On Tue, Sep 16, 2008 at 07:23:57AM -0400, micah milano wrote:

> I have purchased a wildcard SSL certificate, and have configured it in
> postfix for both smtp_tls* and smtpd_tls*. It works fine, except postfix
> doesn't let me use it between machines, because:
>
> Sep 15 22:29:46 mx1 postfix/smtpd[1108]: certificate verification failed
> for x.x.x.x[0.0.0.0]: not designated for use as a client certificate
X.509v3 certificates carry "Key Usage" and "Extended Key Usage" extensions,
that specify how the key may be used, for example (selectively extracted
extensions from a "dual-use" client/server cert):

    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Key Usage:
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication

It is the "Extended Key Usage" that designates a TLS client or server
certificate. These extensions are set by the issuing CA; they likely only
support wild-card certs as server certs. If you want a client cert, you
use a non-wildcard cert for each client.

Why do you want CA-issued client certs for SMTP anyway? They (really the
CA's certification of the client's name) are fairly useless. The Postfix
SMTP server, for example, does not support access control by client
CN/altName; rather it uses client cert fingerprints, in which case you
just go self-signed...

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[EMAIL PROTECTED]>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
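The two points in the reply (a cert is only usable as a TLS client cert if its Extended Key Usage says so, and Postfix keys client-cert access on the fingerprint rather than the name) can be checked end to end with openssl. The script below is an added example, not code from the thread or from Postfix: it builds a server-only cert next to a self-signed "dual-use" cert, tests each for the "TLS Web Client Authentication" EKU that the smtpd error is complaining about, and prints the fingerprint line you would put in the table consulted by Postfix's check_ccert_access (the relay_clientcerts-style "fingerprint name" map, with smtpd_tls_fingerprint_digest = sha1). It assumes openssl 1.1.1 or later for the `req -addext` and `x509 -ext` options; the names server-only, dual-use and mx1 are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original thread: build a self-signed
# "dual-use" certificate, check its Extended Key Usage, and print the
# fingerprint line Postfix's check_ccert_access keys on.
# Assumes openssl >= 1.1.1 (for `req -addext` and `x509 -ext`).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU_LIST
#   Writes $WORK/NAME.pem (+ NAME.key): a self-signed cert whose
#   Extended Key Usage is EKU_LIST, e.g. "serverAuth,clientAuth".
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -addext "keyUsage=digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=$2" >/dev/null 2>&1
}

# has_eku FILE PURPOSE
#   Succeeds iff FILE's Extended Key Usage lists PURPOSE, using the names
#   openssl prints ("TLS Web Client Authentication", ...). A cert without
#   the clientAuth purpose is what smtpd rejects as "not designated for
#   use as a client certificate".
has_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q "$2"
}

# fingerprint FILE
#   SHA-1 fingerprint as colon-separated uppercase hex, the form Postfix
#   expects in the map looked up by check_ccert_access when
#   smtpd_tls_fingerprint_digest = sha1.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# is_fingerprint STRING
#   Sanity check: 20 bytes rendered as XX:XX:...:XX.
is_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$'
}

# clientcert_map_line FILE NAME
#   One entry for a relay_clientcerts-style map: "<fingerprint> <name>".
clientcert_map_line() {
    printf '%s %s\n' "$(fingerprint "$1")" "$2"
}

# Demo: a server-only cert (what a CA typically issues for a wildcard
# name) next to a dual-use cert; only the latter passes the client check.
make_cert server-only serverAuth
make_cert dual-use serverAuth,clientAuth
for c in server-only dual-use; do
    if has_eku "$WORK/$c.pem" "TLS Web Client Authentication"; then
        echo "$c: usable as a TLS client certificate"
    else
        echo "$c: NOT designated for use as a client certificate"
    fi
done
echo "relay_clientcerts entry for the dual-use cert (hypothetical host mx1):"
clientcert_map_line "$WORK/dual-use.pem" mx1
```

Run it as `sh eku-check.sh`; to inspect a certificate you already have, `openssl x509 -in cert.pem -noout -ext extendedKeyUsage` on its own shows whether "TLS Web Client Authentication" is present. Because the server-side check is on the fingerprint, regenerating a self-signed client cert means updating the map entry and rebuilding the hash table; the name in the certificate never enters into the decision.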