I'm trying to setup a VPN server with OpenVPN, on an Ubuntu Server 18.04, and I want to use EasyRSA to build my PKI CA.
So, while connected as root, I launch the EasyRSA scripts which I copied to /etc/openvpn/easy-rsa. Everything works fine with ./clean-alland ./build-dh, but when I try to launch ./pkitool --initca, I get this error :
Can't load /root/.rnd into RNG 140171234709952:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd In the openssl confing file (/etc/openvpn/easy-rsa/openssl-1.0.0.cnf), I find this line which indicates why it tries to reach /root/.rnd :
RANDFILE = $ENV::HOME/.rnd From what I read and understood online, .rnd is a seed that openssl uses to generate random numbers. The strange thing is : even though I get this error, the RSA private key IS generated by the script. I just fear that it is not random, since it lacks a seed.
So my problem is : this file doesn't exist on my system, it is not in /root/, not in /home/user/ which is my only other user, and find / -name ".rnd" returns nothing. Even find / -iname "*.rnd" returns nothing.
And I don't even know how I can create it, or if I understood this all wrong.
14 Answers
even though I get this error, the RSA private key IS generated by the script
The file doesn't need to exist; OpenSSL creates it on its own after the first time.
I just fear that it is not random, since it lacks a seed.
The OS provides the seed using its own RNG through /dev/urandom or through system calls such as getentropy() or CryptGenRandom(). There's no need for you to provide anything extra.
I would guess that the .rnd file is more or less a leftover from the days when the OS lacked a good CSPRNG, possibly when the Linux /dev/urandom was considered poor-quality (and /dev/random produced data very slowly due to "entropy accounting"). Now it is no longer the case, and relying entirely on a seed stored on some file in your homedir would actually be less secure.
Create one in expected path
cd ~/; openssl rand -writerand .rnd 2OpenSSL creates it on its own after the first time.
Actually, it doesn't, no matter how many times I launch the script or if I just try to use the openssl rand command directly, it is never created.
But you were right : I generated two keys to check if they were different and they were.
Thank you for your help.
Remark the RANDFILE line in /etc/ssl/openssl.conf more
3