Generate certificate request with stricter permissions. Reported by Luca Capello.

3 files changed, 5 insertions, 2 deletions

diff --git a/NEWS b/NEWS
index ce1847cbc5..5a7c682c6e 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ See the end for copying conditions.
 
 * Version 2.12.0 (unreleased)
 
+** certtool: Generated certificate request with stricter permissions.
+Reported by Luca Capello.
+
 ** libgnutls: Bug fixes in opencdk code. Reported by Vitaly Kruglikov.
 
 ** libgnutls: Corrected windows system_errno() function prototype.
diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c
index 8ae957ace5..a741a64dc3 100644
--- a/src/certtool-gaa.c
+++ b/src/certtool-gaa.c
@@ -1190,7 +1190,7 @@ static int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list)
 	case GAAOPTID_generate_request:
 	OK = 0;
 #line 30 "certtool.gaa"
-{ gaaval->action=ACTION_GENERATE_REQUEST; ;};
+{ gaaval->privkey_op=1; gaaval->action=ACTION_GENERATE_REQUEST; ;};
 
 		return GAA_OK;
 		break;
diff --git a/src/certtool.gaa b/src/certtool.gaa
index e3e9f1c620..7c67af319b 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
@@ -27,7 +27,7 @@ option (u, update-certificate) { $action=ACTION_UPDATE_CERTIFICATE; } "Update a
 
 option (p, generate-privkey) { $privkey_op=1; $action=ACTION_GENERATE_PRIVKEY; } "Generate a private key."
 
-option (q, generate-request) { $action=ACTION_GENERATE_REQUEST; } "Generate a PKCS #10 certificate request."
+option (q, generate-request) { $privkey_op=1; $action=ACTION_GENERATE_REQUEST; } "Generate a PKCS #10 certificate request."
 
 option (e, verify-chain) { $action=ACTION_VERIFY_CHAIN; } "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one."