The more randomness you put into the random number generator,
the better keys you will get.  I've been known to use something
as simple as

(df; date) >RANDFILE

the theory being that it is hard to predict the exact amount
of free file space on (random date in the past) and that the
output of date is always changing, but clearly one could do
better.  You might also investigate the possibility of
patches to your operating system to implement /dev/random
which uses things like Ethernet packet arrival times to
generate random numbers.  I know there is a patch for
Solaris, we are using it.  Linux has it built in.

Ronan wrote:



I'd suggest you use the CA.pl script instead. That should make things much
easier.



I have a CSR (in PEM format (by default)) and a key.

I want to sign the CSR with my domain's root CA.

I then want to change it to PKCS12 format.

Finally I want to install it onto an Active Directory (Win 2000 Advanced) machine so I can SSL to the AD.

Using the CA.pl and my current key and CSR:

copy mycsr.csr to newreq.pem and run

# /home/local/ssl/misc/CA.pl -sign
Signed certificate is in newcert.pem

.... it's not, there is no newcert.pem

Is this what I'm after?

/usr/local/ssl/bin/openssl x509 -req -in ./CSR.csr -CA ./cacert.pem -CAkey ./private/cakey.pem -CAserial ./serial -out ./signedcert.pem

Well, it does output signedcert.pem, but it gives me this message:

unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).
Signature ok

I'm in csh atm

Is this a problem...??

help!



Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]



-- Charles B (Ben) Cranston mailto: [EMAIL PROTECTED] http://www.wam.umd.edu/~zben
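
The procedure discussed in this thread (seed RANDFILE, sign the CSR with the CA, convert to PKCS#12), as an added example that is not from any poster or from the OpenSSL project. It assumes an `openssl` binary on the PATH and a readable /dev/urandom; the CA, host name, file names and export password are constructed placeholders. Current OpenSSL builds seed themselves from the OS, so the RANDFILE step matters mainly for old builds like the one that printed the warning above.

```shell
#!/bin/sh
# Added example: throwaway CA, key and CSR are generated here so the script
# runs offline. All names and the password are constructed placeholders.

# $1 = empty working directory. Prints the subject of the exported cert.
# The body runs in a subshell so cd and exit do not affect the caller.
sign_and_export() (
    cd "$1" || exit 1

    # Seed file taken from the kernel CSPRNG rather than (df; date),
    # created with owner-only permissions.
    RANDFILE=$PWD/.rnd
    export RANDFILE
    ( umask 077 && dd if=/dev/urandom of="$RANDFILE" bs=256 count=1 2>/dev/null ) || exit 1

    # Stand-ins for the poster's cacert.pem/cakey.pem and CSR.csr plus key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ad.example.test" \
        -keyout server.key -out CSR.csr 2>/dev/null || exit 1

    # Step 1: sign the CSR with the CA. -CAcreateserial stands in for the
    # thread's -CAserial ./serial because no serial file exists yet.
    openssl x509 -req -in CSR.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -days 30 -out signedcert.pem 2>/dev/null || exit 1

    # Confirm the new certificate chains to the CA before using it.
    openssl verify -CAfile cacert.pem signedcert.pem >/dev/null || exit 1

    # Step 2: bundle certificate, private key and CA certificate as PKCS#12.
    openssl pkcs12 -export -in signedcert.pem -inkey server.key \
        -certfile cacert.pem -name "ad.example.test" \
        -passout pass:changeit -out server.p12 || exit 1

    # Read the bundle back to confirm it opens and holds the expected cert.
    openssl pkcs12 -in server.p12 -passin pass:changeit -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject
)
```

In csh the seed file is selected with `setenv RANDFILE /path/to/.rnd` instead of the `export` form used here.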
