[gnutls-help] Generating self-signed cert requires PIN??

MK mk at cognitivedissonance.ca
Tue Feb 4 23:16:09 CET 2020


I've been using certtool intermittently for years and I don't recall ever having this problem trying to generate a self-signed signing (CA) cert. First the private key (there are many examples like this in the docs, online, etc., including, pretty much verbatim, the man page):

        certtool  --generate-privkey  --password $pword --outfile CAkey.pem

Then for the cert:

        certtool  -s --template ca.conf --outfile CAcert.pem --load-privkey CAkey.pem --password $pword     

The template is just:


And what happens:

   Generating a self signed certificate...
   No PIN given.

The cert is never produced.  There's also a note about using "the GNUTLS_PIN or GNUTLS_SO_PIN environment variables".

I have no idea what this PIN is for, but searching online a bit implies it has to do with PKCS11 hardware, which has nothing to do with what I am doing. I tried this:

   export GNUTLS_PIN=1234

And presto, no more issue. However, this worries me a bit. Will I really have to keep using this PIN with that key/cert? Or is it totally spurious?

Mark Eriksen
