Add support for the flag --issuer-password-file

The new flag allows to pass a file with the password used to decrypt
the key used in RA mode.

commands/app.go

@@ -22,13 +22,17 @@ var AppCommand = cli.Command{
 	Name:   "start",
 	Action: appAction,
 	UsageText: `**step-ca** <config>
-	[**--password-file**=<file>]
-	[**--resolver**=<addr>]`,
+[**--password-file**=<file>] [**--issuer-password-file**=<file>] [**--resolver**=<addr>]`,
 	Flags: []cli.Flag{
 		cli.StringFlag{
 			Name: "password-file",
 			Usage: `path to the <file> containing the password to decrypt the
 intermediate private key.`,
+		},
+		cli.StringFlag{
+			Name: "issuer-password-file",
+			Usage: `path to the <file> containing the password to decrypt the
+certificate issuer private key used in the RA mode.`,
 		},
 		cli.StringFlag{
 			Name:  "resolver",
@@ -40,6 +44,7 @@ intermediate private key.`,
 // AppAction is the action used when the top command runs.
 func appAction(ctx *cli.Context) error {
 	passFile := ctx.String("password-file")
+	issuerPassFile := ctx.String("issuer-password-file")
 	resolver := ctx.String("resolver")
 
 	// If zero cmd line args show help, if >1 cmd line args show error.
@@ -64,6 +69,14 @@ func appAction(ctx *cli.Context) error {
 		password = bytes.TrimRightFunc(password, unicode.IsSpace)
 	}
 
+	var issuerPassword []byte
+	if issuerPassFile != "" {
+		if issuerPassword, err = ioutil.ReadFile(issuerPassFile); err != nil {
+			fatal(errors.Wrapf(err, "error reading %s", issuerPassFile))
+		}
+		issuerPassword = bytes.TrimRightFunc(issuerPassword, unicode.IsSpace)
+	}
+
 	// replace resolver if requested
 	if resolver != "" {
 		net.DefaultResolver.PreferGo = true
@@ -72,7 +85,10 @@ func appAction(ctx *cli.Context) error {
 		}
 	}
 
-	srv, err := ca.New(config, ca.WithConfigFile(configFile), ca.WithPassword(password))
+	srv, err := ca.New(config,
+		ca.WithConfigFile(configFile),
+		ca.WithPassword(password),
+		ca.WithIssuerPassword(issuerPassword))
 	if err != nil {
 		fatal(err)
 	}