Avoid trying to create TPM certificates while the issuer certificate has
not been created, yet (in a 2nd step).
To resolve this do not just test for availability of the signing key, which
is created first, but also test for the issuer certifcate, which is created
in a 2nd step when the local CA is created. If either one is missing,
attempt to create the CA.
Resolves: #644
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Pass the CA's private key password via the template file. Remove recently
added old GnuTLS support. Extend man page with a paragraph about short-
comings of certtool that doesn't seem to allow private key password being
passed either as environment variable or template file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Older versions of GnuTLS need --password on the command line while
newer versions require GNUTLS_PIN to be set to pass the password.
So, this patch accomodates older versions of GnuTLS.
Older version of GnuTLS seem to NOT be able to handle a CA private
key needing a password and a signing key needing a password when
creating the intermediate CA. So this case of 2 passwords will
always fail.
The value of the local CA is not so high that passing passwords on
the command line would be an issue. Later on when using the CA the
password are set via environment variables, so not visible to other
users.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Add support for pkcs11 module environment variables to the config file.
These variables may have the following format:
env:VARNAME=VALUE
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
