Dear List, I self-host my e-mail and run Dovecot since ever I do that. Dovecot version is 2.3.4.1 (f79e8e7e4), running on Debian testing. Now I am trying to configure Dovecot for client TLS certificates. I have a self-signed certificate whose private key resides on a smartcard (Yubikey, to be exact). I wanted Dovecot to accept that TLS client certificate instead of a password. So I searched and found this wiki page: <https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication> But that Wiki page says:> The CA file should contain the certificate(s) followed by the matching > CRL(s). Note that the CRLs are required to exist.I have now messed three hours or so with OpenSSL to get a CRL generated for my self-signed certificate, but I can't get that to work (the problem appearently being that OpenSSL doesn't play well with private keys on smartcards). It doesn't make sense anyway, why does one need a CRL for a self-signed certificate? If the self-signed certificate's key gets compromised, the CRL does not help at all. So, here are my questions: 1. Is a CRL really a hard requirement? 2. If not: can I just use the self-signed certificate of my private key for the ssl_ca setting? 3. If yes: any idea how I can generate a CRL for my smartcard-bound self-signed certificate? Marvin -- Blog: https://mg.guelker.eu
<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 16 June 2019 15:47 Marvin Gülker via dovecot < <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote: </div> <div> <br> </div> <div> <br> </div> <div> Dear List, </div> <div> <br> </div> <div> I self-host my e-mail and run Dovecot since ever I do that. Dovecot </div> <div> version is 2.3.4.1 (f79e8e7e4), running on Debian testing. </div> <div> <br> </div> <div> Now I am trying to configure Dovecot for client TLS certificates. I have </div> <div> a self-signed certificate whose private key resides on a smartcard </div> <div> (Yubikey, to be exact). I wanted Dovecot to accept that TLS client </div> <div> certificate instead of a password. So I searched and found this wiki </div> <div> page: < <a href="https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication" rel="noopener" target="_blank">https://wiki2.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication</a>> </div> <div> <br> </div> <div> But that Wiki page says: </div> <div> <br> </div> <blockquote type="cite"> <div> The CA file should contain the certificate(s) followed by the matching </div> <div> CRL(s). Note that the CRLs are required to exist. </div> </blockquote> <div> I have now messed three hours or so with OpenSSL to get a CRL generated </div> <div> for my self-signed certificate, but I can't get that to work (the </div> <div> problem appearently being that OpenSSL doesn't play well with private </div> <div> keys on smartcards). It doesn't make sense anyway, why does one need a </div> <div> CRL for a self-signed certificate? If the self-signed certificate's key </div> <div> gets compromised, the CRL does not help at all. </div> <div> <br> </div> <div> So, here are my questions: </div> <div> <br> </div> <div> 1. Is a CRL really a hard requirement? </div> <div> 2. If not: can I just use the self-signed certificate of my private key </div> <div> for the ssl_ca setting? </div> <div> 3. If yes: any idea how I can generate a CRL for my smartcard-bound </div> <div> self-signed certificate? </div> <div> <br> </div> <div> Marvin </div> <div> <br> </div> <div> -- </div> <div> Blog: <a href="https://mg.guelker.eu" rel="noopener" target="_blank">https://mg.guelker.eu</a> </div> </blockquote> <div> <br> </div> <div> You will save yourself from world of hurt if you use a dummy ca to sign you smartcard cert. You can try without generating a CRL. </div> <div> <br> </div> <div> To generate crl you need a functional ca config. </div> <div class="io-ox-signature"> <pre>--- Aki Tuomi</pre> </div> </body> </html>
Am 16. Juni 2019 um 15:53 Uhr +0300 schrieb Aki Tuomi via dovecot:> You will save yourself from world of hurt if you use a dummy ca to sign > you smartcard cert. You can try without generating a CRL.I see. I've done that now, but the effort required seems to be disproportionate. I'm just a single person. Requiring a full-blown CA setup is like cracking breakfast eggs with a car. Now I not only have to take care about my smartcard, but also of an almighty CA private key that could be abused to impersonate me and that's not on my smartcard. Don't get me wrong. Dovecot is great software, but I think that X.509 was most certainly not designed for the needs of small setups, up to a point where I find working with it just frustrating. OpenSSL's very unhelpful error messages ("engine error") certainly aren't suitable to change my mind on the topic. Anyway, thanks. Now I just need to figure out how to set up my mail client for TLS client certificates... -- Blog: https://mg.guelker.eu