how to setup dovecot to accept client certificates signed with a private CA when the server certificate is signed by a public CA

Arjen de Korte build+dovecot at de-korte.org
Mon Aug 8 09:45:26 UTC 2022


Citeren jean-christophe manciot <actionmystique at gmail.com>:

> Hi everyone,
>
> I'm trying to setup dovecot to accept only client certificates created
> with a private CA:
> auth_ssl_require_client_cert = yes
> ssl_verify_client_cert = yes
> ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem

This is wrong; you should enter your private CA here. If
'ssl_verify_client_cert' is not set to 'yes', this field should
generally be empty / not configured.

> At the same time, dovecot is setup with an SSL certificate created by
> a public CA (let's encrypt):
> ssl = required
> ssl_cert = </etc/ssl/fullchain.pem
> ssl_key = </etc/ssl/key.pem
>
> When I try to connect to the server with a client (evolution), I get a
> connection error:
> "Client did not present valid SSL certificate" except that it is valid.
>
> As you probably already know, let's encrypt does not create client
> certificates.
> It seems that using a different CA for client certificates and for the
> server certificate is unsupported.
>
> Am I missing something?

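The configuration the reply describes, written out as an added example (not part of the original thread and not from the Dovecot project): the server certificate chain stays the public one, while 'ssl_ca' names only the private CA that issued the client certificates. The file paths under /etc/ssl/ and the name private-ca.pem are assumptions; the public CA bundle is shown only as the setting to avoid.

```conf
# Server identity: certificate and key issued by the public CA (let's encrypt).
# This chain is what clients verify when they connect.
ssl = required
ssl_cert = </etc/ssl/fullchain.pem
ssl_key = </etc/ssl/key.pem

# Client authentication: require a client certificate and verify it.
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes

# WRONG (the original setting): a bundle of public CA certificates.
# Dovecot would then accept any client certificate chaining to a public CA,
# and a certificate from the private CA would be rejected with
# "Client did not present valid SSL certificate".
#ssl_ca = </etc/ssl/CA_Certificate_CRL_bundle.pem

# CORRECT: only the private CA that signs the client certificates.
# Path is an assumption; put the CA certificate (and its CRL, if any) here.
ssl_ca = </etc/ssl/private-ca.pem

# If the private CA publishes no CRL, disable the CRL requirement;
# otherwise Dovecot expects the CRL in the ssl_ca file.
ssl_require_crl = no
```

Before restarting Dovecot, confirm that a client certificate actually chains to the file given in 'ssl_ca' with `openssl verify -CAfile /etc/ssl/private-ca.pem client.pem`; the server chain and the client CA are independent, so the public CA never needs to appear in 'ssl_ca'.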