certtool never asks for CA-password when signing certificates

Tom Ackermann tomackermann at gmail.com
Fri Aug 24 09:42:11 CEST 2012


Hi all

I have already posted this in several (Ubuntu) forums but haven't received
any hints so far; maybe somebody on this list can shed some light on this:

When creating a CA with a password, certtool never again asks for the
password when signing new certificates.

Steps to reproduce (on Ubuntu 12.04, amd64)
----
[root@host] certtool -v
certtool (GnuTLS) 2.12.14
(...)
----

1. Create a private key for the CA:
----
[root@host] certtool --generate-privkey --outfile ca_tls.key --password "secret"
(...)
----

2. Create a self-signed certificate for the CA
----
[root@host] certtool --generate-self-signed --load-privkey ca_tls.key \
    --outfile ca_tls.cert --password "secret"
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just
press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): n
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
(...)
----

3. Create a key for the server
----
[root@host] certtool --generate-privkey --outfile server_tls.key
----

4. Create a certificate for the server
----
[root@host] certtool --generate-certificate --load-privkey server_tls.key \
    --load-ca-certificate ca_tls.cert --load-ca-privkey ca_tls.key \
    --outfile server_tls.cert
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just
press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: server
Enter a dnsName of the subject of the certificate: server.com
Enter a dnsName of the subject of the certificate: www.server.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)?
(y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
(...)
Is the above information ok? (y/N): y

Signing certificate...
----

The certificate for the server gets created and works fine (e.g. importing
the CA cert in firefox and configuring apache with the server cert).
However, I would expect to be asked for the CA password (created in step 1)
when signing the certificate in step 4. This doesn't happen.

By the way: Why can I even define a password for the CA certificate in step
2? I would think a password for the CA key should be sufficient?

Thanks!
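Editor's added example, not part of the original post and not GnuTLS's own code. As far as I can tell from the 2.12-era certtool, `--password` only takes effect when the key is written in PKCS #8 form (`--pkcs8`); without that flag the key lands on disk as plain PEM, which is why nothing ever prompts at signing time. The `--password` in step 2 is likewise the password for the private key being loaded, not for the certificate, since an X.509 certificate has no password. Rather than trust any flag, the script below checks the PEM header of the key file, refuses to sign with a CA key that is not encrypted at rest, and then runs non-interactive equivalents of steps 1 to 4 using a `--template` file. File names, template contents and the password `secret` are placeholders; the template keywords are the ones from certtool's own template format.

```shell
#!/bin/sh
# Added example (not from the original post): create a CA key that is really
# encrypted at rest, prove it from the file itself, and only then sign with it.
# Assumes GnuTLS certtool is on PATH. File names, template contents and the
# password "secret" are placeholders for this example.
set -eu

# Returns 0 if FILE holds a PKCS #8 encrypted key, 1 if it holds a plaintext
# key ("BEGIN RSA PRIVATE KEY", "BEGIN PRIVATE KEY", ...), 2 if no key block.
key_is_encrypted() {
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        return 0
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        return 1
    fi
    return 2
}

# Step 1 done properly: --pkcs8 together with --password. Assumption (checked
# below instead of trusted): this certtool only encrypts PKCS #8 output.
# Usage: generate_ca_key OUTFILE PASSWORD
generate_ca_key() {
    certtool --generate-privkey --pkcs8 --password "$2" --outfile "$1"
    chmod 600 "$1"
    if ! key_is_encrypted "$1"; then
        echo "$1 was written unencrypted; refusing to use it as a CA key" >&2
        return 1
    fi
}

# Step 4 with a gate: refuse if the CA key is not encrypted at rest. No
# --password is passed here, so certtool has to prompt for the CA key
# password, which is what the original post expected to see.
# Usage: sign_server_cert CA_KEY CA_CERT SERVER_KEY TEMPLATE OUTFILE
sign_server_cert() {
    if ! key_is_encrypted "$1"; then
        echo "refusing to sign: $1 is not an encrypted PKCS #8 key" >&2
        return 1
    fi
    certtool --generate-certificate --load-privkey "$3" \
        --load-ca-certificate "$2" --load-ca-privkey "$1" \
        --template "$4" --outfile "$5"
}

# Non-interactive equivalents of steps 1 to 4 of the post.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ca.tmpl" <<'EOF'
cn = "Example CA"
ca
cert_signing_key
crl_signing_key
expiration_days = 3650
EOF
    cat > "$dir/server.tmpl" <<'EOF'
cn = "www.server.com"
dns_name = "server.com"
dns_name = "www.server.com"
tls_www_server
encryption_key
expiration_days = 365
EOF
    generate_ca_key "$dir/ca_tls.key" secret
    # Step 2: --password here unlocks the CA key being loaded; the resulting
    # certificate itself carries no password.
    certtool --generate-self-signed --password secret \
        --load-privkey "$dir/ca_tls.key" --template "$dir/ca.tmpl" \
        --outfile "$dir/ca_tls.cert"
    # Step 3: the server key may stay unencrypted for the web server's sake.
    certtool --generate-privkey --outfile "$dir/server_tls.key"
    sign_server_cert "$dir/ca_tls.key" "$dir/ca_tls.cert" \
        "$dir/server_tls.key" "$dir/server.tmpl" "$dir/server_tls.cert"
    echo "artifacts in $dir"
}

# Only touch certtool when explicitly asked, so the check functions can be
# sourced and exercised on their own.
if [ "${RUN_CERTTOOL_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run the full sequence with `RUN_CERTTOOL_DEMO=1 sh ca_demo.sh`; the signing step then stops at certtool's password prompt, and `key_is_encrypted` is what you run over an existing `ca_tls.key` to find out whether the original step 1 actually encrypted anything. One caveat I cannot verify against 2.12 itself: my understanding is that the 2.x certtool only attempts a PKCS #8 import when `--pkcs8` is also given on the command that loads the key, while 3.x detects the format on its own, so if a 2.x certtool rejects the encrypted key with a PEM header error when loading, add `--pkcs8` to that command too.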