Self-signed TLS client certificates

Marvin Gülker post+dovecot at guelker.eu
Sun Jun 16 15:47:58 EEST 2019


Dear List,

I self-host my e-mail and run Dovecot since ever I do that. Dovecot
version is 2.3.4.1 (f79e8e7e4), running on Debian testing.

Now I am trying to configure Dovecot for client TLS certificates. I have
a self-signed certificate whose private key resides on a smartcard
(Yubikey, to be exact). I wanted Dovecot to accept that TLS client
certificate instead of a password. So I searched and found this wiki
page: <https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication>

But that Wiki page says:

> The CA file should contain the certificate(s) followed by the matching
> CRL(s). Note that the CRLs are required to exist.

I have now messed three hours or so with OpenSSL to get a CRL generated
for my self-signed certificate, but I can't get that to work (the
problem appearently being that OpenSSL doesn't play well with private
keys on smartcards). It doesn't make sense anyway, why does one need a
CRL for a self-signed certificate? If the self-signed certificate's key
gets compromised, the CRL does not help at all.

So, here are my questions:

1. Is a CRL really a hard requirement?
2. If not: can I just use the self-signed certificate of my private key
   for the ssl_ca setting?
3. If yes: any idea how I can generate a CRL for my smartcard-bound
   self-signed certificate?

Marvin

-- 
Blog: https://mg.guelker.eu


More information about the dovecot mailing list