[gnutls-help] Creating password protected private keys with certtool?

Josef Wolf jw at raven.inka.de
Thu May 15 11:47:05 CEST 2014

On Wed, May 14, 2014 at 10:00:30PM +0200, Nikos Mavrogiannopoulos wrote:
> On Wed, 2014-05-14 at 18:47 +0200, Josef Wolf wrote:
> > Note that --generate-self-signed don't ask for the password.
> If you use a template certtool enters non-interactive mode (batch mode).
> Then you can only specify the password in the template or use --ask-pass
> (in the latest versions).

Oh, I see.

Is there any other way to non-interactively pass the password?

Passing via --password makes it visible to the ps command.

Passing via file makes it readable in the case of crashes, when the removal of
the file might fail.

I tried the usual unix convention to pass the template on stdin by giving '-',
but certtool tries to open a file named '-' then.

I know, I can play tricks like deleting the file before writing to it and pass
/proc/xxx/fd/yy as filename to certtool. But that would be highly unportable.

Josef Wolf
jw at raven.inka.de

More information about the Gnutls-help mailing list