Improve certutil --pass documentation about empty password

Improve the documentation of parameter --pass of elasticsearch-certutil Co-Authored-By: Diego Cardozo Sandrim <diegocsandrim@users.noreply.github.com> Co-Authored-By: Vigneash Sundar <vikene@users.noreply.github.com> Backport of: elastic#40137
tvernum · Apr 8, 2019 · 4799e72 · 4799e72
1 parent 0edfbfa
commit 4799e72
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/docs/reference/commands/certutil.asciidoc b/docs/reference/commands/certutil.asciidoc
@@ -177,14 +177,17 @@ with the `ca` parameter.
 
 `--pass <password>`:: Specifies the password for the generated private keys.
 +
-Keys stored in PKCS#12 format are always password protected.
+Keys stored in PKCS#12 format are always password protected, however,
+this password may be _blank_. If you want to specify a blank password
+without a prompt, use `--pass ""` (with no `=`) on the command line.
 +
 Keys stored in PEM format are password protected only if the
 `--pass` parameter is specified. If you do not supply an argument for the
 `--pass` parameter, you are prompted for a password.
-+
-If you want to specify a _blank_ password (without prompting), use 
-`--pass ""` (with no `=`).
+Encrypted PEM files do not support blank passwords (if you do not
+wish to password-protect your PEM keys, then do not specify
+`--pass`).
+
 
 `--pem`:: Generates certificates and keys in PEM format instead of PKCS#12. This
 parameter cannot be used with the `csr` parameter.