The keys should not be given passwords due to limitations in the upstream scripts. If you want to secure them at rest, you should take a different approach where they - can still be available to the signing scripts as a directory of unencrypted keys. The - sample certificate subject can be replaced with your own information or simply left - as-is.
+ can still be available to the signing scripts as a directory of unencrypted keys. + +The sample certificate subject should be replaced with your own information.
To generate keys for crosshatch (you should use unique keys per device variant):