[gnutls-help] Generating self-signed cert requires PIN??
mk at cognitivedissonance.ca
Tue Feb 4 23:16:09 CET 2020
I've been using certtool intermittently for years and I don't recall ever having this problem trying to generate a self-signed signing (CA) cert. First the private key (there are many examples like this in the docs, online, etc including, pretty much verbatim, the man page):
certtool --generate-privkey --password $pword --outfile CAkey.pem
Then for the cert:
certtool -s --template ca.conf --outfile CAcert.pem --load-privkey CAkey.pem --password $pword
The template is just:
And what happens:
Generating a self signed certificate...
No PIN given.
The cert is never produced. There's also a note about using "the GNUTLS_PIN or GNUTLS_SO_PIN environment variables".
I have no idea what this PIN is for, but searching online a bit implies it has to do with PKCS11 hardware, which has nothing to do with what I am doing. I tried this:
And presto, no more issue. However, this worries me a bit. Will I really have to keep using this PIN with that key/cert? Or it is totally spurious?
More information about the Gnutls-help