On Thu, Mar 14, 2002 at 09:53:22AM -0800, Randy Bias wrote:
> The situation:
>
> - Running openssl-0.9.6b, apache-1.3.22+ssl, prngd-0.9.23.
> - Attempting to create self-signed cert for Apache-SSL
>   server.
> - prngd is running:
>
>   root 569 1 0 Mar 12 ? 0:04 /usr/local/bin/prngd
>   /var/spool/prngd/pool
>
> - First two phases of key/cert generation work properly:
>
>   openssl req -config bs-ssleay.cnf -passout pass:ignore -new -x509 > /tmp/new.csr
>   openssl rsa -passin pass:ignore -in privkey.pem -out cert.key
>
> - The last phase breaks:
>
>   openssl x509 -in /tmp/new.csr -out cert.self -req -signkey cert.key
>   - -days 365
>
> with:
>
> unable to load 'random state'
> This means that the random number generator has not been seeded
> with much random data.
> Consider setting the RANDFILE environment variable to point at a file
> that
> 'random' data can be kept in (the file will be overwritten).
> 18594:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:662:Expecting: CERTIFICATE REQUEST
>
>
> I've tried various methodologies to specify the RANDFILE and it's
> most definitely defined. I've set it as a temp file, I've pointed it
> at the PRNGd socket. I've tried several other methods as well,
> including "openssl rand" or "openssl -rand". Nothing seems to affect
> the error, however.

You have been fooled, and to be fair, it also took me a moment to see what
is really going on...

The error you are seeing has nothing to do with a PRNG problem. I was at
first also fooled by your analysis, and I have seen that the "x509" command
does not support the "-rand" option. Then I asked myself, why would random
numbers be needed in x509 anyhow?

Now to answer your question: your real problem is:

> 18594:error:0906D06C:PEM routines:PEM_read_bio:no start
> line:pem_lib.c:662:Expecting: CERTIFICATE REQUEST

openssl x509 complains that it cannot recognize the input as a certificate
request. (-req instructs it to expect a certificate request.)
However, you already generated an x509 certificate instead of a certificate
request by specifying the -x509 option to the "req" command.
/tmp/new.csr should already contain the self-signed certificate.
Use "openssl x509 -in /tmp/new.csr -text" to verify my theory.

Best regards,
    Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                          http://www.openssl.org
User Support Mailing List                [EMAIL PROTECTED]
Automated List Manager                   [EMAIL PROTECTED]
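
The mismatch diagnosed in the reply above (a certificate handed to a command that expects a certificate request) can be caught before `openssl x509 -req` runs by reading the PEM start line. This is an added example, not part of the original thread; the function names `pem_kind`, `check_x509_req_input` and `write_samples` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM file by its start line.

# pem_kind FILE -> certificate | request | private-key | unknown
pem_kind() {
    # PEM readers skip any text before the first "-----BEGIN <LABEL>-----" line.
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$label" in
        "CERTIFICATE"|"X509 CERTIFICATE"|"TRUSTED CERTIFICATE") echo certificate ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo request ;;
        *"PRIVATE KEY") echo private-key ;;
        *) echo unknown ;;
    esac
}

# check_x509_req_input FILE: succeed only if FILE is what "openssl x509 -req" expects.
check_x509_req_input() {
    kind=$(pem_kind "$1")
    [ "$kind" = request ] && return 0
    echo "$1: found '$kind', but x509 -req expects a CERTIFICATE REQUEST" >&2
    if [ "$kind" = certificate ]; then
        echo "hint: already a certificate (was 'req' run with -x509?)" >&2
    fi
    return 1
}

# write_samples DIR: constructed inputs; the base64 bodies are placeholders, not real DER.
write_samples() {
    printf '%s\n' 'Certificate:' '    Data:' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/new.csr"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE REQUEST-----' > "$1/real.csr"
    printf '%s\n' 'not PEM at all' > "$1/garbage.txt"
}

# Demo: new.csr mimics the thread's file, a certificate despite its name.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in new.csr real.csr garbage.txt; do
    printf '%s -> %s\n' "$f" "$(pem_kind "$demo_dir/$f")"
done
check_x509_req_input "$demo_dir/new.csr" || echo "refusing to run x509 -req on new.csr"
rm -rf "$demo_dir"
```

The check relies only on the file's contents, so a misleading extension such as `.csr` does not affect the result.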