[gnutls-help] certtool re-encrypt key [convert from unencrypted to encrypted]

Wed Jun 21 20:44:52 CEST 2017

The archives at gmane are down/gone, so can't search the list archives.
Google search returns zilch. [My Google-fu might be weak...]

Trying to encrypt a key after initial generation. The key was created without encryption.

I can't manage to get certtool to do this.
For example:

    certtool --load-privkey=ca-key.pem --outfile=ca-key-pass.pem --pkcs-cipher=aes256

Does not work.
I've tried quite a myriad of other things/variations too, to no avail.
I could probably do this in openssl, but why not do it all in certtool...

And before the inevitable chap leaps up and says "Just encrypt the key
the first time!" I'll forestall the whining by saying: "Yes, I want
the key unencrypted to start."

Why? Well...
I'll often generate a bunch of keys/certs and I generally want the
CA's key unencrypted for ease of generating a batch of signed
certs/keys. [I really don't want to type in a complex password each

Thus, I'll generate the CA key without encryption. After I'm done
generating the batch of certs/keys I'd like to then encrypt [for the
first time] the CA key [or perhaps other keys] so it can't be used
later without a password.   

[And yes, I know all about how important not allowing anyone to get
the unencrypted key is... and why only a moron would generate it in
unencrypted form. Yadda yadda... Assume whatever you want. :) ]

I simply want to know how to accomplish key conversion both with a
password to no-password and vice-versa using certtool. 


