On 16 June 2019 at 15:53 +0300, Aki Tuomi via dovecot wrote:

      You will save yourself from a world of hurt if you use a dummy CA to sign
      your smartcard cert. You can try without generating a CRL.

     I see. I've done that now, but the effort required seems to be
     disproportionate. I'm just a single person. Requiring a full-blown CA
     setup is like cracking breakfast eggs with a car. Now I not only have to
     take care of my smartcard, but also of an almighty CA private key
     that could be abused to impersonate me and that's not on my smartcard.

     Don't get me wrong. Dovecot is great software, but I think that X.509
     was most certainly not designed for the needs of small setups, up to a
     point where I find working with it just frustrating. OpenSSL's very
     unhelpful error messages ("engine error") certainly aren't
     suitable to change my mind on the topic.

     Anyway, thanks. Now I just need to figure out how to set up my mail
     client for TLS client certificates...

     --

    By specifying long enough validity and next CRL day you could just safely discard the CA private key once all is signed. Long like 5 years at least.
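
The approach from the last reply, as an added example that is not part of the original thread: a throwaway CA signs one client certificate and one long-lived CRL, and its private key is then deleted. File names, subject names and the 1825-day default are assumptions, and a software key stands in for the smartcard, which would normally produce the CSR.

```shell
#!/bin/sh
# Added sketch: one-shot CA whose private key is deleted after signing.
# File names, subjects and the 1825-day (5-year) default are assumptions.

make_dummy_ca() (
    dir=$1; days=${2:-1825}
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Self-signed CA certificate and its (temporary) private key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Dummy CA (constructed)" \
        -keyout ca.key -out ca.crt 2>/dev/null || exit 1
    # Stand-in for the smartcard: in real use the CSR comes from the card's key.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user (constructed)" \
        -keyout client.key -out client.csr 2>/dev/null || exit 1
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days "$days" -out client.crt 2>/dev/null || exit 1
    # Minimal CA database so that "openssl ca -gencrl" can run.
    : > index.txt
    printf '%s\n' '[ca]' 'default_ca = dummy' '[dummy]' \
        'database = index.txt' 'default_md = sha256' > ca.cnf
    # Empty CRL whose nextUpdate lies $days ahead, so it does not go stale.
    openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt \
        -crldays "$days" -out ca.crl 2>/dev/null || exit 1
    # Nothing else needs signing: remove the CA key and the scratch files.
    rm -f ca.key ca.srl ca.cnf index.txt index.txt.attr client.csr
)

# Verify the client certificate the way a CRL-checking server would.
check_client() (
    cd "$1" || exit 1
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl client.crt >/dev/null 2>&1
)
```

Once the CA key is gone the CRL can never be reissued, so revoking the certificate later means replacing the CA certificate on the server.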