assuming you’ve got dovecot and your CA up and running already
Not using CN as username: we still require the username to be submitted. We could otherwise use x500UniqueIdentifier or emailAddress for virtual hosting. SAN entries do not count in this use-case with Dovecot.
It's worth noting that postfix-sasl cannot deal with client certificates. This is why we simply disable the client-cert requirement for SASL, so that we at least have it for IMAP.
postfix/sasl/smtpd[1502]: Anonymous TLS connection established from IP-ADDRESS: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
postfix/sasl/smtpd[1502]: warning: IP-ADDRESS: SASL PLAIN authentication failed: Client didn't present valid SSL certificate
Dovecot wants the CRLs to be concatenated with (after) the Root cert.
add external as auth method

vi /etc/dovecot/dovecot.conf

auth_mechanisms = plain login external
protocol !smtp {
    auth_ssl_require_client_cert = yes
    auth_ssl_username_from_cert = no
}
...
# client cert
ssl_ca = </etc/ssl/ORG-ROOT-CA/ca.crt
ssl_require_crl = yes
ssl_verify_client_cert = yes
#ssl_cert_username_field = # x500UniqueIdentifier # emailAddress
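Since Dovecot loads the CRL from the same file as the root cert (ssl_ca) and enforces it through ssl_require_crl, it helps to build that bundle and check a client cert against it with the same OpenSSL verification before touching dovecot.conf. The script below is an added example, not from the original page: it creates a throwaway CA in a temp dir (all names and paths are constructed), builds the "root cert, then CRL" bundle, verifies a client cert, revokes it, and verifies again.

```shell
#!/bin/sh
# Added example, not from the original page: build the "root cert, then CRL" bundle that
# Dovecot's ssl_ca + ssl_require_crl expect, and verify a client cert against it the way
# Dovecot's OpenSSL verifier does. Throwaway CA in a temp dir; all names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 30
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
# Self-signed root, then one client cert carrying emailAddress (the field the page
# mentions for ssl_cert_username_field) issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -config ca.cnf \
  -subj "/CN=DEMO-ROOT-CA" -addext basicConstraints=critical,CA:TRUE >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr -config ca.cnf \
  -subj "/CN=alice/emailAddress=alice@example.test" >/dev/null 2>&1
openssl ca -batch -config ca.cnf -in client.csr -out client.crt >/dev/null 2>&1
# What goes into ssl_ca: root certificate first, current CRL appended after it.
make_bundle() {
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  cat ca.crt ca.crl > ca-bundle.pem
}
# Same check Dovecot performs with ssl_verify_client_cert + ssl_require_crl.
verify_client() {
  openssl verify -crl_check -CAfile ca-bundle.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}
make_bundle; BEFORE=$(verify_client client.crt)   # OK: cert valid, CRL present
openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
make_bundle; AFTER=$(verify_client client.crt)    # FAIL: serial now listed in the CRL
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

If the first check already fails, fix the bundle (order, missing CRL, wrong issuer) before blaming Dovecot; the same file is what you point ssl_ca at.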
import the client cert into your client and you will see e.g. Thunderbird asking which client cert it shall use when trying to connect.
in some extreme paranoid use-case, you might also want to switch to your own CA for the server cert
ssl_cert = </etc/ssl/NETHENCE-ROOT-CA/xc.crt
ssl_key = </etc/ssl/NETHENCE-ROOT-CA/xc.key
and you obviously need to import the CA cert into your client for that matter.
while trying to auth with Thunderbird and a client cert
dovecot: imap-login: Error: Failed to initialize SSL server context: Can't load SSL certificate (ssl_cert setting): error:1418708B:SSL routines:ssl_do_config:unknown command: section=system_default, cmd=HOME, arg=.: user=<>,
==> simply wrong path to the server cert?
dovecot: imap-login: Error: Failed to initialize SSL server context: Couldn't parse private SSL key (ssl_key setting) (maybe ssl_key_password is wrong?): error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt, error:0906A065:PEM routines:PEM_do_header:bad decrypt: user=<>, rip=62.221.83.44, lip=62.210.110.7, session=<uP2WCZe63LU+3VMs>
==> don't use the CA key as the server key, as it wants a passphrase (it could otherwise have done the trick, unless you do it right and dedicate an offline machine for your CA).
instructions https://wiki.dovecot.org/SSL/DovecotConfiguration#Client_certificate_verification.2Fauthentication
Dovecot and Postfix client certificate authentication https://blog.mortis.eu/blog/2017/06/dovecot-and-postfix-with-client-cert-auth.html
server capabilities https://serverfault.com/questions/624303/dovecot-certificate-authentication
nsCertType and CRL https://unix.stackexchange.com/questions/348372/dovecot-rejecting-client-certificate
no SAN https://dovecot.org/pipermail/dovecot/2012-March/082158.html