On Wed, Sep 20, 2006 at 03:33:18PM -0500, Jeanna Geier wrote:
> Hopefully someone here has some OpenSSL expertise and can help me with a
> problem I'm running into...

[...]

> So, I changed to the openssl-0.9.8c directory to build my keyfile and
> certificate and am having no luck and could really use someone's
> expertise!! When I enter the command line option to generate the keyfile,
> it says it's generating the file, but it just hangs there.... I've left it
> running, but it doesn't complete, it only outputs the two lines with
> '.......++++++' and stops:
>
> $ openssl genrsa -des3 -out server.key 2048
> Loading 'screen' into random state - done
> Generating RSA private key, 2048 bit long modulus
> ........................................+++
> ......+++

That command should work; here's what it does on my FreeBSD system:

% openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Your prime number generation appears to have completed but the command
hangs before displaying the encryption exponent. How long did you wait?
The OpenSSL source code has only a few lines between those two actions,
one of which is:

  app_RAND_write_file(NULL, bio_err);

I wonder if that's where the command is hanging. That function generates
cryptographically strong pseudo-random bytes and saves them to a file for
future use, so it's possible that you didn't wait long enough. If your
system doesn't have enough entropy then it might be waiting to gather
more, in which case wiggling the mouse or banging on the keyboard might
help (assuming your system gathers entropy from "random" activity like
interrupts). If not then you could try commenting out that line (line 264)
in apps/genrsa.c, then rebuild and reinstall OpenSSL.

That's not a good solution but if key generation completes after making
that change then at least you'd have pinpointed the problem.

Incidentally, if you encrypt the private key (as you're doing with the
-des3 option) then the postmaster will prompt for the password every time
it starts. That'll prevent the postmaster from starting unattended.

-- 
Michael Fuhr
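The following script is an added example, not part of the mail above and not code from OpenSSL or PostgreSQL. It ties together the two points the reply makes: it runs `openssl genrsa` under a timeout so an entropy stall shows up as a reported failure instead of an indefinite hang, reports the kernel's entropy estimate first (the `/proc/sys/kernel/random/entropy_avail` path is Linux-specific and is an assumption here; other systems expose nothing comparable or use a different path), and writes the key unencrypted with owner-only permissions so a server such as the postmaster can start unattended. The function names `entropy_avail` and `gen_key`, the output file name and the timeout values are all chosen for this example.

```shell
#!/bin/sh
# Added example: diagnose an entropy stall in RSA key generation and
# produce a server key that does not need a pass phrase at start-up.

# Print the kernel's estimate of available entropy bits (Linux path,
# assumed here), or "unknown" on systems that do not expose it.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# gen_key OUTFILE [BITS] [TIMEOUT_SECONDS]
# Generates an unencrypted RSA private key with owner-only permissions,
# kills genrsa if it has not finished within TIMEOUT_SECONDS (the symptom
# described in the mail), and verifies the result with "openssl rsa -check".
# Prints exactly one word: ok, timeout or failed.
gen_key() {
    out=$1
    bits=${2:-2048}
    limit=${3:-60}

    # Create the file with mode 0600 from the start rather than chmod-ing
    # afterwards, so there is no window where the key is world-readable.
    old_umask=$(umask)
    umask 077
    openssl genrsa -out "$out" "$bits" >/dev/null 2>&1 &
    pid=$!
    umask "$old_umask"

    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$limit" ]; then
            # genrsa is still running after the deadline: treat it as the
            # hang the mail describes instead of waiting forever.
            kill "$pid" 2>/dev/null
            echo timeout
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # The child has exited; collect its status.
    wait "$pid" || { echo failed; return 1; }

    # Sanity-check the key before handing it to a server.
    openssl rsa -in "$out" -check -noout >/dev/null 2>&1 \
        || { echo failed; return 1; }
    echo ok
}
```

Usage: source the file and call `gen_key server.key 2048 60`; print `entropy_avail` first if the result is `timeout`, since a very low value on a headless machine points at the entropy pool rather than at OpenSSL itself. The key is deliberately left unencrypted, so the file permissions (0600, owned by the server's own account) are what protect it.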