certtool never asks for CA-password when signing certificates
(Detailed description follows below)
I have already posted this in the English Ubuntu forum
http://
the German Ubuntu forum and filed a bug report:
https:/
As I haven't received any reactions so far, I'm left with three possible conclusions:
* Nobody is using gnutls
* Nobody is maintaining the package
* I am doing something wrong and my mistake is so obvious that nobody wants to tell me :)
I think the first two options are not very likely, so if somebody who is using gnutls to create a password protected CA could shed some light on this issue, I would really appreciate it :) Here's my problem (copy of the posts mentioned above):
When creating a CA with a password, certtool never again asks for it when signing new certificates.
Steps to reproduce:
----
[root@host] certtool -v
certtool (GnuTLS) 2.12.14
(...)
----
1. Create a private key for the CA:
----
[root@host] certtool --generate-privkey --outfile ca_tls.key --password "secret"
(...)
----
2. Create a self-signed certificate for the CA
----
[root@host] certtool --generate-
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): n
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
(...)
----
3. Create a key for the server
----
[root@host] certtool --generate-privkey --outfile server_tls.key
----
4. Create a certificate for the server
----
[root@host] certtool --generate-
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: server
Enter a dnsName of the subject of the certificate: server.com
Enter a dnsName of the subject of the certificate: www.server.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
(...)
Is the above information ok? (y/N): y
Signing certificate...
----
The certificate for the server gets created and works fine (e.g. importing the CA cert in Firefox and configuring Apache with the server cert). However, I would expect to be asked for the CA password (created in step 1) when signing the certificate in step 4. This doesn't happen.
By the way: Why can I even define a password for the CA certificate in step 2? I would think a password for the CA key should be sufficient?
Thanks!
Question information
- Language: English
- Status: Open
- For: Ubuntu gnutls26
- Assignee: No assignee
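Whether any tool needs a password to use the key from step 1 depends on whether that file is stored encrypted, which can be read off its PEM headers. The following is an added example, not part of the original post or of GnuTLS; `key_protection` is a hypothetical helper name and the sample key bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify a PEM private key file by its armor headers.
# key_protection is a hypothetical helper name, not a certtool feature.
# Prints one of: encrypted-pkcs8, encrypted-legacy, unencrypted, unknown.
key_protection() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 2; }

    # PKCS#8 EncryptedPrivateKeyInfo: encryption is visible in the label.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        echo encrypted-pkcs8
        return 0
    fi

    # Traditional PEM (RSA/DSA/EC) and plain PKCS#8 share one label style;
    # an encrypted traditional key carries a Proc-Type header in the block.
    if grep -q -e '-----BEGIN [A-Z]* *PRIVATE KEY-----' "$file"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
            echo encrypted-legacy
            return 0
        fi
        echo unencrypted
        return 1
    fi
    echo unknown
    return 2
}

# With a path argument, classify that file; otherwise run on constructed
# sample headers (bodies are placeholders, not real key material).
if [ "$#" -gt 0 ]; then
    key_protection "$1"
else
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$tmp/plain.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$tmp/p8.key"
    for f in "$tmp/plain.key" "$tmp/p8.key"; do
        printf '%s: %s\n' "${f##*/}" "$(key_protection "$f")"
    done
    rm -rf "$tmp"
fi
```

Run it with a key file path as the argument, for example the `ca_tls.key` produced in step 1; the exit status is 0 only when the key is encrypted on disk.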