate chain into the a single TXT file

We need a single text file that contains:

- the myServer.key - we generated in step 3.1,
- the myServer.crt - SSL certificate we created using our CA in step 4.1
- the myCA.crt - root certificate of our CA generated in step 2.2.

Open a Command prompt and go to C:\myCerts directory. The type command will create a single file:

type myServer.key myServer.crt myCA.crt >myServer.txt

Verify the myServer.txt, that it contains all needed Intermediate and Root certificates. In our case we only have one Root certificate.
Switch back to the Notes program directory and run the kyrtool
kyrtool verify

7. Step: Merge TXT file with your certificate chain into the Domino KYR file

kyrtool import all -k c:\myCerts\myServer.kyr -i c:\myCerts\myServer.txt

8. Step: Validate your KYR-File

kyrtool show keys -k c:\myCerts\myServer.kyr  

kyrtool show certs -k c:\myCerts\myServer.kyr

9. Step: Copy the myServer.kyr AND myServer.sth to your Domino Data directory

10. Step: Deploy the public key of your Root Certificate myCA.crt generated in 2.2.

The public key of your Root CA (myCA.crt) must be added to the known Trusted Root Certificates of the device.
Use your exitsting Windows PC management or your Mobile Device Management system to deploy the myCA.crt file.  

11. Step: Check that the correct KYR file is configured in your Domino Server or Website document

Image:Creating a Self-Signed Server certificate based on your own Root CA

12. Step: Restart your Domino HTTP Task

You should know, how to do that :-)


1Tom  08/20/2015 7:24:33 PM  Creating a Self-Signed Server certificate based on your own Root CA


I've generated the certificate according to your instructions but in Chrome I get ERR_CERT_INVALID. Is there any way I can bypass this without pushing myCA.crt to workstation?

Cheers and good work!

2Tom  08/20/2015 7:36:24 PM  Creating a Self-Signed Server certificate based on your own Root CA

Also I got this error when doing kyrtool show certs:

[1834:0002-1BEC] Thread=[1834:0002-1BEC]

[1834:0002-1BEC] Stack base=0x00A7DFA0, Stack size = 9480 bytes

[1834:0002-1BEC] PANIC: LookupHandle: handle out of range

Is this could be the cause?

3Detlev Poettgen  08/21/2015 7:25:24 AM  Creating a Self-Signed Server certificate based on your own Root CA

If you are using your own CA you should deploy your Root certificate (myCA.crt) to the clients in advanced.

So it will only be an option, if you are able to destribute it by an MDM or desktop management system.

Otherwise using an official trust center like Thawte, Verisign,... would be the better way.

4Detlev Poettgen  08/21/2015 7:30:09 AM  Creating a Self-Signed Server certificate based on your own Root CA

Which Notes client version are you using? My be the latest Fixpack is missing, because KYRTOOL needs a never version of the Notes/Domino security framework, which comes with the latest Notes/Domino 9.0.1 fixpack.

5Tom  08/21/2015 2:03:12 PM  Creating a Self-Signed Server certificate based on your own Root CA

Ok, thank you. I thought it is possible to use self-signed cert with Chrome as it was available with SHA-1. I didn't need to push myCA.crt to clients, they could accept cert by themselves, but for now Chrome is not giving this option, just blocks the website.

Kyrtool - exactly as you written, fix pack did the work.


  • Hinweis zum Datenschutz und Datennutzung:
    Bitte lesen Sie unseren Hinweis zum Datenschutz bevor Sie hier einen Kommentar erstellen.
    Zur Erstellung eines Kommentar werden folgende Daten benötigt:
    - Name
    - Mailadresse
    Der Name kann auch ein Nickname/Pseudonym sein und wird hier auf diesem Blog zu Ihrem Kommentar angezeigt. Die Email-Adresse dient im Fall einer inhaltlichen Unklarheit Ihres Kommentars für persönliche Rückfragen durch mich, Detlev Pöttgen.
    Sowohl Ihr Name als auch Ihre Mailadresse werden nicht für andere Zwecke (Stichwort: Werbung) verwendet und auch nicht an Dritte übermittelt.
    Ihr Kommentar inkl. Ihrer übermittelten Kontaktdaten kann jederzeit auf Ihren Wunsch hin wieder gelöscht werden. Senden Sie in diesem Fall bitte eine Mail an blog(a)poettgen(punkt)eu

  • Note on data protection and data usage:
    Please read our Notes on Data Protection before posting a comment here.
    The following data is required to create a comment:
    - Name
    - Mail address
    The name can also be a nickname/pseudonym and will be displayed here on this blog with your comment. The email address will be used for personal questions by me, Detlev Pöttgen, in the event that the content of your comment is unclear.
    Neither your name nor your e-mail address will be used for any other purposes (like advertising) and will not be passed on to third parties.
    Your comment including your transmitted contact data can be deleted at any time on your request. In this case please send an email to blog(a)poettgen(dot)eu