On 16 June 2019 at 15:53 +0300, Aki Tuomi via dovecot wrote:
You will save yourself from a world of hurt if you use a dummy CA to sign your smartcard cert. You can try without generating a CRL.
I see. I've done that now, but the effort required seems to be disproportionate. I'm just a single person. Requiring a full-blown CA setup is like cracking breakfast eggs with a car. Now I not only have to take care of my smartcard, but also of an almighty CA private key that could be abused to impersonate me and that's not on my smartcard.
Don't get me wrong. Dovecot is great software, but I think that X.509 was most certainly not designed for the needs of small setups, up to a point where I find working with it just frustrating. OpenSSL's very unhelpful error messages ("engine error") certainly aren't suitable to change my mind on the topic.
Anyway, thanks. Now I just need to figure out how to set up my mail client for TLS client certificates...
-- Blog: https://mg.guelker.eu