No longer able to generate certificates with genkey after latest 6.4 update

PatP
Posts: 4
Joined: 2013/03/11 16:21:44

No longer able to generate certificates with genkey after latest 6.4 update

Post by PatP » 2013/03/11 16:48:06

Is anyone else having this problem? After updating a 6.3 system with the latest 6.4 updates,
keyutil (which is run by genkey) is getting a segmentation violation when generating a
self-signed certificate. I have used VMware snapshots to repeatedly test this on a 6.3 system
(last updated in January) and a 6.4 system with the most current updates.

Below is the output from the certificate generation attempts; the first is the successful attempt
on CentOS 6.3, and the second is the unsuccessful attempt after updating to CentOS 6.4:

-------------------------- Successful Attempt on CentOS 6.3 -----------------------------------------------------

[root@vm0 tls]# genkey --days 375 test.server.com
/usr/bin/keyutil -c makecert -g 1024 -s "CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA" -v 12 -a -z /etc/pki/tls/.rand.2721 -o /etc/pki/tls/certs/test.server.com.crt -k /etc/pki/tls/private/test.server.com.key
cmdstr: makecert

cmd_CreateNewCert
command: makecert
keysize = 1024 bits
subject = CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA
valid for 12 months
random seed from /etc/pki/tls/.rand.2721
output will be written to /etc/pki/tls/certs/test.server.com.crt
output key written to /etc/pki/tls/private/test.server.com.key


Generating key. This may take a few moments...

Made a key
Opened tmprequest for writing
(null) Copying the cert pointer
Created a certificate
Wrote 882 bytes of encoded data to /etc/pki/tls/private/test.server.com.key
Wrote the key to:
/etc/pki/tls/private/test.server.com.key

-------------------------- Unsuccessful Attempt on CentOS 6.4 -----------------------------------------------------

[root@vm0 tls]# genkey --days 375 test.server.com
/usr/bin/keyutil -c makecert -g 1024 -s "CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA" -v 12 -a -z /etc/pki/tls/.rand.1296 -o /etc/pki/tls/certs/test.server.com.crt -k /etc/pki/tls/private/test.server.com.key
cmdstr: makecert

cmd_CreateNewCert
command: makecert
keysize = 1024 bits
subject = CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA
valid for 12 months
random seed from /etc/pki/tls/.rand.1296
output will be written to /etc/pki/tls/certs/test.server.com.crt
output key written to /etc/pki/tls/private/test.server.com.key


Generating key. This may take a few moments...

Made a key
Opened tmprequest for writing
(null): bad certificate request
: error -8016

-------------------------------------------------------------------------------------------------------------

The crash report is indicating that keyutil is getting a segmentation violation. No key file
is written, but a zero length certificate file is created before the crash.

So I'm wondering if this problem is just on my system(s), or is it occurring for others?

Thanks,

Pat

codybuell
Posts: 1
Joined: 2013/04/08 21:58:28

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by codybuell » 2013/04/08 22:01:40

Having the same issue after an upgrade to 6.4. Found any workarounds?

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

No longer able to generate certificates with genkey after la

Post by toracat » 2013/04/09 00:02:46

See the NSS 3.14 release notes: https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes

[quote]
Support for certificate signatures using the MD5 hash algorithm is now disabled by default.
[/quote]

Then in the "Changes in NSS 3.14" section:

[quote]
Certificate signatures that make use of the MD5 hash algorithm will now be rejected by default. Support for MD5 may be manually enabled (but is discouraged) by setting the environment variable of "NSS_HASH_ALG_SUPPORT=+MD5" or by using the NSS_SetAlgorithmPolicy function. Note that SSL cipher suites with "MD5" in their names are NOT disabled by this change; those cipher suites use HMAC-MD5, not plain MD5, and are still considered safe.
[/quote]

PatP
Posts: 4
Joined: 2013/03/11 16:21:44

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by PatP » 2013/04/09 15:44:43

Thanks very much for this information. I was beginning to wonder whether this issue was going to be resolved.
Due to the discouraged use of the work-around, I should probably find an alternative (yet simple) way to generate
self-signed certificate and key files for use with the Apache web server.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by toracat » 2013/04/09 16:52:45

Use openssl ?
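
Added example, not part of the original thread or of toracat's post: one way to follow the openssl suggestion above, producing a self-signed certificate with a SHA-256 signature and checking that a certificate is not MD5-signed (the case NSS 3.14 rejects by default). The function names, the 2048-bit key size and the scratch directory are assumptions; the subject and validity period are taken from the first post.

```shell
#!/bin/sh
# Added example: function names, key size and scratch paths are assumptions.

# make_selfsigned CRT KEY DAYS SUBJECT
# Writes an unencrypted RSA key and a self-signed cert signed with SHA-256.
make_selfsigned() {
    crt=$1; key=$2; days=$3; subj=$4
    # umask 077 in a subshell: the private key is created owner-only (0600).
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -days "$days" -subj "$subj" \
            -keyout "$key" -out "$crt"
    ) || return 1
    chmod 644 "$crt"
    # The failed genkey run left a zero-length .crt; treat that as failure.
    [ -s "$crt" ] && [ -s "$key" ]
}

# sig_alg CRT: print the certificate's signature algorithm name.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# uses_md5 CRT: succeed if the cert is MD5-signed (rejected by NSS >= 3.14).
uses_md5() {
    case "$(sig_alg "$1")" in
        md5*|MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo in a scratch directory; on CentOS the real targets would be
# /etc/pki/tls/certs/<host>.crt and /etc/pki/tls/private/<host>.key.
demo() {
    tmp=$(mktemp -d) || return 1
    subj="/C=CA/ST=Alberta/L=Calgary/O=Network Innovations/CN=test.server.com"
    make_selfsigned "$tmp/test.server.com.crt" "$tmp/test.server.com.key" \
        375 "$subj" &&
        echo "signature algorithm: $(sig_alg "$tmp/test.server.com.crt")"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo
```

Running `uses_md5` over the certificates a server already has in place shows which of them an NSS 3.14 client or tool will refuse by default.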

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by sblantipodi » 2013/05/27 15:21:09

If we can't use genkey, what should we use?
I'm following this guide to generate a cert for my mail server. It always worked; how can I do it now?
http://wiki.centos.org/HowTos/postfix_sasl

Please help.
