
Importing certificate to a keyring


Using a new utility, kyrtool, I've been trying to create a keyring and import a particular domain certificate into it.

Certificate has been issued by RapidSSL. It's an SHA2 certificate issued for "*.domain.tld".

First of all I've created a new keyring file:

kyrtool create -k C:\path\keyring.kyr -p password

Then I've converted my pfx certificate to pem in openssl:

openssl pkcs12 -in certificate.pfx -out certificate.pem

Then I've tried to import my PEM into the new keyring:

kyrtool import all -i certificate.pem -k C:\path\keyring.kyr -v

And an error occurred:

Using keyring path 'C:\path\keyring.kyr'
No private key found in the input file
ReadPEMPrivateKey returned error 0x0495
Invalid arguments

My PEM certificate contains both -----BEGIN RSA PRIVATE KEY----- and -----BEGIN CERTIFICATE----- blocks.

Any idea? Thanks, JiKra


Solution

  • Ok, the problem was the wrong order of the certificate chain in the PEM file. There was a global CA (GeoTrust CA) certificate before the issuer certificate (RapidSSL 256 - G3).

    We've resolved the problem by dividing the whole certificate into four separate PEM files and importing them in the proper order.

    kyrtool import keys
    kyrtool import certs
    kyrtool import roots ...global
    kyrtool import roots ...intermediate
    

    JiKra

    EDIT 1:

    As we realized, the main problem could be with the intermediate certificate of RapidSSL 256 G3, where there was no padding at the end. This certificate ends exactly with 7bit content:

    -----BEGIN CERTIFICATE-----
    MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYT
    AlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVz
    dCBHbG9iYWwgQ0EwHhcNMTQwODI5MjEzOTMyWhcNMjIwNTIwMjEzOTMyWjBH
    MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEgMB4GA1UE
    AxMXUmFwaWRTU0wgU0hBMjU2IENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUA
    A4IBDwAwggEKAoIBAQCvVJvZWF0eLFbG1eh/9H0WA//Qi1rkjqfdVC7UBMBd
    mJyNkA+8EGVf2prWRHzAn7XpSowLBkMEu/SW4ib2YQGRZjEiwzQ0Xz8/kS9E
    X9zHFLYDn4ZLDqP/oIACg8PTH2lS1p1kD8mD5xvEcKyU58Okaiy9uJ5p2L4K
    jxZjWmhxgHsw3hUEv8zTvz5IBVV6s9cQDAP8m/0Ip4yM26eO8R5j3LMBL3+v
    V8M8SKeDaCGnL+enP/C1DPz1hNFTvA5yT2AMQriYrRmIV9cE7Ie/fodOoyH5
    U/02mEiN1vi7SPIpyGTRzFRIU4uvt2UevykzKdkpYEj4/5G8V1jlNS67abZZ
    AgMBAAGjggEdMIIBGTAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrM
    TjAdBgNVHQ4EFgQUw5zz/NNGCDS7zkZ/oHxb8+IIy1kwEgYDVR0TAQH/BAgw
    BgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCigJoYkaHR0
    cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUFBwEB
    BCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMEwGA1UdIARF
    MEMwQQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdl
    b3RydXN0LmNvbS9yZXNvdXJjZXMvY3BzMA0GCSqGSIb3DQEBCwUAA4IBAQCj
    WB7GQzKsrC+TeLfqrlRARy1+eI1Q9vhmrNZPc9ZE768LzFvB9E+aj0l+YK/C
    J8cW8fuTgZCpfO9vfm5FlBaEvexJ8cQO9K8EWYOHDyw7l8NaEpt7BDV7o5Uz
    CHuTcSJCs6nZb0+BkvwHtnm8hEqddwnxxYny8LScVKoSew26T++TGezvfU5h
    o452nFnPjJSxhJf3GrkHuLLGTxN5279PURt/aQ1RKsHWFf83UTRlUfQevjhq
    7A6rvz17OQV79PP7GqHQyH5OZI3NjGFVkP46yl0lD/gdo0p0Vk8aVUBwdSWm
    My66S6VdU5oNMOGNX2Esr8zvsJmhgP8L8mJMcCaY
    -----END CERTIFICATE-----
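
Added example, not part of the original answer and not kyrtool's own logic: a standard-library Python sketch that pulls the PEM blocks out of an openssl pkcs12 export and returns them ordered as private key, leaf, issuer, root, by following each certificate's issuer name to the matching subject name. The function names are hypothetical; it assumes a single leaf and unique subject names in the bundle, and it does not verify signatures.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return the raw DER (issuer, subject) names of an X.509 certificate."""
    _, p, _ = tlv(der, 0)                  # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                  # TBSCertificate SEQUENCE
    fields = []                            # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, p)
        if tag != 0xA0:                    # skip the optional [0] version
            fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def reorder(bundle):
    """Return PEM blocks as: private key(s), leaf, issuer(s), root."""
    keys, certs = [], {}
    for label, body in PEM_RE.findall(bundle):   # text between blocks is ignored
        pem = f"-----BEGIN {label}-----\n{body.strip()}\n-----END {label}-----\n"
        if label.endswith("PRIVATE KEY"):
            keys.append(pem)
        elif label == "CERTIFICATE":
            b64 = "".join(body.split())
            # Re-pad in case trailing '=' was stripped; a multiple of 4 needs none.
            der = base64.b64decode(b64 + "=" * (-len(b64) % 4))
            issuer, subject = names(der)
            certs[subject] = (issuer, pem)
    issued = {iss for sub, (iss, _) in certs.items() if iss != sub}
    leaves = [sub for sub in certs if sub not in issued]
    if len(leaves) != 1:                   # e.g. a missing intermediate
        raise ValueError(f"expected one leaf certificate, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while cur in certs:                    # follow issuer links up to the root
        cur, pem = certs.pop(cur)
        chain.append(pem)
    return keys + chain

if __name__ == "__main__":
    print("".join(reorder(open(sys.argv[1]).read())), end="")
```

Each returned block can be written to its own file for the separate kyrtool import steps described in the answer.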