Recover your Domino SSL Keystore password
Thomas Hampel
27 February 2013In a situation where an you need to verify the contents of a Domino SSL Key ring file (*.kyr) its very useful to know the password to that key ring.
Unfortunately thats not always the case, e.g. when inheriting a server for which no documentation exists, or in simple terms when you forgot the password.
In order to recover the password in clear text, just enable the debug parameter SSL_TRACE_KEYFILEREAD=1 in the Notes.ini
To avoid any impact to production, you might want to do this in an isolated environment like a fresh installed Domino server or a test server you already have.
So this is what you have to do:
- Install a new isolated Domino server (or use a test server of your choice)
- Copy the *.kyr + *.sth file from the production server to the new server
- Configure the HTTP task to make use of this key ring file, by updating the server document/internet ports, or by updating the internet site / security configuration.
- Enable the Notes.ini parameter by typing this command at the server's console
set config SSL_TRACE_KEYFILEREAD=1 - Restart the HTTP task
tell http restart - Watch the console to obtain the password in plain text:
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for trusted roots
ReadKeyfile> Found trusted roots
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for cert chain
ReadKeyfile> Got cert chain
ReadKeyfile> Exit status = 0
ReadKeyfile> Recovering password from stash file
ReadKeyfile> Password is ABCDEFGH
ReadKeyfile> Reading keyfile /opt/IBM/notesdata/keyfile.kyr
ReadKeyfile> Looking for private key
ReadKeyfile> Decoding keys
ReadKeyfile> Keys decoded
ReadKeyfile> Exit status = 0
HTTP Server: Using Internet Site Configuration View
Now you can use the Domino Server Certificate Authority application to take a closer look into the *.kyr file.