[gnutls-help] Creating password protected private keys with certtool?

Josef Wolf jw at raven.inka.de
Thu May 15 14:22:17 CEST 2014


On Thu, May 15, 2014 at 02:05:35PM +0200, Nikos Mavrogiannopoulos wrote:
> On Thu, May 15, 2014 at 1:06 PM, Josef Wolf <jw at raven.inka.de> wrote:
> > On Thu, May 15, 2014 at 11:52:31AM +0200, Noel Kuntze wrote:
> >> You can pass /dev/stdin instead of the file.
> >> /dev/stdin is a special device on *nix systems pointing to the program's standard input.
> >> If certtool doesn't do seeks on the file, it should work fine.
> > Noel, this sounds reasonable. But certtool insists on getting a regular file:
> >   $ certtool --pkcs8 --template /dev/stdin --generate-privkey --outfile CA-key.pem
> >   fs error 22 (Invalid argument) on stat-ing for regular file /dev/stdin for option template
> 
> Good to know. It was imposed by autogen's file option. I've now lifted
> that limitation.

Nikos, I'm not really sure whether this is a good idea. After all, insisting
on regular files protects against symlink attacks.

Maybe a better solution would be to go for the Unix tradition and special-case
the '-' to mean stdin/stdout (depending on context).

-- 
Josef Wolf
jw at raven.inka.de
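As an added illustration of the trade-off raised in this thread (example code, not anything from gnutls or certtool): one way a tool can special-case '-' for stdin while still refusing symlinks for real paths is to open with O_NOFOLLOW and check the open descriptor with fstat(), rather than stat-ing the path first. The status codes and the self_test() helper are assumptions of this sketch, not certtool's names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Hypothetical status codes for this sketch (not certtool's). */
enum { TEMPLATE_OK = 0, TEMPLATE_STDIN = 1, TEMPLATE_NOT_REGULAR = -1, TEMPLATE_OPEN_FAILED = -2 };
/* "-" selects stdin; any other path is opened with O_NOFOLLOW and then checked
 * with fstat() on the open descriptor, so a symlink planted at the path is
 * refused (ELOOP) and there is no stat-then-open window between check and use. */
int open_template(const char *path, int *fd_out)
{
    if (strcmp(path, "-") == 0) {
        *fd_out = STDIN_FILENO;
        return TEMPLATE_STDIN;
    }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return errno == ELOOP ? TEMPLATE_NOT_REGULAR : TEMPLATE_OPEN_FAILED;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd); /* device, FIFO or directory: not a regular file */
        return TEMPLATE_NOT_REGULAR;
    }
    *fd_out = fd;
    return TEMPLATE_OK;
}
/* Classify a path and release the descriptor; convenient for callers and tests. */
int classify_template(const char *path)
{
    int fd = -1, rc = open_template(path, &fd);
    if (rc == TEMPLATE_OK) close(fd);
    return rc;
}
/* Constructed check: a fresh regular file must pass and a symlink to it must
 * be refused. Returns 0 when both hold, the failing step number otherwise. */
int self_test(void)
{
    char path[] = "/tmp/certtool-tmpl-XXXXXX", link[64];
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    strcpy(link, path); strcat(link, ".lnk");
    int rc = symlink(path, link) != 0 ? 2
           : classify_template(path) != TEMPLATE_OK ? 3
           : classify_template(link) != TEMPLATE_NOT_REGULAR ? 4 : 0;
    unlink(link); unlink(path);
    return rc;
}
```

On Linux /dev/stdin is itself a symlink into /proc, so classify_template("/dev/stdin") is refused here; only the explicit '-' reaches stdin.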
