[gnutls-help] certtool re-encrypt key [convert from unencrypted to encrypted]

listserv.traffic at sloop.net listserv.traffic at sloop.net
Wed Jun 21 23:37:18 CEST 2017

> The archives at gmane are down/gone, so can't search the list archives.
> Google search returns zilch. [My google-foo might be weak...]

> Trying to encrypt a key after initial generation. The key was created without encryption.

> I can't manage to get certtool to do this.
> For example: certtool --load-privkey=ca-key.pem --outfile=ca-key-pass.pem --pkcs-cipher=aes256
> Does not work.
> I've tried quite a myriad of other things/variations too, to no avail.
> I could probably do this in openssl, but why not do it all in certtool...

> And before the inevitable chap leaps up and says "Just encrypt the key
> the first time!" I'll forestall the whining by saying; "Yes, I want
> the key unencrypted to start."  

> Why? Well...
> I'll often generate a bunch of keys/certs and I generally want the
> CA's key unencrypted for ease of generating a batch of signed
> certs/keys. [I really don't want to type in a complex password each
> time.]

> Thus, I'll generate the CA key without encryption. After I'm done
> generating the batch of certs/keys I'd like to then encrypt [for the
> first time] the CA key [or perhaps other keys] so it can't be used
> later without a password.   

> [And yes, I know all about how important not allowing anyone to get
> the unencrypted key is... and why only a moron would generate it in
> unencrypted form. Yadda yadda... Assume whatever you want. :) ]

> I simply want to know how to accomplish key conversion, both from a
> password to no password and vice versa, using certtool.

Answering my own question after a lot more experimenting...

The following will encrypt a non-encrypted key. [with AES-256-CBC - pretty much the only encryption scheme I'd recommend, unless you have compatibility issues.]
certtool --load-privkey=ca-key.pem --to-p8 --outfile=ca-key-pass.pem --pkcs-cipher=aes-256

The method I have for decryption probably isn't the "correct" way, but a fair bit of experimenting didn't find anything better...
certtool --infile=ca-key-pass.pem --key-info > ca-key-nopass.pem

That will decrypt the key, but will include header info that's not on a "normal" key - so you'll want to strip that off - at the time of writing this, that would be the top seven lines.

Glad to be corrected, or have better ways to accomplish the above, if someone knows it.

The above were tested on Windows ports of the GnuTLS utilities, but I'd expect them to work exactly the same regardless of platform.
On that note: the latest compiled build of the Windows version is really quite old [from late 2016], and hasn't been updated for bugs or security patches. When might a new binary for Windows be available?
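As an added worked example (not part of the original post or of the GnuTLS project), the script below runs the complete round trip with certtool: generate a plain key, encrypt it to PKCS#8 with AES-256 via the `--to-p8` command from the post, decrypt it via `--key-info`, and confirm the key material survived. It assumes what the post observed, namely that `--key-info` prints a textual summary followed by the PEM block, but extracts the PEM between its BEGIN/END markers with sed instead of cutting a fixed number of header lines, since that count is version-dependent. The file names, the password and the helper function names are placeholders I chose; `--password` makes the commands non-interactive for scripting (note that it puts the password in the process list, so drop it to be prompted instead).

```shell
#!/bin/sh
# Added example, not from the original post: round-trip an unencrypted
# GnuTLS private key through an AES-256 PKCS#8 file and back with certtool.
# File names, the password and the function names are placeholders.
set -u

# Encrypt a plain key into PKCS#8 with AES-256-CBC (the post's command,
# made non-interactive with --password).
encrypt_key() {  # encrypt_key <plain.pem> <out.pem> <password>
    certtool --load-privkey="$1" --to-p8 --pkcs-cipher=aes-256 \
             --password="$3" --outfile="$2"
}

# Decrypt a PKCS#8 key back to a plain PEM key. --key-info writes a
# human-readable summary followed by the PEM block; keep only the lines
# between the BEGIN/END markers rather than dropping N header lines.
decrypt_key() {  # decrypt_key <enc.pem> <out.pem> <password>
    tmp=$(mktemp) || return 1
    if ! certtool --key-info --infile="$1" --password="$3" > "$tmp"; then
        rm -f "$tmp"            # wrong password or unreadable input
        return 1
    fi
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' \
        "$tmp" > "$2"
    rm -f "$tmp"
    grep -q '^-----BEGIN' "$2"  # fail if no PEM block was found
}

# 0 if the file is an encrypted PKCS#8 key, 1 otherwise.
key_is_encrypted() {
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$1"
}

# 0 if two private keys carry the same public key, i.e. the round trip
# preserved the key material; 1 otherwise.
same_public_key() {
    a=$(certtool --pubkey-info --load-privkey="$1" 2>/dev/null) || return 1
    b=$(certtool --pubkey-info --load-privkey="$2" 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Full round trip in a scratch directory; returns 0 when every check passes:
# the encrypted file really is encrypted, a wrong password is rejected,
# the decrypted file is plain again, and its public key matches the original.
roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    pw='correct horse battery staple'   # placeholder password
    certtool --generate-privkey --bits 2048 --outfile "$dir/ca-key.pem" 2>/dev/null || return 1
    encrypt_key "$dir/ca-key.pem" "$dir/ca-key-pass.pem" "$pw" || return 1
    key_is_encrypted "$dir/ca-key-pass.pem" || return 1
    if decrypt_key "$dir/ca-key-pass.pem" "$dir/junk.pem" 'not the password'; then
        return 1                         # must not decrypt with a bad password
    fi
    decrypt_key "$dir/ca-key-pass.pem" "$dir/ca-key-nopass.pem" "$pw" || return 1
    if key_is_encrypted "$dir/ca-key-nopass.pem"; then return 1; fi
    same_public_key "$dir/ca-key.pem" "$dir/ca-key-nopass.pem" || return 1
    rm -rf "$dir"
}

# Usage: . ./this-script.sh && roundtrip_demo && echo "round trip OK"
```

The sed range in `decrypt_key` matches any `PRIVATE KEY` PEM block, so it works whether certtool emits an RSA, EC or generic PKCS#8 header for the decrypted key; the public-key comparison at the end is the check worth keeping around, since it catches a decryption that "succeeds" but yields the wrong key.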

