Provide method to create PKCS12 with encrypted Private Key within a script
Hello!
- Vote on this issue by adding a 👍 reaction
- If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)
Issue details
The CLI's `step certificate p12` allows for creation of a PKCS12 file using a Certificate and Key pair (e.g. from `step certificate create`). The current command accepts a `--password-file` to specify the password to be used to encrypt the created PKCS12 file, but there is no equivalent flag to provide the password needed to decrypt (and subsequently encrypt within the PKCS12 file) the Private Key.
Instead, the `step certificate p12` command relies upon a TTY input to specify the Private Key password.
Why is this needed?
In an effort to allow better automation via scripts, e.g. in Docker containers, it would be preferable to allow the Private Key password to be provided without TTY input (this also cannot be simulated using Docker's tty: true or bash heredoc piping - the former simply stops the container and requires input that can't be provided, the latter complains that no TTY is available to request the password input).
As a possible workaround, users can:
- start the `smallstep/step-cli` Docker image with the `root` user
- install OpenSSL
- switch to the `step` user
- generate the Cert and Key files using `step`
- convert to PKCS12 using OpenSSL
```shell
# Note: $${VAR} is docker-compose escaping for a literal ${VAR}; outside a
# compose file use ${VAR} directly.
apk add --no-cache openssl
su - step
# Generate leaf cert + encrypted key; the key password comes from PASSWORD_FILE.
step certificate create "$${cert}" "$${CERT_FILE}" "$${KEY_FILE}" \
--profile leaf --san "$${cert}" --san localhost --san 127.0.0.1 --bundle \
--ca "$${STEPPATH}/certs/intermediate_ca.crt" --ca-key "$${STEPPATH}/secrets/intermediate_ca_key" --ca-password-file "$${STEPPATH}/secrets/password" \
--password-file "$${PASSWORD_FILE}" --force
# Export to PKCS12 without a TTY: -passin decrypts the key, -passout encrypts the bundle.
openssl pkcs12 -export -out "$${P12_FILE}" -inkey "$${KEY_FILE}" -in "$${CERT_FILE}" -certfile "$${STEPPATH}/certs/intermediate_ca.crt" -passin "pass:$${KEY_PASSWORD}" -passout "file:$${PASSWORD_FILE}"
```
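As an added, self-contained example (not code from this issue or from the smallstep/cli project), the script below shows the whole non-interactive flow end to end: it generates an encrypted EC key and a self-signed certificate as a stand-in for `step certificate create`, keeps both passwords in files with restrictive permissions, exports the PKCS12 with `-passin file:` / `-passout file:` so nothing ever prompts on a TTY, and then opens the bundle again with the bundle password to prove it was written correctly. All file names, the subject `demo.example`, and the password values are constructed for the demo; the function name `make_p12` is hypothetical.

```shell
#!/bin/sh
# Added example: PKCS12 from an encrypted PEM key using only file-based
# secrets, so it works in a Docker container with no TTY attached.
set -eu

# make_p12 <scratch-dir>: writes key.pem, cert.pem, bundle.p12 and the two
# password files into <scratch-dir>. Everything here is constructed demo data.
make_p12() {
  work="$1"
  umask 077                      # key material and password files stay private
  printf 'key-pass-demo' > "$work/key.pw"   # constructed key passphrase
  printf 'p12-pass-demo' > "$work/p12.pw"   # constructed bundle password

  # Encrypted PKCS#8 key (P-256, like step's default); the passphrase is read
  # from a file, not from the terminal.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -aes-256-cbc -pass "file:$work/key.pw" -out "$work/key.pem" 2>/dev/null

  # Self-signed certificate as a stand-in for a step-issued leaf; -subj avoids
  # interactive prompts and -passin unlocks the encrypted key.
  openssl req -new -x509 -key "$work/key.pem" -passin "file:$work/key.pw" \
    -subj '/CN=demo.example' -days 1 -out "$work/cert.pem" 2>/dev/null

  # Export: -passin decrypts the private key, -passout encrypts the bundle.
  openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
    -passin "file:$work/key.pw" -passout "file:$work/p12.pw" \
    -out "$work/bundle.p12"

  # Verify non-interactively: open the bundle with the bundle password and
  # print its metadata only (-nokeys -noout means nothing secret is emitted).
  openssl pkcs12 -in "$work/bundle.p12" -passin "file:$work/p12.pw" \
    -nokeys -noout -info 2>/dev/null
}

dir=$(mktemp -d)
make_p12 "$dir"
echo "bundle written to $dir/bundle.p12"
```

The design point is that every secret travels through `file:` arguments rather than `pass:` on the command line, so the passphrases never show up in `ps` output or shell history, and the `umask 077` before the password files are created keeps them readable only by the invoking user.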
@ChrisSamo632 @hslatman Hey, is this issue still open? If so, can I implement it?
@aliamerj I haven't tried with newer versions, but it would be a handy one to fix