Hi all,

I have already posted this in several (ubuntu-) forums but haven't received any hints so far; maybe somebody on this list can shed some light on this:

When creating a CA with a password, certtool never again asks for the password when signing new certificates.

Steps to reproduce (on Ubuntu 12.04, amd64):

----
[root@host] certtool -v
certtool (GnuTLS) 2.12.14
(...)
----

1. Create a private key for the CA:

----
$ [root@host] certtool --generate-privkey --outfile ca_tls.key --password "secret"
(...)
----

2. Create a self-signed certificate for the CA:

----
[root@host] certtool --generate-self-signed --load-privkey ca_tls.key --outfile ca_tls.cert --password "secret"
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): n
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
(...)
----

3. Create a key for the server:

----
[root@host] certtool --generate-privkey --outfile server_tls.key
----

4. Create a certificate for the server:

----
[root@host] certtool --generate-certificate --load-privkey server_tls.key --load-ca-certificate ca_tls.cert --load-ca-privkey ca_tls.key --outfile server_tls.cert
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: server
Enter a dnsName of the subject of the certificate: server.com
Enter a dnsName of the subject of the certificate: www.server.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
(...)
Is the above information ok? (y/N): y
Signing certificate...
----

The certificate for the server gets created and works fine (e.g. importing the CA cert in Firefox and configuring Apache with the server cert). However, I would expect to be asked for the CA password (created in step 1) when signing the certificate in step 4. This doesn't happen.

By the way: why can I even define a password for the CA certificate in step 2? I would think a password for the CA key should be sufficient?

Thanks!
_______________________________________________
Help-gnutls mailing list
[email protected]
https://lists.gnu.org/mailman/listinfo/help-gnutls
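As an added check that is not part of the original post: before a key file is used as a CA signing key, verify from its PEM headers whether it is actually passphrase-protected at rest, since a step that never prompts for the password is a sign the key may have been written unencrypted. The script assumes the two standard encryption markers (the PKCS#8 `ENCRYPTED PRIVATE KEY` block and the legacy `Proc-Type: 4,ENCRYPTED` header); the sample files are constructed placeholders, and the `--pkcs8` invocation in the trailing comment is assumed from certtool's documented options, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a PEM private
# key carries an encryption marker before it is trusted as a CA key.

# Print "encrypted" if the PEM file is passphrase-protected, "plaintext" otherwise.
key_protection() {
    f="$1"
    # PKCS#8 EncryptedPrivateKeyInfo
    if grep -qF -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted; return 0
    fi
    # Legacy OpenSSL-style PEM encryption header inside a PKCS#1 block
    if grep -qE '^Proc-Type: *4, *ENCRYPTED' "$f"; then
        echo encrypted; return 0
    fi
    echo plaintext; return 1
}

# Warn loudly when a CA key is stored in the clear.
check_ca_key() {
    if [ "$(key_protection "$1")" = encrypted ]; then
        echo "OK: $1 is passphrase-protected"
    else
        echo "WARNING: $1 is unencrypted; anyone who can read it can sign"
    fi
}

# Constructed sample files: headers only, no real key material.
tmpdir=$(mktemp -d)
cat > "$tmpdir/plain.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
constructed-placeholder-not-a-real-key
-----END RSA PRIVATE KEY-----
EOF
cat > "$tmpdir/pkcs8.key" <<'EOF'
-----BEGIN ENCRYPTED PRIVATE KEY-----
constructed-placeholder-not-a-real-key
-----END ENCRYPTED PRIVATE KEY-----
EOF

check_ca_key "$tmpdir/plain.key"
check_ca_key "$tmpdir/pkcs8.key"
rm -rf "$tmpdir"

# Assumed certtool usage to produce a protected PKCS#8 key, then re-check it:
#   certtool --generate-privkey --pkcs8 --password "secret" --outfile ca_tls.key
#   check_ca_key ca_tls.key
```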
