similar to: Self-signed TLS client certificates

<!doctype html> <html> <head> <meta charset="UTF-8"> </head> <body> <div> <br> </div> <blockquote type="cite"> <div> On 16 June 2019 15:47 Marvin Gülker via dovecot < <a href="mailto:dovecot@dovecot.org">dovecot@dovecot.org</a>> wrote: </div>

Am 16. Juni 2019 um 15:53 Uhr +0300 schrieb Aki Tuomi via dovecot: > You will save yourself from world of hurt if you use a dummy ca to sign > you smartcard cert. You can try without generating a CRL. I see. I've done that now, but the effort required seems to be disproportionate. I'm just a single person. Requiring a full-blown CA setup is like cracking breakfast eggs with a

Unfortunately this does not work. Example: Yes, when i give it a few Days, the client will retrieve the actual crl faster. But the auth still works. I have tried it. I revoked an cert. Installed a new win10 client and joined the domain. After login with the revoked p12 cert on a yubikey, i can see he queries the CDP and still allows the login. With certutil and a cert in DER format, i tried

Hi, I have a smartcard which is revoked in the Certificate Revocation List (CRL) but I can still login. Seams like the CRL check is not performed. Any known bug around this? Server setup: - Samba 4.4 on Debian as AD DC - Created domain MYDOM - smb.conf (extract): tls enabled = yes tls crlfile = tls/mycrl.pem (default is to look under private/ folder) Client setup: - Windows 7 machine as

Thanks but I've actually tried that too. Not sure I put it in [kdc] section though, I can try again. Den 21 sep. 2017 20:54 skrev "Andrew Bartlett" <abartlet at samba.org>: > On Thu, 2017-09-21 at 13:01 +0200, Peter L via samba wrote: > > Hi, > > I have a smartcard which is revoked in the Certificate Revocation List > > (CRL) but I can still login. Seams

Hi, already asked in the openssl mailing list, but just in case you already went through this... I need a little help with Certificate Revocation Lists. I did setup client certificates filtering with apache and it seem to work fine so far (used a tutorial on http://www.adone.info/?p=4, down right now). I have a "CA" that is signing a "CA SSL". Then, the "CA SSL" is

Hi I'm trying to use dovecot with client certificates. We produce our certificates with our on CA and we do NOT use certificate revocation lists. So I put "ssl_require_crl = no" into 10-ssl.conf. I did not find a solution neither in the wiki nor somewhere else, so I finally started to read the source. My impression is that openssl will always try to use CRLs. If

Confusing. Github says that is open. Ok. My mistake. The question remains why the Windows clients allow login for an expired certificate despite a correctly loaded CRL. What is the purpose of specifying the CRL in smb.conf? It seems to me that the smartcard login is not really reliable. Then my users still have to log in with password. For now, as long as 4.19 is not yet released. Hans

Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one

Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki: "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required

On Fri, 2016-06-17 at 15:56 +0100, Michael H wrote: > On 17/06/16 15:46, James B. Byrne wrote: > > > > We operate a private CA for our domain and have since 2005. We > > maintain a public CRL strictly in accordance with our CPS and have our > > own OID assigned. Our CPS and CRL together with our active, expired > > and revoked certificate inventory is

Hello, As far as I can read in the Dovecot SSL configuration wiki page, each CA cert must be followed by the related CA CRL in the client certificate verification context ("ssl_ca_file" setting). In my company we do have our own PKI and as soon as Client certificate is compromised we do revoke it and update the related CA's CRL. Does that mean that I have to issue a new

I found an old bugzilla report for this behavior: https://bugzilla.samba.org/show_bug.cgi?id=9612 According to the statements in it, there was a patch already in version 4.16 and in heimdal 8 last year? Which option must be in the krb5.conf? I have tried kdc_pkinit_revoke and pkinit_revoke. Both have no effect. Am 19.07.2023 um 14:27 schrieb Hans Schulze via samba: > Unfortunately this

On 17.06.2016 22:39, ????????? ???????? wrote: >> yes and no, but faking a valid OCSP response that says good instead of >> revoked is also possible ... > > Could you please provide any proof for that statement? If it were true > the whole PKI infrastructure should probably be thrown out of the > window. ) question back: is the SHA2 discussion a real security impact or

On Thu, June 16, 2016 13:53, Walter H. wrote: > On 15.06.2016 16:17, Warren Young wrote: >> but it also affects the other public CAs: you can???t get a >> publicly-trusted cert for a machine without a publicly-recognized >> and -visible domain name. For that, you still need to use >> self-signed certs or certs signed by a private CA. >> > A private CA is the

On Mon, 21 Sep 2015, Edgar Pettijohn wrote: > doveconf -n? doveconf -n|grep ssl should suffice: ssl = required ssl_ca = </usr/local/share/certs/ca-root-nss.crt ssl_cert = </path/to/my/file.pem ssl_key = </path/to/my/file.pem ssl_require_crl = no I'm using "ssl_ca = </usr/local/share/certs/ca-root-nss.crt" as a temporary workaround, even though this is not what

On 2015/2/16 16:28, Jochen Bern wrote: > On 02/16/2015 04:23 PM, Reindl Harald wrote: >>> "The CA file should contain the certificate(s) followed by the >>> matching CRL(s). Note that the CRLs are required to exist. For a >>> multi-level CA place the certificates in this order: >>> >>> Issuing CA cert >>> Issuing CA CRL

On 20/07/2023 09:37, Hans Schulze via samba wrote: > I found an old bugzilla report for this behavior: > > https://bugzilla.samba.org/show_bug.cgi?id=9612 > > According to the statements in it, there was a patch already in version > 4.16 and in heimdal 8 last year? Which option must be in the krb5.conf? Sorry, but I read it slightly differently, there was a patch available,

On 17.06.2016 19:57, ????????? ???????? wrote: >>> Then OCSP stapling is the way to go but it could be a real PITA to >>> setup for the first time and may not be supported by older browsers >>> anyway. >>> >> not really, because the same server tells the client that the SSL >> certificate is good, as the SSL certificate itself; >> these must

On Sat, June 18, 2016 7:52 am, Always Learning wrote: > > On Fri, 2016-06-17 at 15:56 +0100, Michael H wrote: > >> On 17/06/16 15:46, James B. Byrne wrote: > >> > >> > We operate a private CA for our domain and have since 2005. We >> > maintain a public CRL strictly in accordance with our CPS and have our >> > own OID assigned. Our CPS and