Self-signed TLS client certificates
Marvin Gülker
post+dovecot at guelker.eu
Sun Jun 16 15:47:58 EEST 2019
Dear List,
I self-host my e-mail and run Dovecot since ever I do that. Dovecot
version is 2.3.4.1 (f79e8e7e4), running on Debian testing.
Now I am trying to configure Dovecot for client TLS certificates. I have
a self-signed certificate whose private key resides on a smartcard
(Yubikey, to be exact). I wanted Dovecot to accept that TLS client
certificate instead of a password. So I searched and found this wiki
page: <https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication>
But that Wiki page says:
> The CA file should contain the certificate(s) followed by the matching
> CRL(s). Note that the CRLs are required to exist.
I have now messed three hours or so with OpenSSL to get a CRL generated
for my self-signed certificate, but I can't get that to work (the
problem appearently being that OpenSSL doesn't play well with private
keys on smartcards). It doesn't make sense anyway, why does one need a
CRL for a self-signed certificate? If the self-signed certificate's key
gets compromised, the CRL does not help at all.
So, here are my questions:
1. Is a CRL really a hard requirement?
2. If not: can I just use the self-signed certificate of my private key
for the ssl_ca setting?
3. If yes: any idea how I can generate a CRL for my smartcard-bound
self-signed certificate?
Marvin
--
Blog: https://mg.guelker.eu
More information about the dovecot
mailing list