Dear List,
I self-host my e-mail and run Dovecot since ever I do that. Dovecot version is 2.3.4.1 (f79e8e7e4), running on Debian testing.
Now I am trying to configure Dovecot for client TLS certificates. I have a self-signed certificate whose private key resides on a smartcard (Yubikey, to be exact). I wanted Dovecot to accept that TLS client certificate instead of a password. So I searched and found this wiki page: https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verifi...
But that Wiki page says:
The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist.
I have now messed three hours or so with OpenSSL to get a CRL generated for my self-signed certificate, but I can't get that to work (the problem appearently being that OpenSSL doesn't play well with private keys on smartcards). It doesn't make sense anyway, why does one need a CRL for a self-signed certificate? If the self-signed certificate's key gets compromised, the CRL does not help at all.
So, here are my questions:
- Is a CRL really a hard requirement?
- If not: can I just use the self-signed certificate of my private key for the ssl_ca setting?
- If yes: any idea how I can generate a CRL for my smartcard-bound self-signed certificate?
Marvin
-- Blog: https://mg.guelker.eu