[gnutls-help] Creating password protected private keys with certtool?

Josef Wolf jw at raven.inka.de
Wed May 14 18:47:00 CEST 2014

On Wed, May 14, 2014 at 04:58:04PM +0200, Josef Wolf wrote:
> I just noticed that I get encrypted keys when I use the --pkcs8 option. But
> then, certtool insists on reading the password from the keyboard. Is it possible
> to provide the password on stdin or something?

Unfortunately, --generate-self-signed doesn't seem to be able to handle
encrypted keys:

  $ certtool --pkcs8 --generate-privkey --sec-param=high --outfile x509-ca-key.pem
  Generating a 3248 bit RSA private key...
  Enter password: 
  $ certtool --pkcs8 --generate-self-signed --template ca.templ --load-privkey x509-ca-key.pem --outfile x509-ca.pem
  Generating a self signed certificate...
  certtool: importing --load-privkey: x509-ca-key.pem: Decryption has failed.

Note that --generate-self-signed doesn't ask for the password.

This time 3.2.4 from opensuse-13.1

Josef Wolf
jw at raven.inka.de
