diff --git a/Makefile.certificate b/Makefile.certificate
index bf3dc21..e839427 100644
--- a/Makefile.certificate
+++ b/Makefile.certificate
@@ -38,7 +38,7 @@ usage:
 umask 77 ; \
 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
 PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
- /usr/bin/openssl req $(UTF8) -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
+ /usr/bin/openssl req $(UTF8) -newkey rsa:2048 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 -set_serial $(SERIAL) ; \
 cat $$PEM1 > $@ ; \
 echo "" >> $@ ; \
 cat $$PEM2 >> $@ ; \
@@ -46,7 +46,7 @@ usage:
 %.key:
 umask 77 ; \
- /usr/bin/openssl genrsa -des3 1024 > $@
+ /usr/bin/openssl genrsa -aes128 2048 > $@
 %.csr: %.key
 umask 77 ; \
diff --git a/make-dummy-cert b/make-dummy-cert
index 3aff5be..f5f0453 100755
--- a/make-dummy-cert
+++ b/make-dummy-cert
@@ -20,7 +20,7 @@ for target in $@ ; do
 PEM1=`/bin/mktemp /tmp/openssl.XXXXXX`
 PEM2=`/bin/mktemp /tmp/openssl.XXXXXX`
 trap "rm -f $PEM1 $PEM2" SIGINT
- answers | /usr/bin/openssl req -newkey rsa:1024 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
+ answers | /usr/bin/openssl req -newkey rsa:2048 -keyout $PEM1 -nodes -x509 -days 365 -out $PEM2 2> /dev/null
 cat $PEM1 > ${target}
 echo "" >> ${target}
 cat $PEM2 >> ${target}
diff --git a/openssl-0.9.8a-defaults.patch b/openssl-0.9.8a-defaults.patch
index 5a4db7b..391d117 100644
--- a/openssl-0.9.8a-defaults.patch
+++ b/openssl-0.9.8a-defaults.patch
@@ -1,9 +1,10 @@
 --- openssl-0.9.8a/apps/openssl.cnf.defaults 2005-09-16 14:20:24.000000000 +0200
 +++ openssl-0.9.8a/apps/openssl.cnf 2005-11-04 11:00:37.000000000 +0100
-@@ -99,6 +99,7 @@
+@@ -99,7 +99,8 @@
 ####################################################################
 [ req ]
- default_bits = 1024
+-default_bits = 1024
++default_bits = 2048
 +default_md = sha1
 default_keyfile = privkey.pem
 distinguished_name = req_distinguished_name
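Review bot: The RSA key length is still a bare literal repeated in three commands: `-newkey rsa:2048` in the Makefile.certificate hunk at @@ -38, `genrsa -aes128 2048` in the `%.key` rule at @@ -46, and `-newkey rsa:2048` in make-dummy-cert, so the next increase has to find every copy again. The Makefile already parameterises `$(UTF8)` and `$(SERIAL)`; a `KEYLEN=2048` variable used as `-newkey rsa:$(KEYLEN)` and `genrsa -aes128 $(KEYLEN)` would keep the two rules in step and let a caller override the size. Both recipes start or end outside their hunks.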
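Review bot: In make-dummy-cert (@@ -20) the changed `openssl req` line still sends stderr to `/dev/null` and its exit status is not checked in the visible lines, so a failed key generation goes on to `cat` two empty temp files into `${target}` without any message. Stopping on failure, for example by appending `|| { rm -f $PEM1 $PEM2 ; exit 1 ; }` to that line, avoids leaving an empty certificate file behind. The `trap` above it covers only `SIGINT`, so the unencrypted key in `$PEM1` would stay in `/tmp` on any other early exit unless lines outside the hunk remove it; the loop body continues past the hunk.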
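Review bot: The `[ req ]` defaults in openssl-0.9.8a-defaults.patch now pair `default_bits = 2048` with `default_md = sha1`, which this hunk leaves unchanged, so requests and self-signed certificates made with the packaged openssl.cnf get a larger key but are still signed over a SHA-1 digest. If the packaged library is built with SHA-2, `default_md = sha256` would raise the digest along with the key size; otherwise a comment next to `default_md` saying why it stays at SHA-1 would help the next maintainer. The rest of the `[ req ]` section lies outside the hunk.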
diff --git a/openssl-0.9.8j-ca-dir.patch b/openssl-0.9.8j-ca-dir.patch
index 52c0025..17cd3f9 100644
--- a/openssl-0.9.8j-ca-dir.patch
+++ b/openssl-0.9.8j-ca-dir.patch
@@ -6,7 +6,7 @@ diff -up openssl-0.9.8j/apps/openssl.cnf.ca-dir openssl-0.9.8j/apps/openssl.cnf
 [ CA_default ]
 -dir = ./demoCA # Where everything is kept
-+dir = ../../CA # Where everything is kept
++dir = /etc/pki/CA # Where everything is kept
 certs = $dir/certs # Where the issued certs are kept
 crl_dir = $dir/crl # Where the issued crl are kept
 database = $dir/index.txt # database index file.
@@ -18,7 +18,7 @@ diff -up openssl-0.9.8j/apps/CA.sh.ca-dir openssl-0.9.8j/apps/CA.sh
 X509="$OPENSSL x509"
 -CATOP=./demoCA
-+CATOP=../../CA
++CATOP=/etc/pki/CA
 CAKEY=./cakey.pem
 CAREQ=./careq.pem
 CACERT=./cacert.pem
@@ -30,7 +30,7 @@ diff -up openssl-0.9.8j/apps/CA.pl.in.ca-dir openssl-0.9.8j/apps/CA.pl.in
 $PKCS12="$openssl pkcs12";
 -$CATOP="./demoCA";
-+$CATOP="../../CA";
++$CATOP="/etc/pki/CA";
 $CAKEY="cakey.pem";
 $CAREQ="careq.pem";
 $CACERT="cacert.pem";
diff --git a/openssl-0.9.8j-fips-rng-seed.patch b/openssl-0.9.8k-fips-rng-seed.patch
similarity index 61%
rename from openssl-0.9.8j-fips-rng-seed.patch
rename to openssl-0.9.8k-fips-rng-seed.patch
index 0c24d89..a8346b5 100644
--- a/openssl-0.9.8j-fips-rng-seed.patch
+++ b/openssl-0.9.8k-fips-rng-seed.patch
@@ -1,6 +1,6 @@
-diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/rand/rand_lcl.h
---- openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed 2009-02-02 13:40:37.000000000 +0100
-+++ openssl-0.9.8j/crypto/rand/rand_lcl.h 2009-02-02 13:50:42.000000000 +0100
+diff -up openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8k/crypto/rand/rand_lcl.h
+--- openssl-0.9.8k/crypto/rand/rand_lcl.h.rng-seed 2009-04-21 11:43:58.000000000 +0200
++++ openssl-0.9.8k/crypto/rand/rand_lcl.h 2009-04-21 11:44:01.000000000 +0200
 @@ -112,7 +112,7 @@
 #ifndef HEADER_RAND_LCL_H
 #define HEADER_RAND_LCL_H
@@ -10,32 +10,9 @@ diff -up openssl-0.9.8j/crypto/rand/rand_lcl.h.rng-seed openssl-0.9.8j/crypto/ra
 #if !defined(USE_MD5_RAND) && !defined(USE_SHA1_RAND) && !defined(USE_MDC2_RAND) && !defined(USE_MD2_RAND)
-diff -up openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed openssl-0.9.8j/fips/rand/fips_rand.c
---- openssl-0.9.8j/fips/rand/fips_rand.c.rng-seed 2008-09-16 12:12:18.000000000 +0200
-+++ openssl-0.9.8j/fips/rand/fips_rand.c 2009-02-02 14:06:58.000000000 +0100
-@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
- {
- int i;
- if (!ctx->keyed)
-- return 0;
-+ {
-+ FIPS_RAND_SIZE_T keylen = 16;
-+
-+ if (seedlen - keylen < AES_BLOCK_LENGTH)
-+ return 0;
-+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
-+ keylen += 8;
-+ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
-+ keylen += 8;
-+ seedlen -= keylen;
-+ fips_set_prng_key(ctx, seed+seedlen, keylen);
-+ }
- /* In test mode seed is just supplied data */
- if (ctx->test_mode)
- {
-diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
---- openssl-0.9.8j/fips/fips.c.rng-seed 2009-02-02 13:40:38.000000000 +0100
-+++ openssl-0.9.8j/fips/fips.c 2009-02-02 13:49:32.000000000 +0100
+diff -up openssl-0.9.8k/fips/fips.c.rng-seed openssl-0.9.8k/fips/fips.c
+--- openssl-0.9.8k/fips/fips.c.rng-seed 2009-04-21 11:44:01.000000000 +0200
++++ openssl-0.9.8k/fips/fips.c 2009-04-21 11:44:02.000000000 +0200
 @@ -509,22 +509,22 @@ int FIPS_mode_set(int onoff)
 goto end;
 }
@@ -65,3 +42,34 @@ diff -up openssl-0.9.8j/fips/fips.c.rng-seed openssl-0.9.8j/fips/fips.c
 if(FIPS_selftest())
 fips_set_mode(1);
 else
+diff -up openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed openssl-0.9.8k/fips/rand/fips_rand.c
+--- openssl-0.9.8k/fips/rand/fips_rand.c.rng-seed 2008-09-16 12:12:18.000000000 +0200
++++ openssl-0.9.8k/fips/rand/fips_rand.c 2009-06-30 12:00:53.000000000 +0200
+@@ -155,7 +155,18 @@ static int fips_set_prng_seed(FIPS_PRNG_
+ {
+ int i;
+ if (!ctx->keyed)
+- return 0;
++ {
++ FIPS_RAND_SIZE_T keylen = 16;
++
++ if (seedlen - keylen < AES_BLOCK_LENGTH)
++ return 0;
++ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
++ keylen += 8;
++ if (seedlen - keylen - 8 >= AES_BLOCK_LENGTH)
++ keylen += 8;
++ seedlen -= keylen;
++ fips_set_prng_key(ctx, seed+seedlen, keylen);
++ }
+ /* In test mode seed is just supplied data */
+ if (ctx->test_mode)
+ {
+@@ -276,6 +287,7 @@ static int fips_rand(FIPS_PRNG_CTX *ctx,
+ unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
+ unsigned char tmp[AES_BLOCK_LENGTH];
+ int i;
++ FIPS_selftest_check();
+ if (ctx->error)
+ {
+ RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
diff --git a/openssl.spec b/openssl.spec
index da5cbe8..6dcebc3 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@ Summary: A general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 0.9.8k
-Release: 5%{?dist}
+Release: 6%{?dist}
 # We remove certain patented algorithms from the openssl source tarball
 # with the hobble-openssl script which is included below.
 Source: openssl-%{version}-usa.tar.bz2
@@ -33,6 +33,7 @@ Source6: make-dummy-cert
 Source8: openssl-thread-test.c
 Source9: opensslconf-new.h
 Source10: opensslconf-new-warning.h
+Source11: README.FIPS
 # Build changes
 Patch0: openssl-0.9.8j-redhat.patch
 Patch1: openssl-0.9.8a-defaults.patch
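Review bot: In the re-added fips_rand.c section, the length guard `if (seedlen - keylen < AES_BLOCK_LENGTH)` in fips_set_prng_seed is only safe if `FIPS_RAND_SIZE_T` is a signed type; its definition is not in the hunk, and with an unsigned type a `seedlen` below 16 wraps to a huge value, passes the guard, and after `seedlen -= keylen` the pointer `seed+seedlen` lies outside the caller's buffer. Writing the comparisons without subtraction, `if (seedlen < keylen + AES_BLOCK_LENGTH) return 0;` and `if (seedlen >= keylen + 8 + AES_BLOCK_LENGTH) keylen += 8;`, holds for either signedness. The result of `fips_set_prng_key(ctx, seed+seedlen, keylen)` is also discarded; if that call can fail, the function should return 0 there rather than continue unkeyed. Both function bodies continue outside the inner hunks.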
@@ -63,10 +64,11 @@ Patch46: openssl-0.9.8j-eap-fast.patch
 Patch47: openssl-0.9.8j-readme-warning.patch
 Patch48: openssl-0.9.8j-bad-mime.patch
 Patch49: openssl-0.9.8j-fips-no-pairwise.patch
-Patch50: openssl-0.9.8j-fips-rng-seed.patch
+Patch50: openssl-0.9.8k-fips-rng-seed.patch
 Patch51: openssl-0.9.8k-multi-crl.patch
 Patch52: openssl-0.9.8k-dtls-compat.patch
 Patch53: openssl-0.9.8k-dtls-dos.patch
+Patch54: openssl-0.9.8k-algo-doc.patch
 # Backported fixes including security fixes
 License: OpenSSL
@@ -154,6 +156,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch51 -p1 -b .multi-crl
 %patch52 -p1 -b .dtls-compat
 %patch53 -p1 -b .dtls-dos
+%patch54 -p1 -b .algo-doc
 # Modify the various perl scripts to reference perl in the right location.
 perl util/perlpath.pl `dirname %{__perl}`
@@ -212,6 +215,9 @@ make all
 # Generate hashes for the included certs.
 make rehash
+# Overwrite FIPS README
+cp -f %{SOURCE11} .
+
 %check
 # Verify that what was compiled actually works.
@@ -364,6 +370,7 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %doc doc/c-indentation.el doc/openssl.txt
 %doc doc/openssl_button.html doc/openssl_button.gif
 %doc doc/ssleay.txt
+%doc README.FIPS
 %dir %{_sysconfdir}/pki/tls
 %dir %{_sysconfdir}/pki/tls/certs
 %{_sysconfdir}/pki/tls/certs/make-dummy-cert
@@ -412,6 +419,13 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun -p /sbin/ldconfig
 %changelog
+* Tue Jun 30 2009 Tomas Mraz 0.9.8k-6
+- abort if selftests failed and random number generator is polled
+- mention EVP_aes and EVP_sha2xx routines in the manpages
+- add README.FIPS
+- make CA dir absolute path (#445344)
+- change default length for RSA key generation to 2048 (#484101)
+
 * Thu May 21 2009 Tomas Mraz 0.9.8k-5
 - fix CVE-2009-1377 CVE-2009-1378 CVE-2009-1379 (DTLS DoS problems)
 (#501253, #501254, #501572)