Exporting .kyr certificate for Apache[转]

We access our iNotes webmail through a reverse proxy. This reverse proxy is an Apache webserver. To add to this security, all http traffic is redirected to https for obvious reasons. This means that there has to be an SSL certificate on the reverse proxy for that website. But Lotus Domino stores its certificates in keyring files (.kyr extension), which cannot be read by Apache. I had to export the keyring file to a certificate file (.cert) and key file (.key) for Apache.


After searching around a bit, I quickly realised that this wouldn’t be as easy as I initially hoped. There is no built-in feature in Domino to export keyring files to any other format. Even opening the file turned out to be quite a challenge.
After some more searching, I came across a handy little tool from IBM called “iKeyman” (link). This tool is part of IBM HTTP Server and WebSphere. With it, you can open and export keyring files created by Domino. If you don’t have IBM HTTP Server or WebSphere, you can download this utility here.


If you start the tool, you can open the keyring file (you will have to know the password), and then select “Export/import” on the right side.


After that, I stumbled upon the next problem: you can only export to PKCS12 or CMS. These aren’t usable for Apache either, but it’s a start. I exported the file to the PKCS12 format, wich gave me a .p12-file. This file, I could then export to the format I needed with OpenSSL (link). OpenSSL is available for Windows and Linux. I used the following commands on a Linux machine:


openssl pkcs12 -in host.domain.p12 -clcerts -nokeys -out host.domain.cert
openssl pkcs12 -in host.domain.p12 -nocerts -nodes -out host.domain.key

This finally gave me the right files I could load in the Apache configuration.

FROM:http://labs.groupwave.be/index.php/2009/08/31/exporting-kyr-certificate-for-apache/