
Cannot import a tested p12 TLS client certificate

Without client certificate configuration, the user can retrieve its emails on the dovecot IMAPs server using a password.

When I try to authenticate the user with an S/MIME client certificate, the dovecot server reports that:

```
dovecot: imap-login: Login aborted: Connection closed (client didn't send a cert) (client_ssl_cert_missing)
```

Here is the configuration:

1. On the client side:

I've imported into thunderbird:
- the self-signed CA certificate
- the user's S/MIME client certificate which is fine:

```
pk12util -l user@example.com.p12

Enter password for PKCS12 file:
Certificate(has private key):

   Data:
       Version: 3 (0x2)
       Serial Number:
           00:c3:10:d5:01:d1:9c:3c:4c:26:a7:a9:4d:90:f0:49:
           03:a8:f3:71:d6
       Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
       Issuer: "O=Example,ST=Yvelines,C=FR"
       Validity:
           Not Before: Mon Feb 23 14:26:26 2026
           Not After : Thu Feb 21 14:26:26 2036
       Subject: "E=user@example.com,CN=user@example.com,O=Example,ST=Yvel
           ines,C=FR"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   c7:f9:af:0a:53:72:a9:de:f0:db:bb:ad:86:90:15:f1:
                   ...
               Exponent: 65537 (0x10001)
       Signed Extensions:
           Name: Certificate Basic Constraints
           Data: Is not a CA.
           Name: Certificate Key Usage
           Usages: Digital Signature
                   Non-Repudiation
                   Key Encipherment
           Name: Extended Key Usage
               E-Mail Protection Certificate
           Name: Certificate Subject Key ID
           Data:
               68:5f:60:6d:8b:c8:0c:28:e3:d9:49:ca:bd:c7:25:a0:
               24:4c:2c:40
           Name: Certificate Authority Key Identifier
           Key ID:
               00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
               68:98:fa:f6
           Name: Certificate Subject Alt Name
           RFC822 Name: "user@example.com"
   Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
   Signature:
       71:1b:e4:78:b0:21:f7:20:78:50:80:87:c8:71:a2:9c:
       ...
   Fingerprint (SHA-256):
       7F:8D:00:DF:04:02:39:90:11:B2:7D:5F:D3:EE:A7:2D:EF:58:B3:A9:4B:79:ED:D5:FE:2A:70:74:06:33:ED:31
   Fingerprint (SHA1):
       4E:7C:3B:31:58:32:8A:C3:42:26:CB:D3:DB:54:95:C5:C1:06:19:14

Key(shrouded):

   Encryption algorithm: PKCS #5 Password Based Encryption v2 
       Encryption:
           KDF: PKCS #5 Password Based Key Derive Function v2 
               Parameters:
                   Salt:
                       f2:73:28:5b:0b:6c:36:ec:1f:ca:1d:19:b3:77:87:7e
                   Iteration Count: 2048 (0x800)
                   KDF algorithm: HMAC SHA-256
           Cipher: AES-256-CBC
               Args:
                   04:10:be:da:bb:10:d3:94:e0:82:b3:2b:c2:ad:39:b5:
                   3b:4e

```

I've set up the account to:
- use its certificate
- use a TLS certificate as an authentication method.

There is no S/MIME certificate option.

2. On the dovecot (2.4.1) server side:

The server is configured to require client certificates for all IMAP connections:

```
protocol imap {
  ssl_server_ca_file = /etc/ssl/CA_CRL.pem
  ssl_server_request_client_cert = yes
  ssl_server_cert_username_field = commonName

  auth_ssl_require_client_cert=yes
  auth_ssl_username_from_cert = yes
}
```

Does that mean that I also have to import a TLS client certificate? If so, what format should it (.p12, .crt...) be?

PKCS # 12 operation failed for unknown reason when importing an S/MIME client certificate

I successfully imported the self-signed CA certificate into thunderbird. Then I tried to import the p12 S/MIME client certificate and this error message popped up (cf. screenshot below).

However, I checked the client certificate and it seems fine:

```
openssl pkcs12 -in smime-client-certificate.p12 -info -noout
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
```

```
pk12util -l smime-client-certificate.p12

Enter password for PKCS12 file:
Certificate(has private key):

   Data:
       Version: 3 (0x2)
       Serial Number: 1 (0x1)
       Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
       Issuer: "..."
       Validity:
           Not Before: Thu Feb 19 13:32:18 2026
           Not After : Sun Feb 17 13:32:18 2036
       Subject: "E=user@example.com,CN=user@example.com,
           O=example.com,ST=...,C=..."
       Subject Public Key Info:
           Public Key Algorithm: X9.62 elliptic edwards curve public key
       unknown SPKI algorithm type
       Raw:
           69:58:ee:5d:45:3f:10:d9:bb:8c:a3:b6:a5:c6:16:a6:
           53:78:65:77:73:5d:e0:6f:60:df:2c:32:f3:c2:e2:58
       Signed Extensions:
           Name: Certificate Basic Constraints
           Data: Is not a CA.
           Name: Certificate Key Usage
           Usages: Digital Signature
                   Non-Repudiation
                   Key Encipherment
           Name: Extended Key Usage
               E-Mail Protection Certificate
           Name: Certificate Subject Key ID
           Data:
               99:8a:6d:e4:ec:3a:25:5d:ad:26:a0:36:e1:da:a2:ea:
               bc:88:79:50
           Name: Certificate Authority Key Identifier
           Key ID:
               f5:6c:37:9a:37:d1:81:43:d3:54:3f:b9:33:23:85:c1:
               7e:17:73:88
           Name: Certificate Subject Alt Name
           RFC822 Name: "user@example.com"
   Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
   Signature:
       44:3a:5e:d7:44:51:f1:3c:a3:80:d8:54:f4:9c:d8:0b:
       ...
   Fingerprint (SHA-256):
       88:95:7A:DF:A5:7C:D1:E8:A5:55:A8:18:BD:BD:7D:92:1F:7D:6E:17:26:68:39:84:26:F3:F6:F3:4A:5C:56:90
   Fingerprint (SHA1):
       72:83:D0:13:C9:C9:AD:46:CA:C3:73:66:9E:79:5B:5C:3B:2E:81:47

Key(shrouded):

   Encryption algorithm: PKCS #5 Password Based Encryption v2
       Encryption:
           KDF: PKCS #5 Password Based Key Derive Function v2
               Parameters:
                   Salt:
                       dc:f9:bf:4a:80:e1:7c:4a:b4:f5:52:6b:9b:d5:75:ad
                   Iteration Count: 2048 (0x800)
                   KDF algorithm: HMAC SHA-256
           Cipher: AES-256-CBC
               Args:
                   04:10:0d:a4:96:03:00:2a:d5:a6:fe:d3:6c:a5:d0:12:
                   67:b3
```

What is going on, and how can I troubleshoot this issue, as there is no logging about this matter in /var/log/syslog?

Environment:
- Ubuntu 25.10
- thunderbird 2:1snap1-0ubuntu3

Asked by jean-christophe manciot 6 days ago

Last reply by jean-christophe manciot 5 days ago
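
An added example, not part of the original posts: two checks on the certificate properties visible in the `pk12util` listings above (the public key algorithm, and whether the Extended Key Usage permits TLS client authentication), run with `openssl` against throwaway certificates constructed here. The helper names (`cert_key_alg`, `cert_ssl_client`, `make_test_cert`) and the choice of ED25519 as the Edwards-curve sample are assumptions.

```shell
#!/usr/bin/env bash
# Added example: the certificates are constructed, throwaway test data.
# The verdicts are OpenSSL's; Thunderbird uses NSS and may judge differently.

# Public key algorithm of a PEM certificate, e.g. "rsaEncryption" or "ED25519".
cert_key_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Prints "Yes" or "No": is the certificate acceptable for TLS client use?
cert_ssl_client() {
    openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL client : *//p'
}

# Create a self-signed test certificate (hypothetical helper).
# $1 = output prefix, $2 = key algorithm, $3 = extendedKeyUsage value
make_test_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = user@example.com
[ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = $3
subjectAltName = email:user@example.com
EOF
    openssl genpkey -algorithm "$2" -out "$1.key" 2>/dev/null &&
        openssl req -x509 -new -config "$1.cnf" -extensions ext \
            -key "$1.key" -out "$1.pem" -days 1
}

demo() {
    local d c
    d=$(mktemp -d) || return 1
    make_test_cert "$d/smime" RSA emailProtection || return 1
    make_test_cert "$d/both" ED25519 "clientAuth, emailProtection" || return 1
    for c in smime both; do
        printf '%s: key=%s ssl_client=%s\n' "$c" \
            "$(cert_key_alg "$d/$c.pem")" "$(cert_ssl_client "$d/$c.pem")"
    done
    rm -rf "$d"
}
demo
```

To run the same checks on a real PKCS #12 file, first extract the certificate with `openssl pkcs12 -in file.p12 -clcerts -nokeys -out cert.pem`, where `file.p12` is a placeholder.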

How to turn off repeat calendar alerts?

I'd like to receive Thunderbird's calendar alerts once and only once; if I'm not at my computer I don't want to keep hearing them over and over every 10 (?) minutes until manually dismissed. I haven't been able to find any setting (including in about:config) that turns on/off the repeat or sets the timeout between repeat alerts. Is it hardcoded? Or is there somewhere it can be changed? Thanks!

Asked by Oberon 6 days ago

Last reply by Oberon 5 days ago