From mk at cognitivedissonance.ca Mon Jun 27 19:04:33 2022
From: mk at cognitivedissonance.ca (MK)
Date: Mon, 27 Jun 2022 13:04:33 -0400
Subject: [gnutls-help] certtool cannot use private key it created to create signed cert
Message-ID: <20220627130433.8845e1e1f3f966361d7d686c@cognitivedissonance.ca>

Hi!

I'm trying to create a signed cert using methodology from the EXAMPLES section of the man page.

> certtool --generate-privkey --outfile key.pem --rsa
Generating a 3072 bit RSA private key...

The key appears to be fine, and `certtool -k --infile key.pem` works. I have tried this using a password-encrypted key as well. But this then fails:

> certtool --generate-certificate --load-privkey key.pem --outfile cert.pem \
    --load-ca-certificate ca_cert.pem \
    --load-ca-privkey ca_privkey.pem --template tmp.txt
Generating a signed certificate...
error loading file at --load-privkey: key.pem: Decryption has failed.

That command in the EXAMPLES section does not use `--template`, but the version under FILES does. BUT, if I remove the `--template` and answer the questions in a way which creates an identical cert to the template spec, it works.

Using the same template and key with `certtool -s --load-privkey key.pem --template tmp.txt` does work to create a self-signed cert.

`tmp.txt` looks like this:

country = CA
expiration_days = 30
cn = myServer
tls_www_server
tls_www_client
signing_key
encryption_key

Is there some subtlety I'm missing? The fact that the error is "Decryption has failed" with an unencrypted key is perplexing.

This is certtool 3.7.6 on Fedora Linux.

Sincerely,
Mark Eriksen
--
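The flow above is easiest to triage with a self-contained reproducer, so here is one as an added example (it is not part of Mark's message and not GnuTLS project code). It builds a throwaway CA first, because the post assumes ca_cert.pem and ca_privkey.pem already exist, then generates the server key and runs the exact --generate-certificate command with the same template fields Mark posted. The CA template, the file names and the temporary working directory are assumptions of this script. It reports "reproduced" only if the --template step fails with the same "Decryption has failed" text, "ok" if the signed cert is produced and verifies against the CA, "skipped" if certtool is not installed, and "failed" for any other breakage, so a reply can state the outcome together with `certtool --version`.

```sh
#!/bin/sh
# Reproducer for the certtool flow in the post above (added example; file
# names, the CA template and the temp directory are assumptions).
set -u

certtool_repro() {
    command -v certtool >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d) || { echo failed; return 0; }
    orig=$PWD

    # Issuing-CA template (assumed; the post only shows the server template).
    cat >"$work/ca.tmpl" <<'EOF'
cn = "Repro Test CA"
expiration_days = 30
ca
cert_signing_key
EOF

    # Server template, identical to tmp.txt in the post.
    cat >"$work/server.tmpl" <<'EOF'
country = CA
expiration_days = 30
cn = myServer
tls_www_server
tls_www_client
signing_key
encryption_key
EOF

    cd "$work" || { rm -rf "$work"; echo failed; return 0; }

    # Stage 1: throwaway CA, then the server key exactly as the post creates it,
    # plus the same `certtool -k` sanity check on the key.
    if ! certtool --generate-privkey --outfile ca_privkey.pem --rsa >/dev/null 2>&1 ||
       ! certtool --generate-self-signed --load-privkey ca_privkey.pem \
            --template ca.tmpl --outfile ca_cert.pem >/dev/null 2>&1 ||
       ! certtool --generate-privkey --outfile key.pem --rsa >/dev/null 2>&1 ||
       ! certtool -k --infile key.pem >/dev/null 2>&1; then
        result=failed
    # Stage 2: the command that fails for the poster when --template is given.
    elif ! certtool --generate-certificate --load-privkey key.pem --outfile cert.pem \
            --load-ca-certificate ca_cert.pem --load-ca-privkey ca_privkey.pem \
            --template server.tmpl >err.txt 2>&1; then
        # Count it as a reproduction only when the error text matches the post.
        if grep -q 'Decryption has failed' err.txt; then
            result=reproduced
        else
            result=failed
        fi
    # Stage 3: on a working certtool, confirm the cert actually chains to the CA.
    elif certtool --verify --load-ca-certificate ca_cert.pem --infile cert.pem >/dev/null 2>&1; then
        result=ok
    else
        result=failed
    fi

    cd "$orig" && rm -rf "$work"
    echo "$result"
}

# Stand-alone run: prints ok | reproduced | skipped | failed.
certtool_repro
```

Everything is generated inside a fresh mktemp directory and removed afterwards, so nothing here touches real keys; if you want to inspect the artifacts, drop the `rm -rf "$work"` line and look at cert.pem with `certtool -i --infile cert.pem`.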