Generating a keyring file with Kyrtool and strong keys (ECDSA)

Thursday, July 15, 2021 at 9:21 AM UTC

Today I ran into a problem when I tried to create a new keyring file for our HCL Domino server. Before creating the keyring file, I tried to verify the certificate chain on my workstation with Kyrtool 1.1, after I had generated new keys for our website.
We wanted to switch from the aging RSA keys to the current ECDSA keys.
The purpose of the action was to achieve a rating of A or A+ through "SSL Labs".

SSL Labs groupsphere Rating

The certificate chain includes a strong private key (256-bit ECDSA).

Until today I used Kyrtool version 1.1, which I downloaded years ago from IBM, and I thought that this was the latest version of Kyrtool.
Official HCL links offer Kyrtool 1.0.

The verification of my certificate chain generates a failure ...

... and tells me that no private key could be found.

The HCL Domino documentation "Generating a keyring file with a self-signed or third-party certificate" refers to the Knowledge Base article "How to set up SSL using a third-party Certificate Authority (CA) - KB0033348", which includes a download link to Kyrtool 1.0, "Installing and Running the Domino keyring tool".
Although the article is in the Domino 11.0.1 help, it does not discuss current key strengths and unfortunately does not discuss how to handle current key strengths either.

I looked for a newer version and found Kyrtool 1.2, which comes with an HCL Domino 10 / 11 / 12 installation.
Since HCL Domino is 64-bit, I can't use this tool on my HCL Notes 12 32-bit client, but on the server Kyrtool could verify the chain.

I opened a case with HCL to ask for a 32-bit version of Kyrtool 1.2, but I only got a link for Kyrtool 1.0 from HCL.