Use --password-file for CA/SSH key password in ca token --offline #539

Closed
labichn opened this issue Sep 4, 2021 · 0 comments · Fixed by #544

labichn commented Sep 4, 2021

What would you like to be added

The --password-file flag is an alias for --provisioner-password-file in the ca token command. When ca token is invoked with the --offline flag, that means the intermediate CA key password must be provided interactively.

I request/suggest that the --password-file flag should not be an alias for --provisioner-password-file, but should allow the intermediate CA key password to be passed in so ca token --offline can be used non-interactively.

Why this is needed

The ca token --offline command cannot be scripted as currently implemented.

The desired functionality would allow the following command to be performed without user input.

step ca token foo.example.org \
  --offline \
  --not-after 30m \
  --root $(step path)/certs/root_ca.crt \
  --password-file <(echo -n 'ca/ssh password') \
  --provisioner jwk \
  --provisioner-password-file <(echo -n 'jwk password') \
  --ssh --host
# => Currently, prints: "Cannot use two forms of the same flag: password-file provisioner-password-file"

Removing --password-file <(echo -n 'ca/ssh password') creates the token, once you enter the intermediate CA/SSH key password three times.

This is an instance of the general feature request in #502, but I haven't found any commands that it's not possible to script other than ca token --offline.

@labichn labichn added enhancement needs triage Waiting for discussion / prioritization by team labels Sep 4, 2021
@dopey dopey self-assigned this Sep 8, 2021
@dopey dopey closed this as completed in #544 Sep 9, 2021