Problem with Genkey on RHEL 6.4
I am trying to generate a Key/Certificate pair and CSR with genkey for a RHEL version 6.4 server. I have done this for other servers running RHEL 5.* without problems. Those servers used identical data except for different host names.
I ran genkey and entered all the required data and waited for random numbers to be generated and then genkey returned with the following error in the graphical interface:
Unable to create a cert signing request for this host
The following text was displayed on the terminal when the graphical interface exited (I've put placeholders in for (possibly) private data):
# genkey hostname.domain
/usr/bin/keyutil -c genreq -g 2048 -s "CN=hostname.domain, OU=Unit, O=Organization, L=City, ST=State, C=US, CompanyName=Company, Challenge=Phrase" -v 24 -a -o /etc/pki/tls/certs/hostname.domain.0.csr -k /etc/pki/tls/private/hostname.domain.key -z /etc/pki/tls/.rand.7864
cmdstr: genreq
cmd_CertReq
command: genreq
keysize = 2048 bits
subject = CN=hostname.domain, OU=Unit, O=Organization, L=City, ST=State, C=US, CompanyName=Company, Challenge=Phrase
valid for 24 months
output will be written to /etc/pki/tls/certs/hostname.domain.0.csr
output key written to /etc/pki/tls/private/hostname.domain.key
random seed from /etc/pki/tls/.rand.7864
Generating key. This may take a few moments...
(null): [root@mediajoe]#
The system also sent the email to root that is attached. It seems that genkey calls keyutil which crashes. I've searched and have not found any problems like this. I've run genkey many times with different challenge words (and none) and different key sizes. Has anyone seen a problem like this?
Thank you.
Email from root is attached.
Responses
Greetings,
I tried to reproduce the issue; I got a different error, that it was unable to generate the certificate, i.e. the certificate request was generated but the certificate was not.
/usr/bin/keyutil -c genreq -g 512 -s "CN=mail4.example.org, O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB" -v 24 -a -o /etc/pki/tls/certs/mail4.example.org.0.csr -k /etc/pki/tls/private/mail4.example.org.key -z /etc/pki/tls/.rand.17080
cmdstr: genreq
cmd_CertReq
command: genreq
keysize = 512 bits
subject = CN=mail4.example.org, O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB
valid for 24 months
output will be written to /etc/pki/tls/certs/mail4.example.org.0.csr
output key written to /etc/pki/tls/private/mail4.example.org.key
random seed from /etc/pki/tls/.rand.17080
Generating key. This may take a few moments...
Made a key
Opened /etc/pki/tls/certs/mail4.example.org.0.csr for writing
Wrote the CSR to /etc/pki/tls/certs/mail4.example.org.0.csr
Wrote 486 bytes of encoded data to /etc/pki/tls/private/mail4.example.org.key
Wrote the key to:
/etc/pki/tls/private/mail4.example.org.key
/usr/bin/keyutil -c makecert -g 512 -s "CN=mail4.example.org, O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB" -v 1 -a -z /etc/pki/tls/.rand.17080 -o /etc/pki/tls/certs/mail4.example.org.crt -k /etc/pki/tls/private/mail4.example.org.key
cmdstr: makecert
cmd_CreateNewCert
command: makecert
keysize = 512 bits
subject = CN=mail4.example.org, O=My Company Ltd, L=Newbury, ST=Berkshire, C=GB
valid for 1 months
random seed from /etc/pki/tls/.rand.17080
output will be written to /etc/pki/tls/certs/mail4.example.org.crt
output key written to /etc/pki/tls/private/mail4.example.org.key
My suggestion would be to open a ticket with support; to me it looks like a bug. Also, it would be better if you could provide the keyutils version.
Thanks,
Niranjan
@Joseph: Yes I've experienced the same on RHEL 6.2 systems; however, despite being disconcerting, it's never actually prevented me from using the generated CSR. From your terminal output ....
output will be written to /etc/pki/tls/certs/hostname.domain.0.csr
output key written to /etc/pki/tls/private/hostname.domain.key
... it looks like it properly wrote out your CSR and your key. Ignore the fact that it seems to have crashed and use the CSR. It should be fine. I'm at home off the clock at the moment, but maybe next week I can look into seeing if there's an existing bug filed for this (I've never bothered to before since it was only a cosmetic issue I ran into when teaching classes about SSL; personally, I always use openssl for this sort of thing).
No problem Joseph. The command I gave you would actually do it all; however, you might want to remove the -nodes option to encrypt the private key and you might want to change the 4096 to a lower byte-count. Other than that (and the filenames of course) you could pretty much run it as given.
Oh wow awesome Joseph! You're most welcome. I was curious to see if I could find any RH documentation on this (because like you, I know that the Deployment Guide doesn't talk about openssl in this context).... and I found this:
Creating a 'Certificate Signing Request'
It's a bit messy and rambling at the moment; however, it does give multiple options to do what you've already accomplished -- generate a CSR.
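The thread's advice is to use the CSR and key that keyutil wrote before it crashed; the check below confirms that such a pair is complete and consistent before the CSR goes to a CA. It is an added example, not code from any poster or from Red Hat. The function names and sample file names are made up for illustration, and it assumes the OpenSSL command-line tool and an unencrypted PEM private key.

```shell
#!/bin/sh
# Added example: validate a key/CSR pair left behind by a crashed generator.
# Usage with the paths shown in the thread (run as root):
#   check_csr_pair /etc/pki/tls/private/hostname.domain.key \
#                  /etc/pki/tls/certs/hostname.domain.0.csr

# check_csr_pair KEY CSR
# Returns 0 only if both files are complete and belong together:
#   2 = a file is missing or empty
#   3 = CSR does not parse or its self-signature does not verify
#   4 = private key does not parse (or is encrypted)
#   5 = CSR carries a different public key than KEY
check_csr_pair() {
    key=$1
    csr=$2
    # A crash in the middle of a write tends to leave an empty or short file.
    [ -s "$key" ] && [ -s "$csr" ] || return 2
    # The result message is matched instead of relying on the exit status alone.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 3
    # Derive the public half of the private key and compare it to the CSR's.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 3
    [ "$key_pub" = "$csr_pub" ] || return 5
    return 0
}

# make_sample DIR
# Builds constructed test data: a matching key/CSR pair, an unrelated key,
# and a CSR cut off part-way through to imitate an interrupted write.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=hostname.domain" \
        -keyout "$1/host.key" -out "$1/host.csr" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1 &&
    head -c 200 "$1/host.csr" > "$1/truncated.csr"
}

# Demonstration on the constructed data only; nothing under /etc is touched.
demo=$(mktemp -d) && make_sample "$demo" && {
    for pair in "host.key host.csr" "other.key host.csr" "host.key truncated.csr"; do
        set -- $pair
        rc=0
        check_csr_pair "$demo/$1" "$demo/$2" || rc=$?
        echo "$1 + $2 -> exit $rc"
    done
    rm -rf "$demo"
}
```

A non-zero result from `check_csr_pair` on the real files means the pair should be regenerated instead of submitted.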
