Dear List,

I self-host my e-mail and have run Dovecot ever since I started doing that. Dovecot
version is 2.3.4.1 (f79e8e7e4), running on Debian testing.

Now I am trying to configure Dovecot for client TLS certificates. I have
a self-signed certificate whose private key resides on a smartcard
(Yubikey, to be exact). I wanted Dovecot to accept that TLS client
certificate instead of a password. So I searched and found this wiki

But that Wiki page says:

  The CA file should contain the certificate(s) followed by the matching
  CRL(s). Note that the CRLs are required to exist.

I have now spent three hours or so messing with OpenSSL to get a CRL generated
for my self-signed certificate, but I can't get that to work (the
problem apparently being that OpenSSL doesn't play well with private
keys on smartcards). It doesn't make sense anyway: why does one need a
CRL for a self-signed certificate? If the self-signed certificate's key
gets compromised, the CRL does not help at all.

So, here are my questions:

1. Is a CRL really a hard requirement?
2. If not: can I just use the self-signed certificate of my private key
   for the ssl_ca setting?
3. If yes: any idea how I can generate a CRL for my smartcard-bound
   self-signed certificate?

Marvin

--

You will save yourself from a world of hurt if you use a dummy CA to sign your smartcard cert. You can try without generating a CRL.
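The dummy-CA route from the reply, worked through with OpenSSL as an added example (not from the thread, the wiki or Dovecot itself): it creates a throwaway CA, signs a client certificate with it, issues an empty CRL and concatenates CA certificate plus CRL into the file the wiki describes for ssl_ca, then checks that the client certificate verifies with CRL checking on and that the same check fails when the CRL is left out. Assumptions: the client key is a software key standing in for the Yubikey-held key (with the card you would produce the CSR from it instead), and all file names under `$WORK` are made up for this example.

```shell
# Added example: dummy CA + empty CRL -> bundle for Dovecot's ssl_ca.
# Assumption: client.key is a throwaway software key standing in for the
# smartcard key; a real setup would get the CSR from the Yubikey instead.
set -eu
WORK=$(mktemp -d)

make_dummy_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Dummy Dovecot client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # 'openssl ca -gencrl' needs a database (empty is fine) and a CRL number
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = dummy
[ dummy ]
database = $WORK/index.txt
crlnumber = $WORK/crlnumber
default_md = sha256
default_crl_days = 30
EOF
}

sign_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=marvin" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/client.crt" 2>/dev/null
}

build_ssl_ca_bundle() {
  # Empty CRL (nothing revoked yet), appended after the CA certificate
  openssl ca -config "$WORK/ca.cnf" -gencrl -keyfile "$WORK/ca.key" \
    -cert "$WORK/ca.crt" -out "$WORK/ca.crl" 2>/dev/null
  cat "$WORK/ca.crt" "$WORK/ca.crl" > "$WORK/dovecot-client-ca.pem"
}

# 0 when the client cert verifies against the bundle with CRL checking on
verify_with_crl_check() {
  openssl verify -crl_check -CAfile "$WORK/dovecot-client-ca.pem" \
    "$WORK/client.crt" >/dev/null 2>&1
}

# 0 when the same check fails because the CA file carries no CRL
verify_without_crl_fails() {
  ! openssl verify -crl_check -CAfile "$WORK/ca.crt" \
    "$WORK/client.crt" >/dev/null 2>&1
}

make_dummy_ca; sign_client_cert; build_ssl_ca_bundle
```

Point ssl_ca at the resulting dovecot-client-ca.pem; when a client certificate later needs revoking, re-issue the CRL with the same dummy CA and rebuild the bundle.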