I am trying to automate some of the key generation and request operations with certtool (gnutls 3.2.9).
Normally omitting the --password from the command line makes certtool prompt the user for a password, which is perfect in my shell scripts.

    # certtool --generate-privkey --rsa --pkcs8 --outfile example.com-privkey.pk8
    Generating a 2432 bit RSA private key...
    Enter password:

It seems that when generating a CSR from an encrypted key, this does not happen.

    # certtool --generate-request --load-privkey example.com-privkey.pk8 \
        --template example.com.cfg --outfile example.com-pubkey.csr
    Generating a PKCS #10 certificate request...
    importing --load-privkey: example.com-privkey.pk8: Decryption has failed.

Is it possible to make certtool prompt for the password to decrypt the PKCS #8 file? Or is it possible to have certtool read the password from a file descriptor or a named pipe?

If not, it presents some problems. I can either add password=secret to template.cfg or use the --password command line option. Both seem very insecure. A third option is to store the plaintext key as example.com-privkey.pem, which can't be a good alternative either.

~A

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
