PRNGd, OpenSSL, self-signed certs: Not enough randomness.

[Randy Bias]

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gentlepeoples,


        I'm sure this question has been asked many times, but unfortunately,
I can't seem to find any very good information on the subject.  I've
looked at openssl sites/FAQs, apache-ssl, and others, but it's just
plain missing.  So, either I'm doing something very dumb or the
information is not readily available. . .

        The situation:

        - Running openssl-0.9.6b, apache-1.3.22+ssl, prngd-0.9.23.
        - Attempting to created self-signed cert for Apache-SSL
          server.
        - prngd is running:

root   569     1  0   Mar 12 ?        0:04 /usr/local/bin/prngd
/var/spool/prngd/pool

        - First two phases of key/cert generation work properly:

openssl req -config bs-ssleay.cnf -passout pass:ignore -new -x509 >
/tmp/new.csr
openssl rsa -passin pass:ignore -in privkey.pem -out cert.key

        - The last phase breaks:

openssl x509 -in /tmp/new.csr -out cert.self -req -signkey cert.key
- -days 365

          with:

unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file
that
'random' data can be kept in (the file will be overwritten).
18594:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:662:Expecting: CERTIFICATE REQUEST


        I've tried various methodologies to specify the RANDFILE and it's
most definitely defined.  I've set it as a temp file, I've pointed it
at the PRNGd socket.  I've tried several other methods as well,
including "openssl rand" or "openssl -rand".  Nothing seems to affect
the error, however.

        Would someone mind terribly clueing me??  Any help appreciated.



Thanks,


- --Randy

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPJDj8iGJH83OL4I4EQJb5ACePyeljuvV9tqRYOggK7nz7aNjht0AoKc/
kNbe74qSdFeujub9xHoprs6M
=5bjI
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]