On 16 June 2019 20:27 Marvin Gülker via dovecot <dovecot@dovecot.org> wrote:
On 16 June 2019 at 15:53 +0300, Aki Tuomi via dovecot wrote:
> You will save yourself from a world of hurt if you use a dummy CA to sign your smartcard cert. You can try without generating a CRL.

I see. I've done that now, but the effort required seems to be disproportionate. I'm just a single person. Requiring a full-blown CA setup is like cracking breakfast eggs with a car. Now I not only have to take care of my smartcard, but also of an almighty CA private key that could be abused to impersonate me and that's not on my smartcard.
Don't get me wrong. Dovecot is great software, but I think that X.509 was most certainly not designed for the needs of small setups, up to a point where I find working with it just frustrating. OpenSSL's very unhelpful error messages ("engine error") certainly aren't suitable to change my mind on the topic.
Anyway, thanks. Now I just need to figure out how to set up my mail client for TLS client certificates...
-- 
Blog: https://mg.guelker.eu
By specifying a long enough validity and next CRL date you could just safely discard the CA private key once all is signed. Long, like 5 years at least.
---
Aki Tuomi
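The throw-away CA workflow Aki describes, written out as an added example that is not part of the thread and not Dovecot's or OpenSSL's own code. It assumes only the OpenSSL command line tool (1.1.1 or newer) and a working directory whose path contains no spaces; the function names, the 3650-day validities and the "example client" subject are all chosen here for illustration. The smartcard is stood in for by a software key and CSR generated on the spot (constructed for the demo), because CSR generation on a real card depends on the card's tooling; with a real card you would hand sign_client_csr the CSR the card produced and skip make_stand_in_csr.

```shell
#!/bin/sh
# Added example (not from the thread): a throw-away CA for one TLS client certificate.
# Assumes only the OpenSSL command line tool (1.1.1 or later) and a working directory
# whose path contains no spaces. Steps: create the CA, sign the client CSR, issue a
# long-lived CRL, then delete the CA private key so it can never be abused.
set -eu

# Validity in days. The CRL's nextUpdate must outlast every certificate it covers:
# once the CRL is stale, servers that check CRLs reject the still-valid client cert.
CA_DAYS=3650
CERT_DAYS=3650
CRL_DAYS=3650

# Create a self-contained OpenSSL config, the CA key and the self-signed CA cert in $1.
make_throwaway_ca() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/index.txt"        # empty CA database: nothing has been revoked
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ca]
default_ca = throwaway
[throwaway]
database         = $dir/index.txt
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = $CRL_DAYS
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$CA_DAYS" -subj "/CN=Throwaway Client CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Stand-in for the smartcard (constructed for the demo): a software key plus CSR.
# With a real card the CSR comes from the card's own tooling and the private key
# never leaves the card; only the CSR file is needed by sign_client_csr.
make_stand_in_csr() {
    dir=$1
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=example client" -keyout "$dir/client.key" \
        -out "$dir/client.csr" 2>/dev/null
}

# Sign the CSR $2 with the CA in $1 as a TLS client certificate -> $1/client.crt.
sign_client_csr() {
    dir=$1; csr=$2
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$dir/client.ext"
    openssl x509 -req -sha256 -days "$CERT_DAYS" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -in "$csr" -extfile "$dir/client.ext" \
        -out "$dir/client.crt" 2>/dev/null
}

# Issue an empty CRL whose nextUpdate is CRL_DAYS away, then destroy the CA key.
issue_crl_and_destroy_key() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" 2>/dev/null
    rm -f "$dir/ca.key"         # from here on nothing can be signed with this CA
}

# Exit 0 if $1/client.crt chains to the CA and passes a CRL check, as a server would do.
verify_client() {
    dir=$1
    openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" \
        "$dir/client.crt" >/dev/null 2>&1
}

# Print the CRL's nextUpdate so the chosen validity can be eyeballed.
crl_next_update() {
    openssl crl -in "$1/ca.crl" -noout -nextupdate
}
```

Run the functions in order: make_throwaway_ca, make_stand_in_csr (or copy the card's CSR into place), sign_client_csr, issue_crl_and_destroy_key, then verify_client to confirm the chain and CRL check pass with the CA key already gone. What is left to keep is ca.crt and ca.crl for the server side and client.crt for the card; the deleted ca.key is exactly the "almighty" secret the thread worries about, and with the CRL's nextUpdate set as far out as the certificates themselves, nothing will need to be re-signed before they expire.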