[gnutls-help] No password prompt with csr generation when input is an encrypted pkcs8 key

A L mail at lechevalier.se
Mon Feb 3 23:56:12 CET 2014

I am trying to automate some of the key generation and request
operations with certtool (gnutls 3.2.9).

Normally omitting the --password from command line makes certtool prompt
the user for a password, which is perfect in my shell scripts.

# certtool --generate-privkey --rsa --pkcs8 --outfile

Generating a 2432 bit RSA private key...
Enter password:

It seems that when generating a CSR from an encrypted key, this does not

# certtool --generate-request --load-privkey example.com-privkey.pk8 \
--template example.com.cfg --outfile example.com-pubkey.csr

Generating a PKCS #10 certificate request...
importing --load-privkey: example.com-privkey.pk8: Decryption has failed.

Is it possible to make certtool prompt for the password to decrypt the
pkcs8 file? Or is it possible to have certtool reading the password from
a file descriptor or a named pipe?

If not, it presents some problems. I can either add password=secret
to template.cfg or use the --password command line option. Both seem very
insecure. The third option is to store the plaintext key as
example.com-privkey.pem, which can't be a good alternative either.
