
Provide method to create PKCS12 with encrypted Private Key within a script #1288

Status: Open
ChrisSamo632 opened this issue Oct 6, 2024 · 1 comment
Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)

Comments

@ChrisSamo632

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The CLI's step certificate p12 allows for creation of a PKCS12 file using a Certificate and Key pair (e.g. from step certificate create). The current command accepts a --password-file to specify the password to be used to encrypt the created PKCS12 file but there is no equivalent flag to provide the password needed to decrypt (and subsequently encrypt within the PKCS12 file) the Private Key.

Instead, the step certificate p12 command relies upon a TTY input to specify the Private Key password.

Why is this needed?

In an effort to allow better automation via scripts, e.g. in Docker containers, it would be preferable to allow the Private Key password to be provided without TTY input (this also cannot be simulated using Docker's tty: true or bash heredoc piping - the former simply stops the container and requires input that can't be provided, the latter complains that no TTY is available to request the password input).

@ChrisSamo632 (Author)

As a possible workaround, users can:

  • start the smallstep/step-cli Docker Image with the root user
  • install OpenSSL
  • switch to the step user
  • generate the Cert and Key files using step
  • convert to PKCS12 using OpenSSL
```shell
# Run as root inside the smallstep/step-cli image: install OpenSSL, then switch user.
apk add --no-cache openssl
su - step
# Note: in a non-interactive script `su - step` opens a login shell and the lines
# below are not handed to it; run them as `su - step -c '...'` so they execute as step.

# The doubled "$$" is docker-compose escaping for a literal "$"; in a plain shell
# script write "${cert}", "${CERT_FILE}", "${KEY_FILE}", and so on.
step certificate create "$${cert}" "$${CERT_FILE}" "$${KEY_FILE}" \
  --profile leaf --san "$${cert}" --san localhost --san 127.0.0.1 --bundle \
  --ca "$${STEPPATH}/certs/intermediate_ca.crt" --ca-key "$${STEPPATH}/secrets/intermediate_ca_key" --ca-password-file "$${STEPPATH}/secrets/password" \
  --password-file "$${PASSWORD_FILE}" --force

# Convert the cert/key pair to PKCS12 with OpenSSL. The key password goes in via
# -passin; "pass:" places it on the command line (visible in the process list),
# whereas "file:" reads it from a file like -passout does here.
openssl pkcs12 -export -out "$${P12_FILE}" -inkey "$${KEY_FILE}" -in "$${CERT_FILE}" -certfile "$${STEPPATH}/certs/intermediate_ca.crt" -passin "pass:$${KEY_PASSWORD}" -passout "file:$${PASSWORD_FILE}"
```
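The conversion step of the workaround above, as an added example that is not code from the issue or from the step project: it builds a PKCS12 from an already-encrypted private key with no TTY at all, taking both the key password and the PKCS12 password from files. It assumes `step` is not installed and uses `openssl req` to produce a key/cert pair of the same shape, with constructed throwaway passwords.

```shell
#!/bin/sh
# Added example (not from the issue or the step project): non-interactive PKCS12
# creation where the private key password and the export password both come
# from files. Assumption: openssl is installed, step is not.
set -eu

# Build constructed inputs (throwaway key, cert and password files) in a temp
# directory and export the PKCS12; prints the bundle path.
make_p12_non_interactive() {
  dir=$(mktemp -d)
  printf 'key-secret-constructed\n' > "$dir/key.pass"
  printf 'p12-secret-constructed\n' > "$dir/p12.pass"
  chmod 600 "$dir/key.pass" "$dir/p12.pass"

  # Encrypted private key plus self-signed leaf cert: the same KEY_FILE /
  # CERT_FILE shape the workaround feeds to openssl pkcs12.
  openssl req -x509 -newkey rsa:2048 -days 1 -subj '/CN=localhost' \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -passout "file:$dir/key.pass" >/dev/null 2>&1

  # file: for both passwords: nothing is prompted, and unlike -passin pass:...
  # the key password never appears in the process argument list or history.
  # </dev/null makes sure no terminal is consulted.
  openssl pkcs12 -export -out "$dir/bundle.p12" \
    -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -passin "file:$dir/key.pass" -passout "file:$dir/p12.pass" </dev/null

  echo "$dir/bundle.p12"
}

# Return 0 if the bundle's MAC verifies with the password in file $2, else 1.
verify_p12() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nodes -noout </dev/null 2>/dev/null
}

# Stand-alone usage: `sh this.sh run` builds the bundle and checks it.
if [ "${1:-}" = "run" ]; then
  p12=$(make_p12_non_interactive)
  verify_p12 "$p12" "$(dirname "$p12")/p12.pass" && echo "ok: $p12"
fi
```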
