note: The original title of this posting was "Go Daddy Certificates & KYRTOOL (SSL Error: No local certificate, key ring file) - SOLVED" but wanted to use a better descriptor.
I'm hoping these instructions will assist someone else. I spent hours and hours attempting to make this work. Now I can handle it in under 5 minutes!
1. Steps 1 and 2 (per the IBM document) remain the same. Use OpenSSL to generate your 4096-bit RSA key pair with the command "openssl genrsa -out servername.key 4096" (no quotes), then generate the CSR you will submit to Go Daddy for your server certificate with "openssl req -new -sha256 -key servername.key -out servername.csr" (again, no quotes). Keep servername.key private: it is the server's private key, and anyone who obtains it can impersonate the server. I recommend placing all files (*.key, *.csr, *.kyr, *.crt...) in a single folder to work in; it makes step #3 easier. Once the CSR is generated, open it in Notepad, CTRL-A to select all and CTRL-C to copy, then paste it into your third-party CA's (e.g. Go Daddy) re-key field, or the new key field if a certificate was never issued.
***If using OpenSSL for Windows, don't attempt the cat command from IBM's documentation (just open the files in Notepad and paste them together). The commands are run from the "bin" sub-directory. By default the program is installed to C:\OpenSSL-Win32, so the executables are run from C:\OpenSSL-Win32\bin\.
2. Once the certificate is issued, download your server's certificate, then access the Go Daddy Certificate Repository to download the root (e.g. gdroot-g2.crt) and intermediate (e.g. gdig2.crt) certificates.
3. Create a new text file (e.g. servername.txt) that concatenates everything into one file to import. Paste the contents of the *.key file (the RSA private key) first, followed by the server's certificate, then the intermediate, then the root certificate, each PEM block complete with its BEGIN/END lines. kyrtool walks the chain from the server certificate upward, so if the order isn't correct you will encounter mismatches (e.g. IssuerName/SubjectName...). Note that this text file now contains your private key: protect it like the *.key file and delete it once the import has been verified.
4. Download KYRTOOL (see IBM documentation) and generate the keyring file with "kyrtool =notes.ini create -k C:\KYR\servername.kyr -p password". Here =notes.ini is the path to the notes.ini of the Notes or Domino installation you run kyrtool from (IBM's examples use =c:\lotus\notes\notes.ini), and the password protects the keyring; kyrtool also writes the matching servername.sth stash file so the server can open the keyring without prompting.
5. Time to import all keys and certificates from the single text file (from step #3) into your keyring file. The command "kyrtool =notes.ini import all -k c:\KYR\servername.kyr -i c:\KYR\servername.txt" handles it all.
6. Run "kyrtool =notes.ini verify C:\KYR\servername.txt" against the text file (it also works before the import, so you can catch ordering mistakes early). If everything is in order you should see output similar to the following:
Successfully read 4096 bit RSA private key
INFO: Successfully read 3 certificates
INFO: Private key matches leaf certificate
INFO: IssuerName of cert 0 matches the SubjectName of cert 1
INFO: IssuerName of cert 1 matches the SubjectName of cert 2
INFO: Final certificate in chain is self-signed
7. If all looks 100% (as in step #6), copy your servername.kyr and servername.sth files to your server's data directory, make sure the Server document (or Internet Site document) names servername.kyr as the key file, and restart the HTTP task ("tell http restart" at the console).
***The same process, possibly minus the intermediate certificate (the number depends on the CA), should also work for other CAs. Many CAs still publish root and intermediate bundles (or individual certificates in their repositories) that are only SHA-1 signed. I intentionally downloaded the G2 versions of the root and intermediate certificates (e.g. from Go Daddy) that carry SHA-2 signatures; otherwise your chain is essentially not 100% SHA-2. Even with these SHA-2 certificates you may still see SHA-1 listed as the Thumbprint Algorithm: the thumbprint is only the hash the certificate viewer computes over the certificate for display, not the certificate's signature. Check the Signature Algorithm field instead; these certificates are signed with SHA-2 and will pass the checks (e.g. Google Chrome's SHA-1 check). Browsers do not validate the signature on the self-signed root itself, so it is the server and intermediate signatures that matter most.
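The following script is an added example, not part of the original post or of IBM's documentation. It performs steps 1 and 3 above with OpenSSL (the same commands work in OpenSSL for Windows), builds the single text file in the order kyrtool expects, and then checks that file the way "kyrtool verify" reports it (key matches cert 0, IssuerName of cert i matches SubjectName of cert i+1, last cert self-signed), plus a cryptographic "openssl verify" and the Signature Algorithm of each certificate. It assumes "openssl" (1.1.1 or 3.x) is on PATH. The CA chain it builds is a constructed throwaway chain so it runs offline; the file names mirror the post (gdroot-g2.crt, gdig2.crt, servername.*), but nothing here is a Go Daddy certificate, and kyrtool itself is never invoked.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the single PEM text file
# that "kyrtool import all" reads (private key, server cert, intermediate,
# root, in that order) and checks it with OpenSSL before the keyring is
# touched. Assumes "openssl" (1.1.1 or 3.x) is on PATH. The chain below is a
# constructed throwaway chain; nothing here is a Go Daddy certificate.

WORK="${WORK:-$(mktemp -d)}"

# Sign a CSR. Empty ca_cert means self-sign (the root). CA certs get
# basicConstraints=CA:TRUE, which "openssl verify" insists on for issuers.
issue_cert() { # csr key ca_cert ca_key out is_ca
  ext="$WORK/ext.$$"
  if [ "$6" = yes ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$ext"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$ext"
  fi
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1" -signkey "$2" -days 30 -sha256 -extfile "$ext" -out "$5" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial -days 30 -sha256 \
      -extfile "$ext" -out "$5" 2>/dev/null
  fi
}

# Step 1 of the post: RSA key plus CSR (2048 bits here only to keep it fast).
make_key_and_csr() { # name common_name
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Throwaway chain: root (self-signed) -> intermediate -> server.
make_test_chain() {
  make_key_and_csr root "Test Root G2"
  issue_cert "$WORK/root.csr" "$WORK/root.key" "" "" "$WORK/gdroot-g2.crt" yes
  make_key_and_csr inter "Test Intermediate G2"
  issue_cert "$WORK/inter.csr" "$WORK/inter.key" "$WORK/gdroot-g2.crt" "$WORK/root.key" "$WORK/gdig2.crt" yes
  make_key_and_csr servername "domino.example.com"
  issue_cert "$WORK/servername.csr" "$WORK/servername.key" "$WORK/gdig2.crt" "$WORK/inter.key" "$WORK/servername.crt" no
}

# Step 3 of the post: concatenate the PEM files in the given order.
make_bundle() { out="$1"; shift; cat "$@" > "$out"; }

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Write each CERTIFICATE block of a bundle to $2/cert0.pem, cert1.pem, ...
split_certs() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; f = sprintf("%s/cert%d.pem", dir, n); n++ }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }' "$1"
}

# "issuer" or "subject" of a certificate in RFC 2253 form, prefix stripped.
name_field() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"; }

# Signature algorithm of a certificate. This field decides whether the chain is
# SHA-2; a viewer's "SHA-1 thumbprint" is only its display hash.
sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Signature Algorithm: //p' | head -n 1; }

# The checks kyrtool verify prints, plus a cryptographic openssl verify.
check_bundle() {
  dir="$WORK/check.$$"; rm -rf "$dir"; mkdir -p "$dir"
  n=$(count_certs "$1"); last=$((n - 1))
  [ "$n" -ge 1 ] || { echo "ERROR: no certificates in $1"; return 1; }
  split_certs "$1" "$dir"
  echo "INFO: read $n certificates"
  openssl pkey -in "$1" -noout 2>/dev/null || { echo "ERROR: no readable private key in $1"; return 1; }
  keypub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
  leafpub=$(openssl x509 -in "$dir/cert0.pem" -pubkey -noout | openssl dgst -sha256)
  [ "$keypub" = "$leafpub" ] || { echo "ERROR: private key does not match leaf certificate"; return 1; }
  echo "INFO: private key matches leaf certificate"
  i=0
  while [ "$i" -lt "$last" ]; do
    if [ "$(name_field "$dir/cert$i.pem" issuer)" != "$(name_field "$dir/cert$((i + 1)).pem" subject)" ]; then
      echo "ERROR: IssuerName of cert $i does not match the SubjectName of cert $((i + 1)) (wrong file order?)"; return 1
    fi
    echo "INFO: IssuerName of cert $i matches the SubjectName of cert $((i + 1))"; i=$((i + 1))
  done
  [ "$(name_field "$dir/cert$last.pem" issuer)" = "$(name_field "$dir/cert$last.pem" subject)" ] \
    || { echo "ERROR: final certificate is not self-signed; the root is missing"; return 1; }
  echo "INFO: final certificate in chain is self-signed"
  untrusted=""
  if [ "$n" -gt 2 ]; then
    i=1; : > "$dir/untrusted.pem"
    while [ "$i" -lt "$last" ]; do cat "$dir/cert$i.pem" >> "$dir/untrusted.pem"; i=$((i + 1)); done
    untrusted="-untrusted $dir/untrusted.pem"
  fi
  openssl verify -CAfile "$dir/cert$last.pem" $untrusted "$dir/cert0.pem" >/dev/null 2>&1 \
    || { echo "ERROR: openssl verify rejected the chain"; return 1; }
  i=0
  while [ "$i" -lt "$n" ]; do echo "INFO: cert $i signature algorithm: $(sig_alg "$dir/cert$i.pem")"; i=$((i + 1)); done
}

make_test_chain
# Correct order from the post, then a bundle with root and intermediate swapped.
make_bundle "$WORK/servername.txt" "$WORK/servername.key" "$WORK/servername.crt" "$WORK/gdig2.crt" "$WORK/gdroot-g2.crt"
make_bundle "$WORK/wrong-order.txt" "$WORK/servername.key" "$WORK/servername.crt" "$WORK/gdroot-g2.crt" "$WORK/gdig2.crt"
echo "== $WORK/servername.txt"; check_bundle "$WORK/servername.txt"
echo "== $WORK/wrong-order.txt"; check_bundle "$WORK/wrong-order.txt" || echo "(rejected, as it should be)"
```

The good bundle prints the same sequence of INFO lines the post shows for kyrtool verify; the swapped one stops at "IssuerName of cert 0 does not match the SubjectName of cert 1", which is the mismatch step #3 warns about. On Windows, "copy /b servername.key+servername.crt+gdig2.crt+gdroot-g2.crt servername.txt" in a cmd window does the same concatenation as make_bundle without Notepad.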
***original posting... before I solved***
Is anyone else using Go Daddy SSL certificates? I'm not having any luck, and Go Daddy has no instructions (or support) for Domino servers, just the competition. I used OpenSSL to generate the RSA key pair and then the CSR. Unfortunately, when you select download certificates the choices are limited to IIS, Apache,... and Other. Before this new method, I was always able to successfully insert the certificates (root/server) using the old method (cert. admin application) but am now running into issues with the new SHA-2 method and KYRTOOL. I don't experience any errors when using the import commands below. I have tried with and without the intermediate certificate (gdig2.crt), as a bundle and manually downloaded from the Go Daddy repository. The link below mentions a root and intermediate, but the information refers to the old method (issued for Domino 5/6) and is generic re: Starfield and Go Daddy. Have I missed any steps? Is a root and intermediate needed, or just root?
When I restart the HTTP task, I get "HTTP Server: SSL Error: No local certificate, key ring file [my.kyr], IP address [xxx.xxx.xxx.xxx]". This certainly sounds no good but I have inserted certificates using the commands below (per online instructions). I'm just hoping it's something simple.
The import commands return what appears to be a success message: "Using keyring path 'c:\KYR\my.kyr' SECIssUpdateKeyringLeafCert succeeded".
kyrtool.exe import roots -i c:\KYR\gdroot-g2.crt -k c:\KYR\my.kyr
kyrtool.exe import roots -i c:\KYR\gdig2.crt -k c:\KYR\my.kyr
kyrtool.exe import certs -i c:\KYR\myserver.crt -k c:\KYR\my.kyr
When running the show certs command below, I get "Certificate, private key or CRL was not found". The show keys command returns "Error 0x0E59 reading keypair from keyfile c:\KYR\my.kyr" and "One possible cause of this failure is that the API used for this command only returns keys if they have a certificate."
kyrtool =notes.ini show keys -k c:\KYR\my.kyr
kyrtool =notes.ini show certs -k c:\KYR\my.kyr
Am I supposed to import the RSA key pair, too? The "Generating a keyring file with a third party CA SHA-2 cert using OpenSSL and kyrtool" posting is a bit confusing. The article talks about importing the RSA key pair and self-signed certificate into the new keyring file in step #5. I'm now wondering whether the step "kyrtool =c:\lotus\notes\notes.ini verify c:\lotus\notes\data\ssl\server.txt" is required before importing the root/server certificates. Would server.txt be server.key (the OpenSSL-generated RSA key pair file), since I'm not using a PEM file? I'll test and update.
Thanks for any assistance. Have a great day. There has always been a serious lack of information re: Go Daddy certificates and Domino. Trial and error isn't my favorite approach. Go Daddy is a major CA so I'm hoping this thread will assist others.