
"step ca init" with "--root" and "--key": add a way to pass the password to decrypt existing key file

Open ottigeda opened this issue 3 years ago • 4 comments

When using "step ca init" with "--root" and "--key", could a functionality be added to pass the password to decrypt the existing key file? It would not matter how the password would be supplied: the thing that matters to me is to avoid the prompt which asks for the password to decrypt the key file.

I would like to automate this process as much as possible, and therefore entering the password on the command prompt is not an option in my case.

ottigeda avatar Mar 31 '21 19:03 ottigeda

Hey @ottigeda thanks for opening the issue. Wanted to mention another workaround here:

  1. step certificate create --profile root-ca ...
  2. step certificate create --profile intermediate-ca ...
  3. step ca init, without passing the --root flag.
  4. Replace the generated root + intermediate with the root/intermediate that you generated in steps 1+2.

step certificate create does take all the flags that you would need to decrypt password files.

dopey avatar Mar 31 '21 19:03 dopey
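
An added example (not code from this thread or from the smallstep project) that scripts the workaround above for an already existing root key, non-interactively via the --password-file flags of step certificate create and step ca init, and then rewrites the root fingerprint in defaults.json so it matches the pre-existing root; the CA name, DNS name, port, provisioner name and the two password files are assumed inputs.

```shell
#!/bin/sh
# Assumes the `step` CLI is installed and a clean STEPPATH; all names below are placeholders.
set -eu

# Rewrite only the "fingerprint" value of a defaults.json (plain sed, no step CLI needed).
set_fingerprint() {
  file=$1; fp=$2
  sed -E "s/(\"fingerprint\"[[:space:]]*:[[:space:]]*\")[0-9a-fA-F]*(\")/\1${fp}\2/" "$file" >"$file.tmp"
  mv "$file.tmp" "$file"
}

# Read the "fingerprint" value back out of a defaults.json.
get_fingerprint() {
  sed -nE 's/.*"fingerprint"[[:space:]]*:[[:space:]]*"([0-9a-fA-F]*)".*/\1/p' "$1"
}

# Steps 2-4 of the workaround for an existing (encrypted) root certificate and key.
# $int_pw is reused for `step ca init` so that the replaced intermediate key is encrypted
# with the same password step-ca will later be given via --password-file at startup.
init_with_existing_root() {
  root_crt=$1; root_key=$2; root_pw=$3; int_pw=$4      # assumed inputs
  step certificate create "Example Intermediate CA" intermediate_ca.crt intermediate_ca_key \
    --profile intermediate-ca --ca "$root_crt" --ca-key "$root_key" \
    --ca-password-file "$root_pw" --password-file "$int_pw"
  step ca init --deployment-type standalone --name "Example" --dns ca.example.internal \
    --address :9000 --provisioner admin \
    --password-file "$int_pw" --provisioner-password-file "$int_pw"
  sp=$(step path)
  # Replace the generated root/intermediate with the pre-existing root and the new intermediate.
  cp "$root_crt" "$sp/certs/root_ca.crt"
  cp "$root_key" "$sp/secrets/root_ca_key"
  cp intermediate_ca.crt "$sp/certs/intermediate_ca.crt"
  cp intermediate_ca_key "$sp/secrets/intermediate_ca_key"
  # defaults.json still carries the fingerprint of the generated root; fix it.
  set_fingerprint "$sp/config/defaults.json" "$(step certificate fingerprint "$root_crt")"
  echo "root fingerprint now: $(get_fingerprint "$sp/config/defaults.json")"
}

# Usage: sh init-ca.sh run root_ca.crt root_ca_key root-pw.txt intermediate-pw.txt
if [ "${1:-}" = run ]; then
  init_with_existing_root "$2" "$3" "$4" "$5"
fi
```

Keep the intermediate password file and pass it to step-ca with --password-file when the server starts, otherwise the replaced intermediate key cannot be decrypted.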

Thanks, I will definitely give it a try!

ottigeda avatar Mar 31 '21 19:03 ottigeda

I could make it work using the workaround mentioned here, thanks a lot for your help! The only thing that confused me for a moment is that, after this procedure, the fingerprint in "defaults.json" is not the correct one. I believe it would still be a big simplification (at least for my use case) if I could do this with "step ca init" only.

ottigeda avatar Apr 01 '21 10:04 ottigeda

How about ca init --ssh?

nodakai avatar May 04 '22 05:05 nodakai

I came here looking for the same thing; I'm trying to automate the deployment of a containerized step ca server using a pre-existing root certificate and key. The workaround suggested by @dopey isn't just inconvenient; because it leaves the incorrect key fingerprint in defaults.json, it's not possible to automate using the simple environment available in the step ca container image.

Having a --key-password-file=... option -- analogous to the existing --<something>-password-file options -- would make the process much more convenient.

larsks avatar Feb 11 '24 19:02 larsks

Like #1106, for example.

larsks avatar Feb 11 '24 19:02 larsks