Re: Generate OpenSSL CSR in Squeeze
>>>>> David A Parker <dparker@utica.edu> writes:
>>>>> On 07/27/2011 11:55 AM, Ivan Shmakov wrote:
[…]
>> While I don't know what may cause this behavior, I'd try to use
>> GnuTLS' certtool(1) to generate the request, in the hope that
>> it's unlikely that both OpenSSL and GnuTLS would've been broken
>> in the same way.
>> $ openssl --generate-request --load-privkey=server.key --outfile=server.csr
s/openssl/certtool/.
> Thanks. It turns out the key file in question is an encrypted key
> (not a plain RSA key as I thought). However, it was created with no
> password specified, and apparently OpenSSL doesn't stop you from
> doing this, but it can't read the encrypted key later if you chose
> not to set a password. A quick example:
> # openssl genrsa 4096 | openssl pkcs8 -topk8 -out test.key
[…]
Unfortunately, while it seems that certtool(1) allows an empty
password, the DES-CBC encryption schema is apparently
unsupported:
$ certtool -8 --generate-request --load-privkey test.key --outfile test.csr
Generating a PKCS #10 certificate request...
Enter password: |<1>| PKCS encryption schema OID '1.2.840.113549.1.5.3' is unsupported.
certtool: importing --load-privkey: /tmp/test.key: The cipher type is unsupported.
$
Also, I've tried to specify an empty password to openssl(1) with
both -passin pass: and -passin file:/dev/null, but to no avail.
I see no solution other than generating a new private key with
-nocrypt, like:
$ openssl genrsa 4096 | openssl pkcs8 -nocrypt -topk8 -out test.key
> And now you're stuck. It just keeps asking for a password, and even
> ^C won't break out of this. You have to enter a junk password that's
> more than 4 characters, and that will force it to fail and abort.
> I think this behavior is very odd.
Indeed.
--
FSF associate member #7257
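A key-file triage check, added here as an example and not part of the thread: it tells whether a PEM private key is a plain PKCS#8 key, a traditional PKCS#1/SEC1 PEM key, or a PKCS#8 EncryptedPrivateKeyInfo, and for the last decodes the PBE scheme OID, so a key like the one above (OID 1.2.840.113549.1.5.3, pbeWithMD5AndDES-CBC) is recognised before it is handed to certtool or openssl and can be regenerated with -nocrypt instead. The OID-to-name mapping comes from PKCS#5/PKCS#12; the sample key is constructed, and `inspect_key`, `der_tlv` and `decode_oid` are this example's own names.

```python
import base64
import re

# PBE scheme OIDs (PKCS#5 / PKCS#12); the first is the one certtool rejected in the thread.
PBE_OIDS = {"1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5 PBES1)",
            "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
            "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12)"}

def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_key(pem):
    """Classify a PEM private key and, for PKCS#8 encrypted keys, name the PBE scheme."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM private key block found")
    label, body = m.group(1), m.group(2)
    if label != "ENCRYPTED PRIVATE KEY":
        # Plain PKCS#8 or traditional PKCS#1/SEC1; the latter is encrypted only with a Proc-Type header
        encrypted = "Proc-Type: 4,ENCRYPTED" in body
        return {"label": label, "encrypted": encrypted, "pbe_oid": None, "pbe": None}
    der = base64.b64decode("".join(l for l in body.split("\n") if ":" not in l))
    # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier ::= SEQUENCE { OID, params }, OCTET STRING }
    algid = der_tlv(der_tlv(der)[1])[1]
    oid = decode_oid(der_tlv(algid)[1])
    return {"label": label, "encrypted": True, "pbe_oid": oid, "pbe": PBE_OIDS.get(oid, "unknown scheme")}

def _tlv(tag, value):  # short-form DER TLV encoder (value < 128 bytes), used only for the sample
    return bytes([tag, len(value)]) + value

# Constructed sample (not a real key): EncryptedPrivateKeyInfo naming pbeWithMD5AndDES-CBC
# with an 8-byte salt, 2048 iterations and 16 bytes of dummy ciphertext.
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010503"))
            + _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x08\x00")))
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              + base64.encodebytes(_tlv(0x30, _ALG + _tlv(0x04, b"\xaa" * 16))).decode()
              + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Running `inspect_key` over a key that openssl pkcs8 wrote with -nocrypt returns `encrypted: False`, which is the state the thread ends up needing.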