Keymgmt Create

Creates a named encryption key in the server ID file; creates a credential store assigned a named encryption key that is used to encrypt its documents; creates a shared key in a credential store to use to encrypt DAOS objects on multiple servers; or creates a DomainKeys Identified Mail (DKIM) key.

Syntax: Create a named encryption key in the server ID file

keymgmt create nek <nekname> [overwrite]
For example, to create a named encryption key called credstorekey in the server ID file, enter:
keymgmt create nek credstorekey
When creating a named encryption key, if a key with that name already exists on the server ID file and you want to replace it with a new key, use the overwrite argument, for example:
keymgmt create nek credstorekey overwrite
Note: Use the overwrite argument with extreme caution. If you overwrite a key, any data encrypted with the key can never be decrypted.

Syntax: Create a credential store assigned a named encryption key

keymgmt create credstore <nekname>
  • The file name for a credential store is credstore.nsf. It is always generated automatically with this command.
  • There can be only one credential store on a non-clustered server or one per server cluster (replicated) if your organization uses clusters.
For example, to create a credential store on the server whose documents will be encrypted with the named encryption key credstorekey, enter:
keymgmt create credstore credstorekey

Syntax: Create a shared encryption key

To create a shared key in credstore.nsf that is used to encrypt DAOS objects on the servers that use the credential store, enter one of the following commands from the console of any Domino server that uses the credential store:

To use AES-128 encryption:
keymgmt create sharedkey <keyname>
To use AES-256 encryption:
keymgmt create sharedkey <keyname> 256
For example, to create a shared key called MyCluster_AES_128 that uses AES 128-bit encryption, enter:
keymgmt create sharedkey MyCluster_AES_128

Syntax: Create a DKIM key

To create one or more keypairs in a credential store to use for DKIM signing, run the following command from the console of a Domino server that has the credential store:
keymgmt create DKIM <domain> <selector> RSA [<keySize>]
where:
  • <domain> is the name of the Domino Internet domain, for example, renovations.com or sales.renovations.com.
  • <selector> is the name of your choice for the DKIM selector. The selector is specified in the DKIM-Signature header and indicates where the public key portion of the DKIM keypair exists in DNS.
  • <keySize> is the size of the DKIM key in bits: 1024, 2048, or 4096.
For example:
keymgmt create DKIM renovations.com 12345 RSA 2048
A console message similar to the following one indicates the command is successful:
> keymgmt create DKIM renovations.com 12345 RSA 2048
[4F24:0007-2F28] Created DKIM key 12345._domainkey.renovations.com
Note: A DKIM key is enabled by specifying the domain and selector in a server notes.ini setting. Because a notes.ini setting can be at most 255 characters long, this puts a practical limit on the sizes of the domain and selector.

For information on DKIM signing, see Configuring DKIM signing for messages routed to external Internet domains.
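As an added example (not part of the Domino documentation or product), the following Python helper builds the command from the syntax above, derives the DNS name where the public key must be published (the name shown in the console message), and sanity-checks a DKIM TXT record before the key is enabled in notes.ini. The sample TXT record and its p value are constructed placeholders, not a real key.

```python
import re

# Key sizes accepted by "keymgmt create DKIM <domain> <selector> RSA [<keySize>]"
VALID_DKIM_KEY_SIZES = (1024, 2048, 4096)


def dkim_create_command(domain: str, selector: str, key_size: int = 2048) -> str:
    """Build the Domino console command for creating a DKIM keypair."""
    if key_size not in VALID_DKIM_KEY_SIZES:
        raise ValueError(f"keySize must be one of {VALID_DKIM_KEY_SIZES}, got {key_size}")
    if not domain or not selector or "." in selector:
        raise ValueError("domain must be set and selector must be a single DNS label")
    return f"keymgmt create DKIM {domain} {selector} RSA {key_size}"


def dkim_dns_name(domain: str, selector: str) -> str:
    """DNS owner name of the TXT record holding the public key (<selector>._domainkey.<domain>)."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_txt(record: str) -> dict:
    """Split a DKIM TXT record of the form 'tag=value; tag=value' into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    return tags


def check_published_key(record: str) -> list:
    """Return problems found in a published DKIM record; an empty list means it looks usable."""
    tags = parse_dkim_txt(record)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":   # v is optional, but if present it must be DKIM1
        problems.append("v tag is not DKIM1")
    if tags.get("k", "rsa") != "rsa":       # keys created by this command are RSA
        problems.append("k tag is not rsa")
    p = tags.get("p")
    if p is None:
        problems.append("p tag missing")
    elif p == "":
        problems.append("p tag empty (key revoked)")
    elif not re.fullmatch(r"[A-Za-z0-9+/=]+", p):
        problems.append("p tag is not base64")
    return problems


# Constructed sample record; the p value is a base64 placeholder, not a real public key.
SAMPLE_TXT = "v=DKIM1; k=rsa; p=c29tZS1jb25zdHJ1Y3RlZC1wbGFjZWhvbGRlcg=="
```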