[gnutls-help] No password prompt with csr generation when input is an encrypted pkcs8 key
mail at lechevalier.se
Mon Feb 3 23:56:12 CET 2014
I am trying to automate some of the key generation and request
operations with certtool (gnutls 3.2.9).
Normally omitting the --password from command line makes certtool prompt
the user for a password, which is perfect in my shell scripts.
# certtool --generate-privkey --rsa --pkcs8 --outfile
Generating a 2432 bit RSA private key...
It seems that when generating a CSR from an encrypted key, this does not
#certtool --generate-request --load-privkey example.com-privkey.pk8 \
--template example.com.cfg --outfile example.com-pubkey.csr
Generating a PKCS #10 certificate request...
importing --load-privkey: example.com-privkey.pk8: Decryption has failed.
Is it possible to make certtool prompt for the password to decrypt the
pkcs8 file? Or is it possible to have certtool reading the password from
a file descriptor or a named pipe?
If not, it presents some problems. I can either add the password=secret
to template.cfg or use the --password command line. Both seems very
insecure. Third option is to store the plaintext key as
example.com-privkey.pem, which can't be a good alternative either.
More information about the Gnutls-help