gnutls-devel

[sr #108206] certtool --generate-request error handling


From: Daniel Black
Subject: [sr #108206] certtool --generate-request error handling
Date: Thu, 13 Dec 2012 06:43:37 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/25.0.1354.0 Safari/537.21

URL:
  <http://savannah.gnu.org/support/?108206>

                 Summary: certtool --generate-request error handling
                 Project: GnuTLS
            Submitted by: danblack
            Submitted on: Thu 13 Dec 2012 06:43:36 AM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None

    _______________________________________________________

Details:

I did the following two commands recently to get a certificate request of a
CA.

$ certtool --bits 2432 --generate-privkey --outfile key.pem
** Note: Please use the --sec-param instead of --bits
Generating a 2432 bit RSA private key...

$ certtool --generate-request --infile key.pem  --outfile request.pem
Generating a PKCS #10 certificate request...
Generating a 2432 bit RSA private key...
....

To a not-so-often user of certtool the mistake is --infile should have been
--load-privkey. While if I'd been astute and noticed the second generation, or
read the manual this would have been obvious. As a result I got the CA to issue
a certificate without actually having the private key anywhere.

As --infile isn't valid with --generate-request can some warning show up when
generating a certificate request without the private key being saved
anywhere?

I'm sure there's other invalid and dangerous combinations here too.

cheers.

Daniel
failed certtool user :-)




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?108206>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
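
A check that would catch the situation reported above before the request goes to a CA, as an added example that is not part of the original report and not GnuTLS code: it reads the RSA public key out of the PKCS #10 request and compares it with the private key file on disk. The function names are hypothetical, the key is assumed to be a PKCS#1 "RSA PRIVATE KEY" PEM block, and only the key material is compared (the request signature is not verified).

```python
import base64, re

def pem_body(text, label):
    """DER bytes of the first PEM block with this label; text before the block is skipped."""
    m = re.search(r"-----BEGIN %s-----(.+?)-----END %s-----" % (label, label), text, re.S)
    if not m:
        raise ValueError("no %s block found" % label)
    return base64.b64decode("".join(m.group(1).split()))

def tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value bytes, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_public_from_privkey(pem_text):
    """(n, e) from a PKCS#1 RSA private key: SEQUENCE { version, n, e, d, ... }."""
    fields = children(tlv(pem_body(pem_text, "RSA PRIVATE KEY"))[1])
    return tuple(int.from_bytes(v, "big") for _, v in fields[1:3])

def rsa_public_from_request(pem_text):
    """(n, e) from a PKCS #10 request: request -> info -> subjectPKInfo -> BIT STRING."""
    der = pem_body(pem_text, "(?:NEW )?CERTIFICATE REQUEST")
    info = children(children(tlv(der)[1])[0][1])   # version, subject, subjectPKInfo, attributes
    spki = children(info[2][1])                    # algorithm, subjectPublicKey
    key = children(tlv(spki[1][1][1:])[1])         # drop the BIT STRING unused-bits octet
    return tuple(int.from_bytes(v, "big") for _, v in key[:2])

def request_matches_key(request_pem, privkey_pem):
    """True only if the request carries the public half of the private key on disk."""
    return rsa_public_from_request(request_pem) == rsa_public_from_privkey(privkey_pem)
```

Called with the contents of request.pem and key.pem from the report, `request_matches_key` would return False, because the request was built from the second, unsaved key.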
