[Bug 1015919] Re: certtool never asks for CA-password when signing certificates
TJ
ubuntu at iam.tj
Tue Mar 4 21:23:22 UTC 2014
From reading the documentation and the source, passwords can only be
applied to PKCS#8 (--pkcs8) and PKCS#12 (--to-p12) encoded files.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1015919
Title:
certtool never asks for CA-password when signing certificates
Status in “gnutls26” package in Ubuntu:
New
Bug description:
When creating a CA with a password, certtool never again asks for it
when signing new certificates.
Steps to reproduce:
----
[root at host] certtool -v
certtool (GnuTLS) 2.12.14
(...)
----
1. Create a private key for the CA:
----
[root at host] certtool --generate-privkey --outfile ca_tls.key --password "secret"
(...)
----
2. Create a self-signed certificate for the CA
----
[root at host] certtool --generate-self-signed --load-privkey ca_tls.key --outfile ca_tls.cert --password "secret"
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): n
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Will the certificate be used to sign code? (y/N): y
Will the certificate be used to sign OCSP requests? (y/N): y
(...)
----
3. Create a key for the server
----
[root at host] certtool --generate-privkey --outfile server_tls.key
----
4. Create a certificate for the server
----
[root at host] certtool --generate-certificate --load-privkey server_tls.key --load-ca-certificate ca_tls.cert --load-ca-privkey ca_tls.key --outfile server_tls.cert
Generating a signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
(...)
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: server
Enter a dnsName of the subject of the certificate: server.com
Enter a dnsName of the subject of the certificate: www.server.com
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N): y
(...)
Is the above information ok? (y/N): y
Signing certificate...
----
The certificate for the server gets created and works fine (e.g.
importing the CA cert in firefox and configuring apache with the
server cert). However, I would expect to be asked for the CA password
(created in step 1) when signing the certificate in step 4. This
doesn't happen.
By the way: Why can I even define a password for the CA certificate
in step 2? I would think a password for the CA key should be
sufficient?
Thanks!
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: gnutls-bin 3.0.11+really2.12.14-5ubuntu3
ProcVersionSignature: Ubuntu 3.2.0-25.40-generic 3.2.18
Uname: Linux 3.2.0-25-generic x86_64
ApportVersion: 2.0.1-0ubuntu8
Architecture: amd64
Date: Thu Jun 21 08:58:21 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
ProcEnviron:
LANGUAGE=en_US:en
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gnutls26
UpgradeStatus: No upgrade log present (probably fresh install)
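TJ's comment above says certtool only applies --password to --pkcs8 and --to-p12 output, so a CA key written as in step 1 (no --pkcs8) may be stored with no encryption at all, which would explain why nothing ever prompts for the password. The shell check below is an added example, not code from the bug report or from GnuTLS: it classifies a key file by its PEM label and refuses a CA key that is not stored encrypted. The sample key files it writes are constructed placeholders and the function names are my own.

```shell
#!/bin/sh
# Added check, not from the bug report: classify how a PEM private key is stored
# so a CA key meant to be password-protected can be verified before signing.
# PKCS#8 labels: "ENCRYPTED PRIVATE KEY"/"PRIVATE KEY"; legacy "<ALG> PRIVATE KEY"
# files mark encryption with a "Proc-Type: 4,ENCRYPTED" header.
# Prints: pkcs8-encrypted | pkcs8-plain | legacy-encrypted | legacy-plain | unknown
pem_key_storage() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo legacy-encrypted
        else
            echo legacy-plain
        fi
    else
        echo unknown
    fi
}

# Succeeds (exit 0) only when the key file is stored encrypted in either form.
require_encrypted_key() {
    case "$(pem_key_storage "$1")" in
        pkcs8-encrypted|legacy-encrypted) return 0 ;;
        *) return 1 ;;
    esac
}

# write_sample PATH LABEL [encrypted]: constructed PEM with a placeholder body
# (base64 of a text string, not key material) for offline testing.
write_sample() {
    {
        echo "-----BEGIN $2-----"
        if [ "${3:-}" = encrypted ]; then
            printf 'Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,%032d\n\n' 0
        fi
        echo 'Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIsIG5vdCBhIGtleQ=='
        echo "-----END $2-----"
    } > "$1"
}
# Demo mirroring step 1 of the report: the key file name from the report, stored
# under the legacy label without encryption, beside a PKCS#8 encrypted one.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/ca_tls.key" 'RSA PRIVATE KEY'
write_sample "$demo_dir/ca_pkcs8.key" 'ENCRYPTED PRIVATE KEY'
for k in ca_tls.key ca_pkcs8.key; do
    require_encrypted_key "$demo_dir/$k" && echo "$k: ok" || echo "$k: NOT encrypted, unsafe as CA key"
done
```

Run it before a signing step such as step 4; a legacy-plain or pkcs8-plain result means the --password given at generation time never reached the file, and the key should be regenerated with --pkcs8 (or converted) so that the passphrase is actually required.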