<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class="">Hi Mike (and all).</div><div class=""><br class=""></div><div class="">Thanks for the info. I understand the implications of storing the randomized data to storage and precautions would be taken to air-gap this info from the outside world. </div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><blockquote type="cite" class=""><div dir="ltr" class=""><div class="">If not, you can use the TRNG for all newly issued certificates moving forward.</div></div></blockquote><br class=""></div><div class="">Can you pease syntax? I have googled but I’m unclear if this would be with -rand flag, or setting the RANDFILE variable, or something else. Provided the randomized numbers are in a binary file, can you advise how to use this file for the generation of future keys/certs from the existing CA.</div><div class=""><br class=""></div><div class="">Thank you</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On Sep 3, 2015, at 2:23 AM, Mike Mohr <<a href="mailto:akihana@gmail.com" class="">akihana@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Once you've written the random data to secondary storage you've permanently compromised the integrity of any cryptographic secrets generated from it. Depending on your threat model, underlying storage media, filesystem, and other factors the data files may be recoverable indefinitely (especially if you're using solid-state disks, due to their internal wear-leveling algorithms). Don't do that.<div class=""><br class=""></div><div class="">The cryptographic secrets contained in your existing CA infrastructure were presumably generated using some sort of PRNG, so you'd have to regenerate them if you think the PRNG was somehow compromised. If not, you can use the TRNG for all newly issued certificates moving forward. However, I'd suggest not using one of the proprietary devices which are encased in epoxy ... you have no way to verify that they're doing what they say they are. The data quality coming out of those is fairly suspect in my mind (despite any positive results from e.g. dieharder, etc).</div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Wed, Sep 2, 2015 at 9:53 PM, Kevin Long <span dir="ltr" class=""><<a href="mailto:kevinlong206@gmail.com" target="_blank" class="">kevinlong206@gmail.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br class="">
<br class="">
Hello,<br class="">
<br class="">
I’m using openssl to administer a root/intermediate CA and I use the certificates for a number of web servers and other applications. All of my users install my root CA certificate for trust.<br class="">
<br class="">
I’ve been asked to use a hardware random number generator to create the keys/certificates going forward. I have a hardware RNG, and have created several files of random numbers using it, and I would like to know:<br class="">
<br class="">
1) Can I specify my random numbers file to create keys/certificates from my CA (openssl command line, mac or linux)<br class="">
<br class="">
2) Will this actually do any good, security wise, given how openssl certs/keys “work”. My users and superiors are concerned with backdoors in PRNGs and RNG predictabilities.<br class="">
<br class="">
3) If I can indeed use my own random numbers, does this mean I have to start my CA from scratch to take advantage of any benefit using “true” random numbers from my hardware RNG? or would simply using my RN’s for the generation of keys for new certificates going forward allow for the benefit the true randomness gives.<br class="">
<br class="">
Thank you.<br class="">
_______________________________________________<br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
</blockquote></div><br class=""></div>
_______________________________________________<br class="">openssl-users mailing list<br class="">To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class=""></div></blockquote></div><br class=""></body></html>