OpenSSL hangs during PKCS12 export with "Loading 'screen' into random state"

I am generating a self-signed SSL certificate with OpenSSL (not makecert), for use in IIS.

openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes -subj '//CN=myhost'

(The double slash is correct. The command above does not work without that.)

openssl pkcs12 -export -out key.pfx -inkey key.pem -in cert.pem -name 'myhost'

The first command completes successfully. However, the second gets stuck with:

Loading 'screen' into random state -

I am using the OpenSSL (1.0.2d) that comes with Git for Windows (2.6.3). Does anyone experience the same issue?

Clarification: The question How to fix "unable to write 'random state'" in openssl describes a different problem, writing the .rnd file. Here the problem seems to be generating the random state. (And only in the second command.)

Conceptualism answered 8/12, 2015 at 13:17
Have you tried with another version of OpenSSL (they have standalone builds)? Misdirect
No. (Finally, I have used MakeCert instead.)Conceptualism
Possible duplicate of How to fix "unable to write 'random state' " in openssl. In addition, there are a couple of bugs on Windows; see Random Numbers | Windows Issues on the OpenSSL wiki. Finally, /CN=myhost is probably wrong; see How to create a self-signed certificate with openssl?Compare

Please try adding winpty before openssl:

winpty openssl ...

or you can run a new bash wrapped by winpty:

winpty bash

In the Windows console, there is some problem with terminal input/output, so winpty can help if some software requires Unix terminal behavior.

winpty helped me to run openssl in this environment:

git version 2.7.3.windows.1
OpenSSL 1.0.2g  1 Mar 2016
Epiphenomenon answered 5/7, 2016 at 11:45
This answer and @Duncan Smart's answer are interchangeable. When exporting a PFX file, OpenSSL prompts for a password, but apparently the terminal in Git for Windows can't handle this I/O, so the command just hangs. Preceding the command with winpty wraps the command so that I/O works correctly, whereas passing -passout means OpenSSL no longer has to ask for a password.Sekofski
It took 30 years, but the powershell console that ships with Windows 10 is finally capable of half-decent ANSI/VT emulation, see devblogs.microsoft.com/commandline/… . The openssl password prompt works correctly when run from the powershell console, you can run an editor over an ssh connection without corrupting every file you open, and you can cut and paste. You can even resize the terminal window. Now if I can only get rid of the unbearable "wake the dead" console beep...Flyback

I found that I needed to specify the PFX password on the command line using -passout pass:SomePassword - e.g.:

openssl pkcs12 -export -out foo_example_com.pfx -inkey foo_example_com.key -in foo_example_com.crt -passout pass:Pa55w0rd
Mencher answered 24/1, 2016 at 16:28
Thank you so much. It just hangs without any indication that the password MUST be provided.Literacy
It works but really that's bypassing the issue not addressing it. It's a terminal issue, best resolved by the winpty answer.Vicariate
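The winpty answer and the -passout answer above both remove the password prompt that the Git Bash console cannot deliver. The script below is an added example, not code from any of the posters: it runs the asker's two-step procedure (self-signed key/cert, then PFX export) completely non-interactively and then checks that the PFX actually opens with the password. It uses -passout env:PFX_PASSWORD rather than -passout pass:..., because a password given as pass: is visible in the process command line (ps, Task Manager) and lands in shell history; env:, file: and fd: are the documented alternatives in OpenSSL's passphrase options. MSYS_NO_PATHCONV=1 is Git for Windows' switch for stopping the MSYS path rewriting that forced the double slash in -subj '//CN=myhost'; on Linux it is a harmless no-op. The directory, the CN value and the password are placeholders chosen for the example.

```shell
#!/usr/bin/env bash
# Non-interactive self-signed certificate + PFX export (added example).
# On Windows run it from Git Bash; on Linux/WSL any sh/bash will do.
set -eu

# make_pfx DIR CN
# Writes DIR/key.pem, DIR/cert.pem and DIR/key.pfx without any prompt.
# The export password is read from the PFX_PASSWORD environment variable
# via "-passout env:PFX_PASSWORD", so it never appears on the command line.
make_pfx() {
    dir="$1"
    cn="$2"
    mkdir -p "$dir"
    # -nodes leaves the private key unencrypted, so no key passphrase prompt.
    # MSYS_NO_PATHCONV=1 keeps Git Bash from turning "/CN=..." into a path.
    MSYS_NO_PATHCONV=1 openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -subj "/CN=$cn" 2>/dev/null
    # The export step is the one that hung in the question; with -passout
    # supplied, openssl has nothing to ask the terminal for.
    openssl pkcs12 -export -name "$cn" \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/key.pfx" -passout env:PFX_PASSWORD
}

# verify_pfx PFX CN
# Opens the PFX with the password in PFX_PASSWORD and checks that the
# certificate inside carries the expected CN. Returns non-zero on a wrong
# password (MAC verification fails, nothing is emitted) or a CN mismatch.
verify_pfx() {
    pfx="$1"
    cn="$2"
    openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin env:PFX_PASSWORD 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null \
        | grep -q "CN *= *$cn"
}

# Usage (password chosen for the example; pick your own):
#   export PFX_PASSWORD='correct horse battery staple'
#   make_pfx ./out myhost && verify_pfx ./out/key.pfx myhost && echo PFX OK
```

If you must stay with pass: (for example in a CI step that has no other way to pass secrets), prefer a single-use password and delete the shell history line afterwards; better, write the password to a file with mode 0600 and use -passout file:/path/to/pw.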

Recently I hit the same when running openssl in an Azure Ubuntu VM over ssh from a Windows 10 laptop. I also tried OpenSSL for Windows from the Windows command prompt and PowerShell. The root cause behind this seems to be terminal compatibility of openssl when used from the Windows command prompt.

I found that a WSL (Windows Subsystem for Linux) based shell seems to be good, and the command goes through the proper prompt instead of seeming to be hung. The steps are:

  1. Install Ubuntu on Windows.
  2. Launch the Windows command prompt. Use the wsl command to launch a bash shell.
  3. The openssl tool is already available in this shell. It should give the password and verify password prompts.

openssl pkcs12 command

Clariceclarie answered 20/1, 2022 at 7:5
How do I include the password in the command line?Nevers
@Nevers You can add -passout pass:YOURPASSWORD at the end of the commandJamnes

© 2022 - 2024 — McMap. All rights reserved.