[openssl-dev] FIPS compliant digital signature

Dr. Stephen Henson steve at openssl.org
Wed Feb 4 19:21:19 UTC 2015

On Wed, Feb 04, 2015, Rex Bloom wrote:

> Can someone help me understand what type of digital signature I can use for FIPS compliance.
> I used this command:
> openssl genrsa -aes128 -passout pass:mypassphrase -out privkey.pem 2048
> to generate a pem file but when I tried to load this as follows:
> RSA *rkey = PEM_read_bio_RSAPrivateKey( bio, 0, 0, (void*)"mypassphrase");
> I receive this error
> error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips'.
> Can you point to anything I am doing wrong here?

This is an openssl-users question not openssl-dev.

You need to be in FIPS mode when you create the key. So if you do:

OPENSSL_FIPS=1 openssl genrsa ...

It should work.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-dev mailing list