[gnutls-help] certtool cannot use private key it created to create signed cert

MK mk at cognitivedissonance.ca
Mon Jun 27 19:04:33 CEST 2022


I'm trying to create a signed cert using methodology from the EXAMPLES
section of the man page.

> certtool --generate-privkey --outfile key.pem --rsa
Generating a 3072 bit RSA private key...

The key appears to be fine, and `certtool -k --infile key.pem` works.
I have tried this using a password encrypted key as well.

But this then fails:

> certtool --generate-certificate --load-privkey key.pem --outfile cert.pem \
       --load-ca-certificate ca_cert.pem \
       --load-ca-privkey ca_privkey.pem --template tmp.txt
Generating a signed certificate...
error loading file at --load-privkey: key.pem: Decryption has failed.

That command in the EXAMPLES section does not use `--template`,
but the version under FILES does. 

BUT, if I remove the `--template` and answer the questions in a way
which creates an identical cert to the template spec, it works.

Using the same template and key with `certtool -s --load-privkey
key.pem  --template tmp.txt` does work to create a self-signed cert.

`tmp.txt` looks like this:

country = CA
expiration_days = 30
cn = myServer

Is there some subtlety I'm missing? The fact that the error is
"Decryption has failed" with an unencrypted key is perplexing.
This is certtool 3.7.6 on Fedora Linux.

Sincerely, Mark Eriksen

