About two years ago, our Network (as well as Domino) administrator left the company after 10 years. The other day our SSL certificate for one of our websites expired, and we wanted to use a newer wildcard certificate instead of a server-specific certificate.
The problem was that we did not have the password for the keyring file (keyfile.kyr) used on the server. Either the admin did not document it (which does not sound like him), or the document with the password was lost or we could not find it.
So what to do? We thought about creating a new keyfile and starting over, but these days the certificate authorities (like Verisign, Thawte and Go Daddy) use 4096-bit SHA2 certificates as root certificates, which IBM Domino does not support (and does not plan to support). The recommended solution is to use the IBM HTTP server as a proxy in front of the Domino HTTP server, since that one supports SHA2. We could not go this way right away (we probably will do it eventually, though), as we just needed the SSL certificate up and running on the server right away.
Our administrator came up with a way to get the password for the keyfile, assuming that you have the corresponding .sth file (which we fortunately had). The instructions are below, in case anyone needs them in the future.
To recover a Lotus Domino keyring password you need a Lotus Domino server to which you have admin access and the *.sth file that matches the *.kyr file. If you have both, you can perform the following steps:
Bring down the HTTP task via:
tell http quit
Open the Domino console and enter:
set config DEBUG_SSL_ALL=3
set config SSL_TRACE_KEYFILEREAD=1
If you now bring back your HTTP task via:
load http
you should see lines similar to:
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is xxxxxxxxxxx
You now have the password. You can now simply restart the server to remove the temporary notes.ini settings.
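A follow-up check, added here as an example and not part of the original post: it confirms that the two debug settings are gone from notes.ini and redacts the recovered password from any saved console output. The function names, the choice to treat a value of 0 as "off", and the sample file contents are assumptions made for this example.

```python
import re

# Debug settings named in the procedure above; while set, every HTTP start
# writes the keyring password to the console in clear text.
DEBUG_KEYS = ("DEBUG_SSL_ALL", "SSL_TRACE_KEYFILEREAD")
# Log line format as shown on this page; matched anywhere in the line so a
# timestamp or thread prefix does not hide it.
PASSWORD_LINE = re.compile(r"(ReadKeyfile>\s*Password is\s+)(\S.*)$")


def leftover_debug_settings(notes_ini_text):
    """Return {KEY: value} for debug settings still active in notes.ini text."""
    found = {}
    for line in notes_ini_text.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip().upper(), value.strip()
        # Assumption: an empty value or 0 means the setting is switched off.
        if sep and key in DEBUG_KEYS and value not in ("", "0"):
            found[key] = value
    return found


def redact_log(log_text):
    """Return (redacted_text, line_numbers) for lines exposing the password."""
    hits, out = [], []
    for number, line in enumerate(log_text.splitlines(), start=1):
        redacted, count = PASSWORD_LINE.subn(r"\1[REDACTED]", line)
        if count:
            hits.append(number)
        out.append(redacted)
    return "\n".join(out), hits


# Constructed sample input (not taken from a real server).
SAMPLE_INI = "[Notes]\nServerTasks=Update,HTTP\nDEBUG_SSL_ALL=3\nSSL_TRACE_KEYFILEREAD=1\n"
SAMPLE_LOG = (
    "HTTP Server: Started\n"
    "ReadKeyfile> Recovering password from stash file\n"
    "ReadKeyfile> Password is ExamplePassw0rd\n"
)

if __name__ == "__main__":
    print("debug settings still set:", leftover_debug_settings(SAMPLE_INI))
    cleaned, lines = redact_log(SAMPLE_LOG)
    print("password exposed on log lines:", lines)
    print(cleaned)
```

Feed it the text of the server's notes.ini and of any console log saved while the debug settings were active.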