[Dovecot] Dovecot with SSL Client Certification
Timo Sirainen
tss at iki.fi
Mon Aug 3 06:46:19 EEST 2009
On Thu, 2009-07-30 at 20:37 +0300, Evaggelos Balaskas wrote:
> openssl req -new -x509 -nodes -out dovecot.crt -keyout dovecot.key -days 1825
I guess this is ok, but to prevent confusion let's say these were
client.crt and client.key instead.
> # Country Name (2 letter code) [AU]:GR
> # State or Province Name (full name) [Some-State]:Athens
> # Locality Name (eg, city) []:Aigaleo
> # Organization Name (eg, company) [Internet Widgits Pty Ltd]:Ebalaskas.Gr
> # Organizational Unit Name (eg, section) []:Mail Apps
> # Common Name (eg, YOUR name) []:myhome
> # Email Address []:ebalaskas at ebalaskas.gr
>
> openssl pkcs12 -export -in dovecot.crt -inkey dovecot.key \
> -name "dovecot Certificate Client" -out dovecot.p12
Again client.crt, client.key here.
> openssl ca -gencrl -keyfile dovecot.key -cert dovecot.crt -out dovecot.crl -selfsign
What do you do with the dovecot.crl here? It's a client CRL and unless
you add it to the Dovecot's CRL list it's not necessary. Also the
-selfsign is ignored.
> I've imported the dovecot.p12 to thunderbird certificates and
> dovecot.crt to thunderbird authorities
> (i've tried claws mail too - same errors)
OK.
> ssl_ca_file: /opt/certificates/dovecot/dovecot.crl
This is probably where the problem is. This file must contain the CA
certificate and the CRL, not just the CRL. And initially the CRL should
be empty.
> ssl_cert_file: /opt/certificates/dovecot/dovecot.crt
> ssl_key_file: /opt/certificates/dovecot/dovecot.key
And I hope these dovecot.* files aren't the same you just generated for
the client?
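The setup the reply is steering towards, written out as an added example (this is not code from the thread, from Timo, or from the Dovecot project): a private CA issues the client certificate instead of the client certificate being self-signed, the mail client gets the PKCS#12 bundle, and Dovecot's ssl_ca_file is the CA certificate followed by an initially empty CRL. The CA name, file paths, the openssl.cnf and the PKCS#12 password are assumptions chosen for illustration. The verify step is the same check the server performs, run once against the CA-signed certificate (accepted), once against a self-signed certificate like the one in the original post (rejected), and once after the client certificate has been revoked and the CRL reissued (rejected), which is why the CRL belongs in the bundle at all.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA for mail-client certificates.
# CA name, paths, openssl.cnf contents and the PKCS#12 password are assumptions.
set -eu

# Build the CA, sign one client certificate and assemble the file that goes into
# Dovecot's ssl_ca_file: CA certificate followed by an (empty) CRL.
build_client_cert_ca() (
    cd "$1"
    mkdir -p ca/newcerts
    : > ca/index.txt            # 'openssl ca' database, empty to start
    echo 01 > ca/serial
    echo 01 > ca/crlnumber

    # Minimal config so 'openssl ca' can sign, revoke and issue CRLs.
    cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca       = local_ca

[ local_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 30
policy           = policy_any

[ policy_any ]
commonName       = supplied
EOF

    # 1. The CA itself: the only self-signed certificate in this setup.
    openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 1825 \
        -subj "/CN=Example Mail Client CA" \
        -keyout ca/ca.key -out ca/ca.crt 2>/dev/null

    # 2. Client key and CSR, signed by the CA rather than by itself.
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -subj "/CN=myhome" -keyout client.key -out client.csr 2>/dev/null
    openssl ca -batch -config ca/openssl.cnf -days 365 -notext \
        -in client.csr -out client.crt 2>/dev/null

    # 3. PKCS#12 bundle for the mail client (this is what Thunderbird imports).
    openssl pkcs12 -export -in client.crt -inkey client.key \
        -name "client certificate" -passout pass:changeit -out client.p12

    # 4. CRL with nothing revoked yet, signed by the CA.
    openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null

    # 5. ssl_ca_file = CA certificate + CRL in one PEM file.
    cat ca/ca.crt ca/ca.crl > dovecot-ca.pem
)

# True if the CRL in the bundle directory lists no revoked certificates.
crl_is_empty() (
    cd "$1"
    openssl crl -in ca/ca.crl -noout -text | grep -q "No Revoked Certificates"
)

# The check the server performs on a presented client certificate: chain it to
# the trusted CA and consult the CRL. Returns 0 on accept, non-zero on reject.
client_cert_verifies() (
    cd "$1"
    openssl verify -crl_check -CAfile dovecot-ca.pem "$2" >/dev/null 2>&1
)

# A self-signed "client" certificate with no CA behind it.
make_selfsigned_client() (
    cd "$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1825 \
        -subj "/CN=myhome" -keyout self.key -out self.crt 2>/dev/null
)

# Revoke the client certificate, reissue the CRL and rebuild the bundle.
revoke_client_cert() (
    cd "$1"
    openssl ca -config ca/openssl.cnf -revoke client.crt 2>/dev/null
    openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null
    cat ca/ca.crt ca/ca.crl > dovecot-ca.pem
)

# Stand-alone demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
build_client_cert_ca "$demo_dir"
echo "ssl_ca_file bundle: $demo_dir/dovecot-ca.pem"
if client_cert_verifies "$demo_dir" client.crt; then
    echo "CA-signed client.crt: accepted"
fi
make_selfsigned_client "$demo_dir"
if ! client_cert_verifies "$demo_dir" self.crt; then
    echo "self-signed self.crt: rejected (no trusted issuer)"
fi
revoke_client_cert "$demo_dir"
if ! client_cert_verifies "$demo_dir" client.crt; then
    echo "client.crt after revocation: rejected"
fi
```

Point ssl_ca_file at the generated dovecot-ca.pem (and ssl_cert_file/ssl_key_file at a separate server certificate and key, not at the client files), and enable client certificate verification in the Dovecot version in use (ssl_verify_client_cert = yes in the 1.x configuration this thread uses). Whenever a client certificate is revoked, the CRL has to be regenerated and the bundle rebuilt as revoke_client_cert does; a stale CRL in ssl_ca_file keeps accepting the revoked certificate.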