[gnutls-help] Is it possible to invoke certtool to create a self signed certificate using a pkcs #8 key and a template file?

Samuel Harmer samuelharmer at gmail.com
Sun Jan 5 11:24:23 CET 2014


Dear GnuTLS mailing list,

I have posted this to ubuntu.stackexchange.com already but have a feeling
this mailing list might know a bit more. Alternative solutions welcome
although I'm deliberately trying to avoid OpenSSL, which I'm pretty sure is
capable of handling this.

I'm struggling with certtool from the gnutls package on Ubuntu server
12.04.3. I'm trying to follow this guide
(https://help.ubuntu.com/community/GnuTLS) but with an encrypted key.

I've created my encrypted private key like so.

# certtool \
>  --generate-privkey \
>  --pkcs8 \
>  --sec-param low \
>  --pkcs-cipher aes-256 \
>  --outfile ca_key.pkcs8
Generating a 1248 bit RSA private key...
Enter password:
Confirm password:

Now I would like to create a self signed certificate using this key with
the following command. Instead of prompting me for the password for the
private key though, I get the following error.

# certtool \
>  --generate-self-signed \
>  --load-privkey ca_key.pkcs8 \
>  --pkcs8 \
>  --pkcs-cipher aes-256 \
>  --template ca_template
Generating a self signed certificate...
Segmentation fault (core dumped)

If I attempt this with the same template and an unencrypted private key it
works. Or if I use the encrypted key without a template, it also works.

# certtool --generate-privkey --sec-param low --outfile ca_key
Generating a 1248 bit RSA private key...
# certtool --generate-self-signed --load-privkey ca_key --template ca_template
Generating a self signed certificate...
X.509 Certificate Information:
        Version: 3
...

# certtool --generate-self-signed --load-privkey ca_key.pkcs8 --pkcs8 --pkcs-cipher aes-256
Generating a self signed certificate...
Enter password:
Please enter the details of the certificate's distinguished name. Just
press enter to ignore a field.
Country name (2 chars): GB
...

Is there a way to make certtool accept both a template file and an
encrypted private key? Or do I need to script the decryption of the private
key to a temporary key file to pass to certtool?

Thanks and regards,
Samuel H.