Cannot import a tested p12 TLS client certificate
Without client certificate configuration, the user can retrieve their emails from the dovecot IMAPS server using a password.
When I try to authenticate the user with an S/MIME client certificate, the dovecot server reports:

```
dovecot: imap-login: Login aborted: Connection closed (client didn't send a cert) (client_ssl_cert_missing)
```
Here is the configuration:

1. On the client side, I've imported into Thunderbird:
   - the self-signed CA certificate
   - the user's S/MIME client certificate, which is fine:

```
$ pk12util -l user@example.com.p12
Enter password for PKCS12 file:
Certificate(has private key):
    Data:
        Version: 3 (0x2)
        Serial Number:
            00:c3:10:d5:01:d1:9c:3c:4c:26:a7:a9:4d:90:f0:49:
            03:a8:f3:71:d6
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "O=Example,ST=Yvelines,C=FR"
        Validity:
            Not Before: Mon Feb 23 14:26:26 2026
            Not After : Thu Feb 21 14:26:26 2036
        Subject: "E=user@example.com,CN=user@example.com,O=Example,ST=Yvelines,C=FR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    c7:f9:af:0a:53:72:a9:de:f0:db:bb:ad:86:90:15:f1:
                    ...
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.
            Name: Certificate Key Usage
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
            Name: Extended Key Usage
                E-Mail Protection Certificate
            Name: Certificate Subject Key ID
            Data:
                68:5f:60:6d:8b:c8:0c:28:e3:d9:49:ca:bd:c7:25:a0:
                24:4c:2c:40
            Name: Certificate Authority Key Identifier
            Key ID:
                00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
                68:98:fa:f6
            Name: Certificate Subject Alt Name
            RFC822 Name: "user@example.com"
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        71:1b:e4:78:b0:21:f7:20:78:50:80:87:c8:71:a2:9c:
        ...
    Fingerprint (SHA-256):
        7F:8D:00:DF:04:02:39:90:11:B2:7D:5F:D3:EE:A7:2D:EF:58:B3:A9:4B:79:ED:D5:FE:2A:70:74:06:33:ED:31
    Fingerprint (SHA1):
        4E:7C:3B:31:58:32:8A:C3:42:26:CB:D3:DB:54:95:C5:C1:06:19:14
Key(shrouded):
    Encryption algorithm: PKCS #5 Password Based Encryption v2
    Encryption:
        KDF: PKCS #5 Password Based Key Derive Function v2
        Parameters:
            Salt:
                f2:73:28:5b:0b:6c:36:ec:1f:ca:1d:19:b3:77:87:7e
            Iteration Count: 2048 (0x800)
            KDF algorithm: HMAC SHA-256
        Cipher: AES-256-CBC
        Args:
            04:10:be:da:bb:10:d3:94:e0:82:b3:2b:c2:ad:39:b5:
            3b:4e
```

I've set up the account to:
- use its certificate
- use a TLS certificate as the authentication method

There is no S/MIME certificate option.
2. On the dovecot (2.4.1) server side, the server is configured to require client certificates for all IMAP connections:

```
protocol imap {
  ssl_server_ca_file = /etc/ssl/CA_CRL.pem
  ssl_server_request_client_cert = yes
  ssl_server_cert_username_field = commonName
  auth_ssl_require_client_cert = yes
  auth_ssl_username_from_cert = yes
}
```
Does that mean that I also have to import a TLS client certificate? If so, what format should it be (.p12, .crt, ...)?
All answers (2)
As an answer to my own question: yes, now that I see the whole picture:
- S/MIME client certificates are used only to sign and encrypt emails
- TLS client certificates are used only to authenticate users
However, when I try to import a p12 TLS client certificate, I get "The PKCS #12 operation failed for unknown reasons", although it seems to be fine:

```
$ pk12util -l user\@example.com.p12
Enter password for PKCS12 file:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:76:d3:5e:3d:a4:b3:aa:f8:a0:2e:82:1e:7f:4d:8f:
            3f:5e:f6:75
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "E=user@example.com,CN=user@example.com,O=Example,ST=Yvelines,C=FR"
        Validity:
            Not Before: Mon Feb 23 17:13:46 2026
            Not After : Thu Feb 21 17:13:46 2036
        Subject: "E=user@example.com,CN=user@example.com,O=Example,ST=Yvelines,C=FR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ae:ed:69:56:cf:42:e3:9f:c0:50:43:62:68:c6:69:82:
                    ...
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "user@example.com"
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
            Name: Extended Key Usage
                TLS Web Client Authentication Certificate
                E-Mail Protection Certificate
            Name: Certificate Subject Key ID
            Data:
                7c:10:03:f4:b7:9d:9c:95:bc:20:30:29:4b:51:4f:11:
                fd:bc:5a:3e
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        6a:12:0e:1e:d6:1a:01:35:b1:65:a9:9d:87:5f:d3:27:
        ...
    Fingerprint (SHA-256):
        78:D4:02:51:5A:B9:1E:EC:70:BB:79:FC:C9:82:EC:F4:3A:0B:B5:25:5A:CF:A1:EA:E3:F9:3F:80:F1:11:08:95
    Fingerprint (SHA1):
        81:54:C4:7B:2F:44:39:94:36:C8:FD:19:3A:11:F0:06:D4:6F:C7:EE
    Friendly Name: user@example.com
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:9f:7f:af:44:3f:e7:35:b0:74:be:f3:02:7c:fb:3c:
            90:77:55:10
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "O=Example,ST=Yvelines,C=FR"
        Validity:
            Not Before: Mon Feb 23 14:12:29 2026
            Not After : Thu Feb 21 14:12:29 2036
        Subject: "O=Example,ST=Yvelines,C=FR"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    ba:f8:f1:2f:e0:36:4f:c5:08:d1:34:eb:2b:2e:8c:82:
                    ...
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Key ID
            Data:
                00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
                68:98:fa:f6
            Name: Certificate Authority Key Identifier
            Key ID:
                00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
                68:98:fa:f6
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with no maximum path length.
            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Certificate Signing
                    CRL Signing
    Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
    Signature:
        51:dc:a6:f2:55:24:12:83:84:d6:2b:1e:15:ba:a7:36:
        ...
    Fingerprint (SHA-256):
        6C:27:A1:0E:DB:8C:69:B4:39:C7:B7:0F:D5:EF:8F:7A:13:6E:39:B1:CE:55:86:EB:4F:59:14:5E:5D:8A:25:E4
    Fingerprint (SHA1):
        DC:A5:74:81:B7:40:C2:70:E6:0E:A1:41:FD:D2:BD:2E:96:13:EF:FC
Key(shrouded):
    Friendly Name: user@example.com
    Encryption algorithm: PKCS #5 Password Based Encryption v2
    Encryption:
        KDF: PKCS #5 Password Based Key Derive Function v2
        Parameters:
            Salt:
                1c:56:ad:36:09:64:6f:df:e2:c6:6c:d0:48:58:59:00
            Iteration Count: 20000 (0x4e20)
            KDF algorithm: HMAC SHA-256
        Cipher: AES-256-CBC
        Args:
            04:10:67:41:e3:12:8a:5d:2d:e7:74:ac:33:e5:f7:c4:
            ef:dc
```
In the previous post, I implied that both S/MIME and TLS client certificates can coexist in Thunderbird, because I tried to import the TLS certificate **after** I successfully imported the S/MIME certificate. Anyhow, if I delete the S/MIME certificate and import the TLS one, I get the same error message.
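An added example, not part of the question or the answer above, showing the client-side material for this setup built end to end with OpenSSL: a site CA, a TLS client certificate issued by that CA with CN set to the login name (what `ssl_server_cert_username_field = commonName` reads), the `clientAuth` EKU and an `email:` SAN (the working S/MIME certificate above carries the address as an RFC822 name; the second listing carries it as a DNS name, which is the wrong SAN type for an e-mail address), and a PKCS#12 bundle like the one in the first listing. It then checks two things a practitioner would rule out before blaming the importer: that the shrouded key in the bundle belongs to the certificate (pk12util reports a certificate it can pair with the bundled key as `Certificate(has private key):`, which the first listing shows and neither certificate in the second listing does), and that the certificate verifies with the client purpose against the CA, as dovecot will demand through `ssl_server_ca_file` (the client certificate in the second listing is self-signed, Issuer equals Subject, and so would not chain to that CA). Assumes OpenSSL 1.1.1 or newer on PATH; the subject names, password, key size and paths are illustrative.

```shell
#!/bin/sh
# Added example (editor's, not code from the post above). Issues a TLS client
# certificate for a dovecot user from a site CA, bundles it as PKCS#12 and
# checks that the key belongs to the certificate and that the certificate
# verifies as a TLS client against the CA. Requires OpenSSL >= 1.1.1.
# All names, the password and the key size are illustrative.
set -eu

WORK=${WORK:-$(mktemp -d)}
EMAIL=user@example.com        # also the dovecot login name (CN)
P12PASS=changeit              # illustrative PKCS#12 password

# A private config file so the distro openssl.cnf cannot add conflicting
# extensions; v3_client mirrors what the post's working S/MIME cert carries
# (email: SAN, non-CA) plus the clientAuth EKU dovecot needs.
write_config() {
  cat >"$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = email:$EMAIL
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {
  openssl req -config "$WORK/openssl.cnf" -x509 -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/C=FR/ST=Yvelines/O=Example" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_client_cert() {
  openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=FR/ST=Yvelines/O=Example/CN=$EMAIL/emailAddress=$EMAIL" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -CAcreateserial \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -extfile "$WORK/openssl.cnf" -extensions v3_client \
    -in "$WORK/client.csr" -out "$WORK/client.crt" 2>/dev/null
}

# Key + end-entity cert + CA, key and cert tied by a shared localKeyID
# (which is what pk12util reports as "Certificate(has private key)").
pack_p12() {
  openssl pkcs12 -export -name "$EMAIL" \
    -inkey "$WORK/client.key" -in "$WORK/client.crt" -certfile "$WORK/ca.crt" \
    -passout "pass:$P12PASS" -out "$WORK/client.p12"
}

# OpenSSL refuses to build a bundle whose key does not belong to the cert.
pack_mismatched_p12_is_refused() {
  ! openssl pkcs12 -export -inkey "$WORK/ca.key" -in "$WORK/client.crt" \
      -passout "pass:$P12PASS" -out "$WORK/bad.p12" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo, comparable between key and cert.
spki_of_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256; }
spki_of_cert() { openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# Pull the key and the end-entity cert back out of the bundle and compare them.
p12_key_matches_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -nocerts -nodes -out "$WORK/p12.key" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$P12PASS" -clcerts -nokeys -out "$WORK/p12.crt" 2>/dev/null
  [ "$(spki_of_key "$WORK/p12.key")" = "$(spki_of_cert "$WORK/p12.crt")" ]
}

cert_has_client_auth() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage | grep -q 'TLS Web Client Authentication'
}

# The check dovecot makes against ssl_server_ca_file (CRL left out here).
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null
}

build_and_check() {
  write_config && make_ca && make_client_cert && pack_p12 \
    && p12_key_matches_cert "$WORK/client.p12" \
    && cert_has_client_auth "$WORK/client.crt" \
    && cert_chains_to_ca "$WORK/client.crt" \
    && pack_mismatched_p12_is_refused
}

# Against a live server, the same material can be presented by hand:
#   openssl s_client -connect imap.example.com:993 -CAfile "$WORK/ca.crt" \
#     -cert "$WORK/client.crt" -key "$WORK/client.key"
build_and_check && echo "ok: $WORK/client.p12"
```

The resulting `client.p12` is what Thunderbird's certificate manager expects to import; `pk12util -l` on it should list the client certificate as `Certificate(has private key):`, the CA as a plain `Certificate:`, and one `Key(shrouded):` entry, matching the shape of the first listing above.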