[gnutls-help] Creating password protected private keys with certtool?

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed May 14 22:00:30 CEST 2014

On Wed, 2014-05-14 at 18:47 +0200, Josef Wolf wrote:
> On Wed, May 14, 2014 at 04:58:04PM +0200, Josef Wolf wrote:
> > I just noticed that I get encrypted keys when I use the --pkcs8 option. But
> > then, certtool insists on reading the password from the keyboard. Is it possible
> > to provide the password on stdin or something?
> Unfortunately, --generate-self-signed doesn't seem to be able to handle
> encrypted keys:
>   $ certtool --pkcs8 --generate-privkey --sec-param=high --outfile x509-ca-key.pem
>   Generating a 3248 bit RSA private key...
>   Enter password: 
>   $ certtool --pkcs8 --generate-self-signed --template ca.templ --load-privkey x509-ca-key.pem --outfile x509-ca.pem
>   Generating a self signed certificate...
>   certtool: importing --load-privkey: x509-ca-key.pem: Decryption has failed.
> Note that --generate-self-signed doesn't ask for the password.

If you use a template, certtool enters non-interactive mode (batch mode).
Then you can only specify the password in the template or use --ask-pass
(in the latest versions).
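
The template route from the reply above, as an added example that is not part of the original thread: it writes a template carrying certtool's `password` directive into a file readable only by its owner, then runs both commands from the thread in batch mode. The certificate fields, the `CA_KEY_PASSWORD` variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; template values and names are constructed, not from the thread.

# Write a certtool template that carries the key password.
# The file holds the secret in clear text, so it is created with mode 0600.
write_template() {
    tmpl=$1
    pass=$2
    rm -f "$tmpl"          # a pre-existing file would keep its old permissions
    (
        umask 077
        cat > "$tmpl" <<EOF
cn = "Example CA"
ca
cert_signing_key
expiration_days = 365
password = $pass
EOF
    )
}

# Generate an encrypted PKCS #8 key, then a self-signed certificate from it.
# Passing --template to both commands keeps certtool in batch mode, so the
# password is taken from the template instead of the keyboard.
make_ca() {
    tmpl=$1
    certtool --pkcs8 --generate-privkey --sec-param=high \
        --template "$tmpl" --outfile x509-ca-key.pem &&
    certtool --pkcs8 --generate-self-signed --template "$tmpl" \
        --load-privkey x509-ca-key.pem --outfile x509-ca.pem
}

# Usage: CA_KEY_PASSWORD=... sh make-ca.sh run   (requires certtool on PATH)
if [ "${1:-}" = "run" ]; then
    write_template ca.templ "$CA_KEY_PASSWORD" && make_ca ca.templ
fi
```

Delete the template, or strip the `password` line from it, once the certificate has been issued, so the passphrase does not sit next to the key it protects.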

