This appears to be a case of your configuration file being truncated, or your environment otherwise slightly messed up.
The main error is, of course, the "PRNG not seeded" error -- as it says, you need to read the OpenSSL FAQ for information on how to solve it. (It goes into much tried-and-true detail. :)) You should also look to make sure that your configuration file has: unstructuredName_min=(minimum number of characters in unstructuredName) unstructuredName_max=(maximum number of characters in unstructuredName) The [req] section is the one that's used by default for new certificate requests, though it may refer to other sections for the extensions to put into the request. The one that defines unstructuredName is the one that needs to have those two entries in it. (Chances are HP released a security with an updated version of openssl, and some of the semantics changed.) For more in-depth information, you should read req(1ssl), to understand the purpose of the unstructuredName_min and unstructuredName_max errors. You should also read the FAQ, for information on the "PRNG not seeded" error. The RSA_setup_blinding error is triggered by the PRNG not seeded error, and that triggers the RSA_EAY_PRIVATE_ENCRYPT internal error. Then, because the private-key encryption fails, the ASN1_item_sign error fails (because the ASN.1 object isn't generated properly, to be able to be signed). The practical upshot of this is, the last 4 errors you're seeing will all be fixed by resolving the "PRNG not seeded" problem. I hope this helps! -Kyle H On Wed, May 7, 2008 at 1:57 PM, Nelson, Robert D. <[EMAIL PROTECTED]> wrote: > Hi: > > I'm running OpenSSL 0.9.8d on an HP-UX 11 box. In the past I've been > able to generate CSRs and keys via the command line with no trouble. > However, today I generated a key just fine, but when I tried to generate > the CSR it failed. I'm not aware of anything having been changed since > the last CSR I generated (July 2007), but I'm not the administrator of > this box so I wouldn't be privy to all changes. > > The command I run is... > > --- SNIP --- > ../../bin/openssl req -new -config /opt/prodhpws/webmin/acl/openssl.cnf > -key ../ssl.key/my-new-key.key -out my-new-csr.csr > --- SNIP --- > > It asks me the standard questions, and then when it's done I get this > error... > > --- SNIP --- > 28862:error:0E06D06C:configuration file routines:NCONF_get_string:no > value:conf_lib.c:328:group=req_attributes name=unstructuredName_min > > 28862:error:0E06D06C:configuration file routines:NCONF_get_string:no > value:conf_lib.c:328:group=req_attributes name=unstructuredName_max > > 28862:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not > seeded:md_rand.c:503:You need to read the OpenSSL FAQ, > http://www.openssl.org/support/faq.html > > 28862:error:04088003:rsa routines:RSA_setup_blinding:BN > lib:rsa_lib.c:407: > > 28862:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal > error:rsa_eay.c:409: > > 28862:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP > lib:a_sign.c:276: > --- SNIP --- > > I'm not even sure where to start debugging this! > > TIA. > > ~ Robert > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
