Thanks Stephen. I was using a key generated outside FIPS mode. Is there any way I can use sha1 as the digest when generating the key outside FIPS mode, so that the same key can be used in FIPS mode and non-FIPS mode?

Thanks in advance,
Rajan

On Wed, Jul 8, 2009 at 8:45 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Wed, Jul 08, 2009, rajanchittil wrote:
>
> >
> > I am also having the same problem. Has anyone got the solution for this ...
> >
> > My configure file has this entry
> >
> > [ req ]
> > default_bits = 2048
> > default_keyfile = $HOME/exampleca/private/cakey.pem
> > default_md = sha1
> > prompt = no
> > distinguished_name = root_ca_distinguished_name
> > x509_extensions = root_ca_extensions
> >
> > [ root_ca_distinguished_name ]
> > commonName = Example CA
> > stateOrProvinceName = Virginia
> > countryName = US
> > emailAddress = c...@exampleca.org
> > organizationName = Root Certification Authority
> >
> > openssl req -newkey rsa:2048 -keyout $HOME/server_req/server_priv_key.pem -keyform PEM -out $HOME/server_req/server_req.pem -outform PEM
> >
> > But when I am trying to display the private key, I am getting this error
> >
> > # openssl rsa -in $HOME/server_req/server_priv_key.pem -pubout -text
> > Enter pass phrase for //server_req/server_priv_key.pem:
> > unable to load Private Key
> > 221296:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
> > 221296:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:337:
> > 221296:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
> >
> > My digest is sha1. Can you please help me?
> >
>
> The digest referred to is the default key derivation algorithm used to encrypt
> private keys which uses MD5.
>
> If the first command was run outside FIPS mode and the second inside FIPS mode
> that is the error. Keys generated outside FIPS mode should not be used inside
> FIPS mode.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org