On 10/2/2012 2:04 PM, Stefan H. Holek wrote:
> Hi All,
>
> Here is something I am not able to figure out, even after checking the FAQ and
> the rand(3) man page:
>
> When using the openssl command line utility, is a private RANDFILE per CA
> required for security reasons, or is it just fine to use a single RANDFILE for
> everything (i.e. the default ~/.rnd)? Older configuration files seem to
> indicate the former, but is this still true?
>
> IOW, I am looking for an answer to whether not having its own RANDFILE degrades
> the security of a CA.
>
> Thank you,
> Stefan

I would say it degrades it, as it makes the randomness used by each CA
less random.
I would also suggest getting a real hardware RNG source and directly or
indirectly feeding it into OpenSSL. These are commercially available
and typically cheap, and they are still not included with most computer
hardware, despite many failed initiatives in the past.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
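
To see which seed files a set of CA configurations actually shares, the RANDFILE settings discussed in this thread can be resolved and compared. The following is an added example, not code from the thread or from the OpenSSL project; the parser covers only a simplified subset of openssl.cnf syntax, and the paths, CA names and HOME value are constructed.

```python
import re
from collections import defaultdict

# $var, ${var} and $ENV::VAR references (simplified subset of openssl.cnf syntax)
VAR = re.compile(r"\$\{?(ENV::)?(\w+)\}?")

def randfiles(cnf_text, env):
    """Return every resolved RANDFILE value set in one openssl.cnf text."""
    sections = defaultdict(dict)
    current, found = "default", []
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))

        def expand(m, sec=current):
            if m.group(1):                      # $ENV::NAME
                return env.get(m.group(2), "")
            # same section first, then the unnamed default section
            return sections[sec].get(m.group(2), sections["default"].get(m.group(2), ""))

        sections[current][name] = VAR.sub(expand, value)
        if name == "RANDFILE":
            found.append(sections[current][name])
    return found

def shared_randfiles(configs, env):
    """Map each RANDFILE path used by more than one CA to the CAs using it."""
    users = defaultdict(set)
    for ca, text in configs.items():
        for path in randfiles(text, env):
            users[path].add(ca)
    return {path: sorted(cas) for path, cas in users.items() if len(cas) > 1}

# Constructed sample configurations (not taken from the thread).
TEMPLATE = """\
RANDFILE = $ENV::HOME/.rnd      # global seed file
[ CA_default ]
dir      = /srv/ca/{name}
RANDFILE = $dir/private/.rand   # per-CA seed file
"""
CONFIGS = {name: TEMPLATE.format(name=name) for name in ("root", "signing")}

if __name__ == "__main__":
    for path, cas in shared_randfiles(CONFIGS, {"HOME": "/home/ca"}).items():
        print(f"{path} is shared by: {', '.join(cas)}")
```

With the sample input, only the global `$ENV::HOME/.rnd` entry is reported as shared; the `$dir/private/.rand` entries resolve to a separate file per CA.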