OpenSSL A.00.09.08q.001, A.00.09.08q.002, and A.00.09.08q.003 release notes (5900-1560, February 2011)

The Openssl command-line tool
The openssl command-line tool is an interactive tool that enables you to execute cryptographic
functions. It supports the following features:
Creating and viewing secret keys
Encrypting or decrypting files using secret-key ciphers
Calculating message digests for files
Creating and viewing RSA, DSA, and DH public keys
Encrypting or decrypting a file using a public key or private key, respectively
Creating X.509 certificates, certificate requests, and Certificate Revocation Lists (CRL)
Managing the Certificate Authority (CA)
Strong random number generator for HP-UX 11i V1
OpenSSL A.00.09.07m requires a strong random number generator to provide secure and non-reproducible keys and certificates.
OpenSSL A.00.09.07m looks for the random number generator in the following order:
1. /dev/urandom
2. /dev/random
3. /opt/openssl/prngd/prngd
If none of these random number generators is available on the system, OpenSSL returns an error while executing cryptographic functions. To prevent this situation, OpenSSL for HP-UX 11i V1 includes the /opt/openssl/prngd/prngd random number generator. The prngd server reads HP-UX commands from the prngd.conf file, computes random numbers based on certain parameters, and writes the computed random numbers to an HP-UX socket located in the /var/run/egd-pool directory. OpenSSL functions can connect to this socket and read random numbers from it. The HP-UX 11i V2 and HP-UX 11i V3 operating systems contain /dev/random by default; therefore, they do not require /opt/openssl/prngd/prngd. Random number generation using /dev/urandom or /dev/random is faster than using /opt/openssl/prngd/prngd. HP-UX 11i V1 users can download /dev/random from the following location: http://www.software.hp.com
Automatically generated self-signed host certificate
An SSL-enabled server must be identified by a host certificate. A certificate also identifies the network host, the name and ID of the Certificate Authority (CA), and the expiry date of the certificate. Before you can deploy an SSL-enabled server for production, it must acquire a certificate signed by a legitimate CA. However, for testing purposes the certificate can be self-signed, that is, signed by the application generating the certificate. Setting up a certificate hierarchy can be time-consuming. If a self-signed certificate is available, you can direct your SSL server to this certificate during testing. OpenSSL automatically generates a self-signed host certificate and private key. The host certificate is stored as /opt/openssl/certs/host.pem and the private key of the host certificate is saved as /opt/openssl/private/hostkey.pem. The subject name of the certificate is as follows:
C=US, ST=CA, L=City, O=Company, CN=localhost/emailAddress=www@localhost
You can also generate a self-signed host certificate using the following command:
$ openssl req -new -x509 -out /opt/openssl/certs/host.pem \
    -keyout /opt/openssl/private/hostkey.pem -nodes \
    -subj /C=US/ST=CA/L=City/O=Company/CN=localhost/emailAddress=www@localhost
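The following script is an added example, not part of the HP release notes: it runs the documented openssl req command to produce the self-signed test host certificate, then performs the checks an operator should make before pointing a test SSL server at it (issuer equals subject, CN is the expected host name, the private key matches the certificate, and the unencrypted key file is owner-readable only). The target directory DIR is an assumption (the release notes use /opt/openssl), and the openssl pkey subcommand assumes OpenSSL 1.0.0 or later on the PATH.

```sh
#!/bin/sh
# Added example, not from the HP release notes: generate the self-signed test
# host certificate with the command documented above (into a directory you
# choose rather than /opt/openssl) and verify it before handing it to a test
# SSL server. Requires the openssl command-line tool on the PATH.
set -eu

# Create certs/host.pem and private/hostkey.pem under $1 with the documented subject.
make_test_host_cert() {
    mkdir -p "$1/certs" "$1/private"
    chmod 700 "$1/private"            # only the owner may list the private directory
    openssl req -new -x509 -nodes \
        -out "$1/certs/host.pem" -keyout "$1/private/hostkey.pem" \
        -subj /C=US/ST=CA/L=City/O=Company/CN=localhost/emailAddress=www@localhost \
        2>/dev/null
    chmod 600 "$1/private/hostkey.pem" # -nodes leaves the key unencrypted; rely on file mode
}

# Print "self-signed" when issuer equals subject (a test certificate), else "ca-signed".
cert_trust_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo self-signed; else echo ca-signed; fi
}

# Print the certificate's CN, which the server name must match for clients to accept it.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Succeed only when the certificate's public key is the one derived from the private key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Succeed only when the unencrypted private key is readable by its owner alone.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU stat, then BSD stat
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Usage: sh check_host_cert.sh DIR   (DIR is an assumption; HP-UX uses /opt/openssl)
if [ $# -eq 1 ]; then
    make_test_host_cert "$1"
    echo "trust: $(cert_trust_kind "$1/certs/host.pem")  CN: $(cert_cn "$1/certs/host.pem")"
    key_matches_cert "$1/certs/host.pem" "$1/private/hostkey.pem" && echo "key matches certificate"
    key_is_private "$1/private/hostkey.pem" && echo "key file mode is owner-only"
    openssl x509 -in "$1/certs/host.pem" -noout -dates   # self-signed test certs expire quickly
fi
```

The -dates line shows the short validity period of a certificate produced without -days, which is one reason such a certificate is suitable only for testing.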