Cannot import a tested p12 TLS client certificate

Without client certificate configuration, the user can retrieve its emails on the dovecot IMAPs server using a password.

When I try to authenticate the user with an S/MIME client certificate, the dovecot server reports that:

```
dovecot: imap-login: Login aborted: Connection closed (client didn't send a cert) (client_ssl_cert_missing)
```

Here is the configuration:

1. On the client side: I've imported into thunderbird:
   - the self-signed CA certificate
   - the user's S/MIME client certificate, which is fine:

```
# pk12util -l user@example.com.p12
Enter password for PKCS12 file: 
Certificate(has private key):


   Data:
       Version: 3 (0x2)
       Serial Number:
           00:c3:10:d5:01:d1:9c:3c:4c:26:a7:a9:4d:90:f0:49:
           03:a8:f3:71:d6
       Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
       Issuer: "O=Example,ST=Yvelines,C=FR"
       Validity:
           Not Before: Mon Feb 23 14:26:26 2026
           Not After : Thu Feb 21 14:26:26 2036
       Subject: "E=user@example.com,CN=user@example.com,O=Example,ST=Yvel
           ines,C=FR"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   c7:f9:af:0a:53:72:a9:de:f0:db:bb:ad:86:90:15:f1:
                   ...
               Exponent: 65537 (0x10001)
       Signed Extensions:
           Name: Certificate Basic Constraints
           Data: Is not a CA.
           Name: Certificate Key Usage
           Usages: Digital Signature
                   Non-Repudiation
                   Key Encipherment
           Name: Extended Key Usage
               E-Mail Protection Certificate
           Name: Certificate Subject Key ID
           Data:
               68:5f:60:6d:8b:c8:0c:28:e3:d9:49:ca:bd:c7:25:a0:
               24:4c:2c:40
           Name: Certificate Authority Key Identifier
           Key ID:
               00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
               68:98:fa:f6
           Name: Certificate Subject Alt Name
           RFC822 Name: "user@example.com"
   Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
   Signature:
       71:1b:e4:78:b0:21:f7:20:78:50:80:87:c8:71:a2:9c:
       ...
   Fingerprint (SHA-256):
       7F:8D:00:DF:04:02:39:90:11:B2:7D:5F:D3:EE:A7:2D:EF:58:B3:A9:4B:79:ED:D5:FE:2A:70:74:06:33:ED:31
   Fingerprint (SHA1):
       4E:7C:3B:31:58:32:8A:C3:42:26:CB:D3:DB:54:95:C5:C1:06:19:14

Key(shrouded):

   Encryption algorithm: PKCS #5 Password Based Encryption v2 
       Encryption:
           KDF: PKCS #5 Password Based Key Derive Function v2 
               Parameters:
                   Salt:
                       f2:73:28:5b:0b:6c:36:ec:1f:ca:1d:19:b3:77:87:7e
                   Iteration Count: 2048 (0x800)
                   KDF algorithm: HMAC SHA-256
           Cipher: AES-256-CBC
               Args:
                   04:10:be:da:bb:10:d3:94:e0:82:b3:2b:c2:ad:39:b5:
                   3b:4e

```

I've set up the account to:
- use its certificate
- use a TLS certificate as an authentication method.

There is no S/MIME certificate option.

2. On the dovecot (2.4.1) server side: The server is configured to require client certificates for all IMAP connections:

```
protocol imap {
  ssl_server_ca_file = /etc/ssl/CA_CRL.pem
  ssl_server_request_client_cert = yes
  ssl_server_cert_username_field = commonName

  auth_ssl_require_client_cert = yes
  auth_ssl_username_from_cert = yes
}
```

Does that mean that I also have to import a TLS client certificate? If so, what format should it (.p12, .crt...) be?


Modified by jean-christophe manciot

All Replies (3)

As an answer to my own question, yes, now that I see the whole picture:
- S/MIME client certificates are used only to sign and encrypt emails
- TLS client certificates are used only to authenticate users

However, when I try to import a p12 TLS client certificate, I get "The PKCS #12 operation failed for unknown reasons", although it seems to be fine:

```
$ pk12util -l user\@example.com.p12
Enter password for PKCS12 file: 
Certificate:

   Data:
       Version: 3 (0x2)
       Serial Number:
           02:76:d3:5e:3d:a4:b3:aa:f8:a0:2e:82:1e:7f:4d:8f:
           3f:5e:f6:75
       Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
       Issuer: "E=user@example.com,CN=user@example.com,O
           =Example,ST=Yvelines,C=FR"
       Validity:
           Not Before: Mon Feb 23 17:13:46 2026
           Not After : Thu Feb 21 17:13:46 2036
       Subject: "E=user@example.com,CN=user@example.com,
           O=Example,ST=Yvelines,C=FR"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   ae:ed:69:56:cf:42:e3:9f:c0:50:43:62:68:c6:69:82:
                       ...
               Exponent: 65537 (0x10001)
       Signed Extensions:
           Name: Certificate Subject Alt Name
           DNS name: "user@example.com"
           Name: Certificate Key Usage
           Critical: True
           Usages: Digital Signature
                   Non-Repudiation
                   Key Encipherment
           Name: Extended Key Usage
               TLS Web Client Authentication Certificate
               E-Mail Protection Certificate
           Name: Certificate Subject Key ID
           Data:
               7c:10:03:f4:b7:9d:9c:95:bc:20:30:29:4b:51:4f:11:
               fd:bc:5a:3e
   Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
   Signature:
       6a:12:0e:1e:d6:1a:01:35:b1:65:a9:9d:87:5f:d3:27:
       ...
   Fingerprint (SHA-256):
       78:D4:02:51:5A:B9:1E:EC:70:BB:79:FC:C9:82:EC:F4:3A:0B:B5:25:5A:CF:A1:EA:E3:F9:3F:80:F1:11:08:95
   Fingerprint (SHA1):
       81:54:C4:7B:2F:44:39:94:36:C8:FD:19:3A:11:F0:06:D4:6F:C7:EE
   Friendly Name: user@example.com

Certificate:

   Data:
       Version: 3 (0x2)
       Serial Number:
           79:9f:7f:af:44:3f:e7:35:b0:74:be:f3:02:7c:fb:3c:
           90:77:55:10
       Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
       Issuer: "O=Example,ST=Yvelines,C=FR"
       Validity:
           Not Before: Mon Feb 23 14:12:29 2026
           Not After : Thu Feb 21 14:12:29 2036
       Subject: "O=Example,ST=Yvelines,C=FR"
       Subject Public Key Info:
           Public Key Algorithm: PKCS #1 RSA Encryption
           RSA Public Key:
               Modulus:
                   ba:f8:f1:2f:e0:36:4f:c5:08:d1:34:eb:2b:2e:8c:82:
                       ...
               Exponent: 65537 (0x10001)
       Signed Extensions:
           Name: Certificate Subject Key ID
           Data:
               00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
               68:98:fa:f6
           Name: Certificate Authority Key Identifier
           Key ID:
               00:eb:69:5d:78:80:7f:1b:7f:e3:2b:fa:15:c3:9b:e6:
               68:98:fa:f6
           Name: Certificate Basic Constraints
           Critical: True
           Data: Is a CA with no maximum path length.
           Name: Certificate Key Usage
           Critical: True
           Usages: Digital Signature
                   Certificate Signing
                   CRL Signing
   Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
   Signature:
       51:dc:a6:f2:55:24:12:83:84:d6:2b:1e:15:ba:a7:36:
       ...
   Fingerprint (SHA-256):
       6C:27:A1:0E:DB:8C:69:B4:39:C7:B7:0F:D5:EF:8F:7A:13:6E:39:B1:CE:55:86:EB:4F:59:14:5E:5D:8A:25:E4
   Fingerprint (SHA1):
       DC:A5:74:81:B7:40:C2:70:E6:0E:A1:41:FD:D2:BD:2E:96:13:EF:FC

Key(shrouded):

   Friendly Name: user@example.com
   Encryption algorithm: PKCS #5 Password Based Encryption v2 
       Encryption:
           KDF: PKCS #5 Password Based Key Derive Function v2 
               Parameters:
                   Salt:
                       1c:56:ad:36:09:64:6f:df:e2:c6:6c:d0:48:58:59:00
                   Iteration Count: 20000 (0x4e20)
                   KDF algorithm: HMAC SHA-256
           Cipher: AES-256-CBC
               Args:
                   04:10:67:41:e3:12:8a:5d:2d:e7:74:ac:33:e5:f7:c4:
                   ef:dc

```

In the previous post, I implied that both S/MIME and TLS client certificates can co-exist in thunderbird, because I tried to import the TLS certificate **after** I successfully imported the S/MIME certificate. Anyhow, if I delete the S/MIME certificate and import the TLS one, I get the same error message.

Also, trying to verify that the private key matches the certificate:

```
openssl x509 -noout -modulus -in user\@example.com.p12 | openssl sha512
Enter pass phrase for PKCS12 import pass phrase:
SHA2-512(stdin)= 71dee3cbcbf576634b78662c0eee76ab3895a96f64c41f8a8ccd623304b550939c7ef3dd25f209e6685b7101e41c96dd7700efd69dc6dfc6bdeea533b96dbb51

openssl rsa -noout -modulus -in user\@example.com_key.pem | openssl sha512
Enter pass phrase for .tls/user@example.com_key.pem:
SHA2-512(stdin)= 71dee3cbcbf576634b78662c0eee76ab3895a96f64c41f8a8ccd623304b550939c7ef3dd25f209e6685b7101e41c96dd7700efd69dc6dfc6bdeea533b96dbb51
```

Modified by jean-christophe manciot

Exact same issue with thunderbird 148.0.
