assuming you’ve got dovecot and your CA up and running already


Not using the CN as username: we still require the username to be submitted. We could otherwise use x500UniqueIdentifier or emailAddress for virtual hosting. SAN entries do not count in this use-case with Dovecot.

It’s worth noting that postfix-sasl cannot deal with client certificates. This is why we simply disable it for SASL, to at least have it for IMAP.

postfix/sasl/smtpd[1502]: Anonymous TLS connection established from IP-ADDRESS: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256

postfix/sasl/smtpd[1502]: warning: IP-ADDRESS: SASL PLAIN authentication failed: Client didn't present valid SSL certificate


Dovecot wants the CRLs to be concatenated with (after) the Root cert.
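The two points above (which subject field becomes the username, and the root cert followed by its CRL as the ssl_ca bundle), as an added example that is not part of the original page. It builds a disposable CA in a temporary directory with the openssl CLI, issues two client certs, revokes one, and then checks both against the concatenated bundle the way a CRL-aware verifier would; all names and addresses are constructed, and the claim that `openssl verify -purpose sslclient -crl_check` approximates what the IMAP server ends up checking is an assumption of this example, not something the page states:

```shell
# Added example, not from the original page. Throw-away CA in a temp dir to show
# (1) which subject field would become the Dovecot username and (2) that the
# "root cert followed by its CRL" bundle ssl_ca expects is exactly what
# `openssl verify -crl_check -CAfile` consumes. All names/addresses are made up.
set -eu

WORKDIR=$(mktemp -d)
CA_CNF="$WORKDIR/ca.cnf"

make_ca() {
    # Minimal openssl.cnf: enough for `req -x509` and for `ca -revoke/-gencrl`.
    cat > "$CA_CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORKDIR/index.txt
crlnumber = $WORKDIR/crlnumber
default_md = sha256
default_crl_days = 1
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    : > "$WORKDIR/index.txt"
    echo 1000 > "$WORKDIR/crlnumber"
    # Root key without passphrase only because this CA is disposable.
    openssl req -config "$CA_CNF" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
    printf 'extendedKeyUsage = clientAuth\n' > "$WORKDIR/client.ext"
}

# issue_client NAME EMAIL: client cert with CN=NAME and emailAddress=EMAIL in its subject
issue_client() {
    openssl req -config "$CA_CNF" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORKDIR/client.ext" \
        -out "$WORKDIR/$1.crt" 2>/dev/null
}

revoke_client() {
    openssl ca -config "$CA_CNF" -cert "$WORKDIR/ca.crt" -keyfile "$WORKDIR/ca.key" \
        -revoke "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Root cert first, CRL after it: the layout the page says ssl_ca wants.
build_bundle() {
    openssl ca -config "$CA_CNF" -cert "$WORKDIR/ca.crt" -keyfile "$WORKDIR/ca.key" \
        -gencrl -out "$WORKDIR/ca.crl" 2>/dev/null
    cat "$WORKDIR/ca.crt" "$WORKDIR/ca.crl" > "$WORKDIR/ca-bundle.pem"
}

# Prints the emailAddress RDN, i.e. what ssl_cert_username_field = emailAddress would use.
cert_username_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | tr ',' '\n' | sed -n 's/^.*emailAddress=//p'
}

# 0 = chains to the CA, not on the CRL, usable as a TLS client; non-zero otherwise.
# Assumed here to approximate ssl_ca + ssl_require_crl + ssl_verify_client_cert.
check_client_cert() {
    openssl verify -purpose sslclient -crl_check -CAfile "$WORKDIR/ca-bundle.pem" "$1" >/dev/null 2>&1
}

make_ca
issue_client alice alice@example.org
issue_client bob bob@example.org
revoke_client alice
build_bundle
for u in alice bob; do
    if check_client_cert "$WORKDIR/$u.crt"; then
        echo "$u ($(cert_username_field "$WORKDIR/$u.crt")): accepted"
    else
        echo "$u: rejected (revoked or not issued by this CA)"
    fi
done
```

Dropping `-crl_check` from the verify call makes the revoked cert pass again, which is the situation `ssl_require_crl = yes` is there to prevent.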


add external as auth method

    vi /etc/dovecot/dovecot.conf

    auth_mechanisms = plain login external

    protocol !smtp {
        auth_ssl_require_client_cert = yes
        auth_ssl_username_from_cert = no
    }

    # client cert
    ssl_ca = </etc/ssl/ORG-ROOT-CA/ca.crt
    ssl_require_crl = yes
    ssl_verify_client_cert = yes
    #ssl_cert_username_field =
    # x500UniqueIdentifier
    # emailAddress

import the client cert into your client and you will see e.g. Thunderbird asking which client cert it shall use when trying to connect.


in some extremely paranoid use-case, you might also want to switch to your own CA for the server cert

    ssl_cert = </etc/ssl/NETHENCE-ROOT-CA/xc.crt
    ssl_key = </etc/ssl/NETHENCE-ROOT-CA/xc.key

and you obviously need to import the CA cert into your client for that matter.


while trying to auth with Thunderbird and the client cert

    dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=HOME, arg=.: user=<>,

==> simply wrong path to the server cert?

    dovecot: imap-login: Error: Failed to initialize SSL server context: Couldn't parse private SSL key (ssl_key setting) (maybe ssl_key_password is wrong?): error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt, error:0906A065:PEM routines:PEM_do_header:bad decrypt: user=<>, rip=, lip=, session=<uP2WCZe63LU+3VMs>

==> don’t use the CA key as the server key, as it wants a passphrase (it could otherwise have done the trick, unless you do it right and dedicate an offline machine for your CA).
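A pre-flight check for the files named by ssl_cert and ssl_key, as an added example that is not part of the original page. It covers the two failures quoted above (an unreadable or misnamed path, and a passphrase-protected key that gives "bad decrypt") plus a cert/key mismatch, and generates its own sample certificate and keys in a temporary directory with the openssl CLI; file names, the hostname and the passphrase are constructed:

```shell
# Added example, not from the original page: sanity-check a Dovecot ssl_cert /
# ssl_key pair before reloading. Sample material is generated below in a temp dir.
set -eu

WORKDIR=$(mktemp -d)

# SHA-256 of the DER public key held in a cert ($2 = cert) or a private key ($2 = key).
pubkey_digest() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
    else
        openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
    fi
}

# check_ssl_pair CERT KEY -> 0 ok, 1 file missing/unreadable,
#                           2 key needs a passphrase, 3 cert and key do not match
check_ssl_pair() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED"
    # both carry this word; Dovecot would then need ssl_key_password.
    if grep -q ENCRYPTED "$2"; then return 2; fi
    [ "$(pubkey_digest "$1" cert)" = "$(pubkey_digest "$2" key)" ] || return 3
}

# Constructed test material: a self-signed server cert with its key, a
# passphrase-protected key standing in for the CA key, and an unrelated key.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORKDIR/req.cnf"
openssl req -config "$WORKDIR/req.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=imap.example.org" \
    -keyout "$WORKDIR/xc.key" -out "$WORKDIR/xc.crt" 2>/dev/null
openssl genpkey -algorithm RSA -aes-256-cbc -pass pass:constructed \
    -out "$WORKDIR/ca.key" 2>/dev/null
openssl genpkey -algorithm RSA -out "$WORKDIR/other.key" 2>/dev/null

for key in xc.key ca.key other.key missing.key; do
    status=0
    check_ssl_pair "$WORKDIR/xc.crt" "$WORKDIR/$key" || status=$?
    case $status in
        0) msg="ok" ;;
        1) msg="file missing or unreadable (wrong path?)" ;;
        2) msg="key is passphrase-protected, Dovecot would report 'bad decrypt'" ;;
        3) msg="key does not belong to this certificate" ;;
    esac
    echo "ssl_key = <$WORKDIR/$key: $msg"
done
```

The same check is useful on the client-certificate side before importing a PKCS#12 bundle, since a mismatched key there fails just as silently from the server's point of view.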




passwd + pkix

server capabilities

nsCertType and CRL


no SAN