'--csr service' returns encrypted private key with no-prompt option

[tall27]

PROBLEM SUMMARY
if I use '--csr service --no-prompt' flag, I get a private key encrypted.
same command with '--csr local --no-prompt' operates as expected (private key is not encrypted)

STEPS TO REPRODUCE
see problem summary

EXPECTED RESULTS
in both cases with --no-prompt , the private key should not be encrypted.

ACTUAL RESULTS

ENVIRONMENT DETAILS

vcert 5.7.1

COMMENTS/WORKAROUNDS

[luispresuelVenafi]

Hi @tall27

I just tested this on VCert version:

$ vcert --version
vcert version v5.7.1

With no issue:

$ vcert enroll -k redacted-apki-key --cn test.venafi.com -z "redacted\\redacted-cit" --no-prompt --csr local
vCert: 2024/11/19 11:54:19 Warning: --platform not set. Attempting to best-guess platform from connection flags
vCert: 2024/11/19 11:54:20 Successfully connected to Venafi as a Service
vCert: 2024/11/19 11:54:20 Successfully read zone configuration redacted\\redacted-cit
vCert: 2024/11/19 11:54:20 Successfully created request for test.venafi.com
vCert: 2024/11/19 11:54:22 Successfully posted request for test.venafi.com, will pick up by redacted-pickup-id
vCert: 2024/11/19 11:54:23 Successfully retrieved request for redacted-pickup-id
-----BEGIN CERTIFICATE-----
MIIEvDCCA6SgAwIBAgIUE+sF2FQulkHoERrtMMSQKouT0mQwDQYJKoZIhvcNAQEL
BQAweDELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFZlbmFmaSwgSW5jLjERMA8GA1UE
CxMIQnVpbHQtaW4xPzA9BgNVBAMTNkRlZGljYXRlZCAtIFZlbmFmaSBDbG91ZCBC
...
hfscRuI67zS6a4HaEUqvMx7lLeY4eK7w+P/rSE2CDnzgjEQN1j5SurcAS9sZcl1R
Gf4D6JGXmhFrTL2DN+tLMyZgpUYDHC4vZ9bC2ZI8bEvB/EYvfAT5o6sErV3pdLHR
oJpAUgC5JzmBwdd/kawX5yD5nvBIq8wch28mZNBWDHjgGfWKhOUyrh8Ns1cYeS1q
PTq3hA87A94y7BPRG9LE0cP00zrS4CVbylzIEWyV9xHpGEM+ALSeuYKvpyKVHbNA
umYubKGYw5DGHghPhGJ5BQ==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCaKu5nlyfooYfv
cJvqcbqXcZh2q2GqIuyzd9vFvbhnON0TduYpiH6ynjvxtpuRFKgMrPYh9c1ErTFl
gz2qdqMMmLhmr03N3FIj200emw6nktfcA60f/AsjvhDh6J9mLEXTKYrUnaabE2oO
...
KIB3VSvvCBmmU9fMZv+ofN9HPg7Ykjwy7dkGL2NYJVrWhueJxIrOhgT1v6IaPZE1
3uTiOtOpbzFQkEKHI+wxuNba3Zav+q8BwhAg5kiRAoGAVJ3LdbCmAm/yBSKfAlPF
sQs7z2jteRQwWEt4FZv73d2lQ6BE4h/2J9EzMyomRgAVoixe/QI+aMRbQL4+XaTV
wUtT1Rq5M5jBL0g6HhWyH5zHLXfrmNX9keCWChx5OXsKVsFoalf97EbjD7rZbCQ4
MBFxRFqCAfdrgoNLcp/raOM=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEtzCCA5+gAwIBAgIUFsPSXZIz4RsqnbckAUFSNJl4lOQwDQYJKoZIhvcNAQEL
BQAwZjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFZlbmFmaSwgSW5jLjERMA8GA1UE
CxMIQnVpbHQtaW4xLTArBgNVBAMTJERlZGljYXRlZCAtIFZlbmFmaSBDbG91ZCBC
...
4PIgrN7f86DfraVdSHDG38gTaJ2Hg3NU7M+dMv7x668Aa5BPBH48AWoJYKkdCfCe
BUKA9D8ucYRXWPIZ3HqtdHxbofpJEuy9GuDDycVbiWIYB3Wb99ULG8TaMemL762R
8Woq1OKWu6UyfKexMAgft/YSqoc93QMxWUbOxCeLy3hNp635xT2KL48uET9ppuCK
79Ozn6zprVr30yg=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDvTCCAqWgAwIBAgIUZ9V3kA1cobRGvkQU5s3q8FJpZMAwDQYJKoZIhvcNAQEL
BQAwZjELMAkGA1UEBhMCVVMxFTATBgNVBAoTDFZlbmFmaSwgSW5jLjERMA8GA1UE
CxMIQnVpbHQtaW4xLTArBgNVBAMTJERlZGljYXRlZCAtIFZlbmFmaSBDbG91ZCBC
...
HmzlSYQKH6KNPej4jPXY/i41kpCowCcq/Ppxf8vrwcvBalMt8vWec80fFUGmxTRW
wAe16xu2SAGUZisvdKrWFl6zf1+363E9RsaDCwfKGX6gm4W8dzuiqxxs4XSHCjnB
1zgxlKHIt2BXOhCtJAyq4GlZ4UzU0/RmavEc5rDoKKM4T8dN4W6qFByDywjBOk0f
Eg==
-----END CERTIFICATE-----
PickupID="redacted-pickup-id"

Note private key is not encrypted as expected.

Are you sure the flag is being passed correctly? Sometimes, the bash interpretation system is not helpful when passing values as string with double quotes or single quotes.

• Could you provide a template of how you were executing the command?
• Which platform were you aiming at? (in my case I was using Venafi Control Plane)

In the meantime I'll remove the bug label until we confirm indeed is a bug.

Thank you