>>>>> David A Parker <dpar...@utica.edu> writes:
>>>>> On 07/27/2011 11:55 AM, Ivan Shmakov wrote:

[…]

 >> While I don't know what may cause this behavior, I'd try to use
 >> GnuTLS' certtool(1) to generate the request, in the hope that
 >> it's unlikely that both OpenSSL and GnuTLS would've been broken
 >> in the same way.

 >> $ openssl --generate-request --load-privkey=server.key --outfile=server.csr

        s/openssl/certtool/.

 > Thanks.  It turns out the key file in question is an encrypted key
 > (not a plain RSA key as I thought).  However, it was created with no
 > password specified, and apparently OpenSSL doesn't stop you from
 > doing this, but it can't read the encrypted key later if you chose
 > not to set a password.  A quick example:

 > # openssl genrsa 4096 | openssl pkcs8 -topk8 -out test.key

[…]

        Unfortunately, while it seems that certtool(1) allows an empty
        password, the DES-CBC encryption schema is apparently unsupported:

$ certtool -8 --generate-request --load-privkey test.key --outfile test.csr
Generating a PKCS #10 certificate request...
Enter password:
|<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' is unsupported.
certtool: importing --load-privkey: /tmp/test.key: The cipher type is unsupported.
$

        Also, I've tried to specify an empty password to openssl(1) with
        both -passin pass: and -passin file:/dev/null, but to no avail.

        I see no solution other than generating a new private key with
        -nocrypt, like:

$ openssl genrsa 4096 | openssl pkcs8 -nocrypt -topk8 -out test.key

 > And now you're stuck.  It just keeps asking for a password, and even
 > ^C won't break out of this.  You have to enter a junk password that's
 > more than 4 characters, and that will force it to fail and abort.

 > I think this behavior is very odd.

        Indeed.

-- 
FSF associate member #7257

Archive: http://lists.debian.org/86y5zjkumc....@gray.siamics.net
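The thread turns on a detail that neither openssl(1) nor certtool(1) shows up front: test.key is a PKCS#8 EncryptedPrivateKeyInfo whose AlgorithmIdentifier carries OID 1.2.840.113549.1.5.3 (pbeWithMD5AndDES-CBC, the PKCS#5 v1.5 "PBES1" scheme), whereas `pkcs8 -nocrypt` writes a bare PrivateKeyInfo that starts with an INTEGER version. The script below is an added example, not code from the thread or from either project: it reads only that outer ASN.1 layout with the Python standard library (no openssl needed) and reports which scheme a key file uses, so one can tell before running certtool whether the OID it will see is a legacy PBES1 one. The OID names are from PKCS#5/PKCS#12; the two sample keys are constructed stand-ins with dummy payloads, not real keys. Note the limit: the header is identical whether the key was encrypted with an empty or a real password, which is exactly why both tools keep prompting.

```python
"""Report whether a PEM PKCS#8 key is encrypted and, if so, under which PBE scheme.
Added example (not from the thread); standard library only, header inspection only."""
import base64
import re

# PBE scheme OIDs from PKCS#5 v1.5/v2.0 and PKCS#12 (facts, not taken from the thread).
# 1.2.840.113549.1.5.3 is the OID certtool rejected in the thread.
PBE_OIDS = {
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PBES1)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PBES1)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12)",
    "1.2.840.113549.1.5.13": "PBES2 (PBKDF2 + cipher given in parameters)",
}

def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _pem_to_der(pem):
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def inspect_pkcs8(pem):
    """Return (description, pbe_oid); pbe_oid is None for an unencrypted key."""
    label, der = _pem_to_der(pem)
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 object must be a SEQUENCE")
    tag, first, _ = _tlv(body, 0)
    if label == "PRIVATE KEY" and tag == 0x02:       # PrivateKeyInfo: INTEGER version first
        return "unencrypted PrivateKeyInfo", None
    if label == "ENCRYPTED PRIVATE KEY" and tag == 0x30:  # AlgorithmIdentifier ::= SEQUENCE {OID, params}
        tag, oid_bytes, _ = _tlv(first, 0)
        if tag != 0x06:
            raise ValueError("AlgorithmIdentifier must start with an OID")
        oid = _decode_oid(oid_bytes)
        return PBE_OIDS.get(oid, "unknown PBE scheme"), oid
    raise ValueError("unrecognised PKCS#8 layout for label %r" % label)

# --- minimal DER encoder, used only to build the constructed sample files ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return out

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def sample_pbes1_key():
    """Constructed: the shape of the thread's test.key (pbeWithMD5AndDES-CBC,
    8-byte salt, 2048 iterations); the ciphertext is dummy bytes."""
    params = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00"))
    alg = _der(0x30, _der(0x06, _der_oid("1.2.840.113549.1.5.3")) + params)
    return _pem("ENCRYPTED PRIVATE KEY", _der(0x30, alg + _der(0x04, b"\xAA" * 64)))

def sample_plain_key():
    """Constructed: the shape of `pkcs8 -nocrypt -topk8` output (rsaEncryption, dummy key)."""
    alg = _der(0x30, _der(0x06, _der_oid("1.2.840.113549.1.1.1")) + _der(0x05, b""))
    return _pem("PRIVATE KEY", _der(0x30, _der(0x02, b"\x00") + alg + _der(0x04, b"\x00" * 16)))

if __name__ == "__main__":
    import sys
    pems = [open(p).read() for p in sys.argv[1:]] or [sample_pbes1_key(), sample_plain_key()]
    for pem in pems:
        print(inspect_pkcs8(pem))
```

Run it with no arguments to see the two constructed cases, or pass the path of a real test.key produced by the commands in the thread. On the PBES1 sample it reports ("pbeWithMD5AndDES-CBC (PBES1)", "1.2.840.113549.1.5.3"), the OID from the certtool error above; on the -nocrypt sample it reports ("unencrypted PrivateKeyInfo", None). A PBES2 key (OID 1.2.840.113549.1.5.13) is what a modern `openssl pkcs8 -topk8 -v2 aes-256-cbc` produces, and is the form to prefer if the key must stay encrypted.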