On Wed, Sep 29, 2021 at 02:33:05PM +0200, Bugz Bunny wrote:
> > Sent: Wednesday, September 29, 2021 at 8:25 AM
> > From: "Bugz Bunny" <[email protected]>
> > To: [email protected]
> > Subject: Client certification verifications fails with not designated for use as a CA certificate
> 
> Sorry, forgot to include that I am testing this configuration in CentOS 8 
> box, running postfix-3.5.8-1.el8.x86_64. Using swaks to do the client cert 
> authentication.
> 

Change smtpd_tls_req_ccert to smtpd_tls_ask_ccert.  You're authorising
clients by client certificate fingerprint, so you don't need no stinking
CA certificates.

However, if you really must check expiration dates and the like, you
need to make sure that all X.509v3 CA certificates (used to issue TLS
certificates) have appropriate minimal extensions:

    basicConstraints = CA:true
    keyUsage = digitalSignature, keyCertSign, cRLSign
    extendedKeyUsage = serverAuth, clientAuth

-- 
    Viktor.
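
As an added example (not part of this thread, nor Postfix or OpenSSL code), the
following Go program self-signs a sample CA with and without the extensions listed
above and reports which of the three requirements a parsed CA certificate fails;
NewCA and MissingCAExtensions are hypothetical names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCA is a hypothetical helper that self-signs a sample CA; withCA=false omits
// basicConstraints CA:true, the defect the error message in the thread points at.
func NewCA(withCA bool) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: withCA,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// MissingCAExtensions lists, in the reply's own notation, each of the three
// requirements a parsed CA certificate fails; an empty result means it passes.
func MissingCAExtensions(c *x509.Certificate) []string {
	const ku = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	eku := map[x509.ExtKeyUsage]bool{}
	for _, u := range c.ExtKeyUsage {
		eku[u] = true
	}
	var missing []string
	if !c.BasicConstraintsValid || !c.IsCA {
		missing = append(missing, "basicConstraints = CA:true")
	}
	if c.KeyUsage&ku != ku {
		missing = append(missing, "keyUsage = digitalSignature, keyCertSign, cRLSign")
	}
	if !eku[x509.ExtKeyUsageServerAuth] || !eku[x509.ExtKeyUsageClientAuth] {
		missing = append(missing, "extendedKeyUsage = serverAuth, clientAuth")
	}
	return missing
}
```

To check a real CA file, pem.Decode it and pass the x509.ParseCertificate result to MissingCAExtensions.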
