Self-signed TLS client certificates

Marvin Gülker post+dovecot at guelker.eu
Sun Jun 16 20:27:07 EEST 2019


On 16 June 2019 at 15:53 +0300, Aki Tuomi via dovecot wrote:
> You will save yourself from a world of hurt if you use a dummy CA to sign
> your smartcard cert. You can try without generating a CRL.

I see. I've done that now, but the effort required seems to be
disproportionate. I'm just a single person. Requiring a full-blown CA
setup is like cracking breakfast eggs with a car. Now I not only have to
take care of my smartcard, but also of an almighty CA private key
that could be abused to impersonate me and that's not on my smartcard.

Don't get me wrong. Dovecot is great software, but I think that X.509
was most certainly not designed for the needs of small setups, up to a
point where I find working with it just frustrating. OpenSSL's very
unhelpful error messages ("engine error") certainly aren't
suitable to change my mind on the topic.

Anyway, thanks. Now I just need to figure out how to set up my mail
client for TLS client certificates...

-- 
Blog: https://mg.guelker.eu

