No longer able to generate certificates with genkey after latest 6.4 update

General support questions
Post Reply
PatP
Posts: 4
Joined: 2013/03/11 16:21:44

No longer able to generate certificates with genkey after latest 6.4 update

Post by PatP » 2013/03/11 16:48:06

Is anyone else having this problem? After updating a 6.3 system with the latest 6.4 updates,
keyutil (which is run by genkey) is getting a segmentation violation when generating a
self-signed certificate. I have used VMware snapshots to repeatedly test this on a 6.3 system
(last updated in January) and a 6.4 system with the most current updates.

Below is the output from the certificate generation attempts; the first is the successful attempt
on Centos 6.3, and the second is the unsuccessful attempt after updating to Centos 6.4:

-------------------------- Successful Attempt on Centos 6.3 -----------------------------------------------------

[root@vm0 tls]# genkey --days 375 test.server.com
/usr/bin/keyutil -c makecert -g 1024 -s "CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA" -v 12 -a -z /etc/pki/tls/.rand.2721 -o /etc/pki/tls/certs/test.server.com.crt -k /etc/pki/tls/private/test.server.com.key
cmdstr: makecert

cmd_CreateNewCert
command: makecert
keysize = 1024 bits
subject = CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA
valid for 12 months
random seed from /etc/pki/tls/.rand.2721
output will be written to /etc/pki/tls/certs/test.server.com.crt
output key written to /etc/pki/tls/private/test.server.com.key


Generating key. This may take a few moments...

Made a key
Opened tmprequest for writing
(null) Copying the cert pointer
Created a certificate
Wrote 882 bytes of encoded data to /etc/pki/tls/private/test.server.com.key
Wrote the key to:
/etc/pki/tls/private/test.server.com.key

-------------------------- Unsuccessful Attempt on Centos 6.4 -----------------------------------------------------

[root@vm0 tls]# genkey --days 375 test.server.com
/usr/bin/keyutil -c makecert -g 1024 -s "CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA" -v 12 -a -z /etc/pki/tls/.rand.1296 -o /etc/pki/tls/certs/test.server.com.crt -k /etc/pki/tls/private/test.server.com.key
cmdstr: makecert

cmd_CreateNewCert
command: makecert
keysize = 1024 bits
subject = CN=test.server.com, O=Network Innovations, L=Calgary, ST=Alberta, C=CA
valid for 12 months
random seed from /etc/pki/tls/.rand.1296
output will be written to /etc/pki/tls/certs/test.server.com.crt
output key written to /etc/pki/tls/private/test.server.com.key


Generating key. This may take a few moments...

Made a key
Opened tmprequest for writing
(null): bad certificate request
: error -8016

-------------------------------------------------------------------------------------------------------------

The crash report is indicating that keyutil is getting a segmentation violation. No key file
is written, but a zero length certificate file is created before the crash.

So I'm wondering if this problem is just on my system(s), or is it occurring for others?

Thanks,

Pat

codybuell
Posts: 1
Joined: 2013/04/08 21:58:28

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by codybuell » 2013/04/08 22:01:40

Having the same issue after an upgrade to 6.4. Found any workarounds?

User avatar
toracat
Forum Moderator
Posts: 7439
Joined: 2006/09/03 16:37:24
Location: California, US
Contact:

No longer able to generate certificates with genkey after la

Post by toracat » 2013/04/09 00:02:46

See this [url=https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes]NSS_3.14_release_notes[/url].

[quote]
Support for certificate signatures using the MD5 hash algorithm is now disabled by default.
[/quote]

Then in the "Changes in NSS 3.14" section:

[quote]
Certificate signatures that make use of the MD5 hash algorithm will now be rejected by default. Support for MD5 may be manually enabled (but is discouraged) by setting the environment variable of "NSS_HASH_ALG_SUPPORT=+MD5" or by using the NSS_SetAlgorithmPolicy function. Note that SSL cipher suites with "MD5" in their names are NOT disabled by this change; those cipher suites use HMAC-MD5, not plain MD5, and are still considered safe.
[/quote]

PatP
Posts: 4
Joined: 2013/03/11 16:21:44

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by PatP » 2013/04/09 15:44:43

Thanks very much for this information. I was beginning to wonder whether this issue was going to be resolved.
Due to the discouraged use of the work-around, I should probably find an alternative (yet simple) way to generate
self-signed certificate and key files for use with the Apache web server.

User avatar
toracat
Forum Moderator
Posts: 7439
Joined: 2006/09/03 16:37:24
Location: California, US
Contact:

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by toracat » 2013/04/09 16:52:45

Use openssl ?

sblantipodi
Posts: 252
Joined: 2009/07/10 09:43:13
Contact:

Re: No longer able to generate certificates with genkey after latest 6.4 update

Post by sblantipodi » 2013/05/27 15:21:09

if we can't use genkey what should we use?
I'm following this guide to generate cert for my mail server, it always worked, how can I do now?
http://wiki.centos.org/HowTos/postfix_sasl

Please help.

Post Reply

Return to “CentOS 6 - General Support”