Results 1 to 2 of 2

Thread: Certificate based client authentication

  1. #1
    Join Date
    Sep 2011
    Rep Power

    Default Certificate based client authentication

    We would like to configure Zimbra Network Edition to require a client side certificate to authenticate the client to the Zimbra server for both Web Mail and ActiveSync for mobile phones. We followed the instructions in Gautam-Notes - Zimbra :: Wiki and did get it to work using an extra step.

    The notes stated to execute the following command to add our CA certificate as a trusted certificate issuer.

    opt/zimbra/bin/zmcertmgr addcacert <certfile>

    This adds the CA certificate to the JRE keystore file but the Jetty web server does not appear to use that keystore file. We installed the CA certificate in the Jetty keystore file as well.

    # cd /opt/zimbra/jetty-6.1.22.z6/etc
    # /opt/zimbra/jdk1.6.0_26/bin/keytool -importcert -v -keystore keystore -file /opt/pki/crt/ca.crt

    Our reasoning for insisting on client side certificates is that we want to reduce the pounding an Internet exposed web server takes. Without a recognized client side certificate, the server closes the session very early in the SSL handshake.

    We encountered the following issues that prevent us from moving forward:

    - Zimbra requires that certificate based client authentication be performed on a separate port other than 443 AND that "/certauth" be appended to the URL. Although this is doable from a browser, I can't see how to do that on my Android phone with Touchdown. The Touchdown configuration wants a host name, not a URL.

    - After certificate based client authentication completes on port 4443, Zimbra redirects the client to port 443. This defeats the purpose of certificate based client authentication since port 443 must remain exposed to non-authenticated clients. I am sure there is a way to configure Jetty to do this by modifying Jetty configuration files directly but I am not sure how to do it using Zimbra commands.

    Has anyone tried to do what I describe? Any insight would be greatly appreciated.

  2. #2
    Join Date
    Sep 2011
    Rep Power


    Anybody? Our eval time is winding down. Should I post to a different forum?

Similar Threads

  1. [SOLVED] Problem with commercial certificate
    By ppaixao in forum Administrators
    Replies: 3
    Last Post: 06-05-2012, 01:49 PM
  2. Replies: 0
    Last Post: 03-04-2008, 07:42 AM
  3. can't you help me
    By iwan siahaan in forum Administrators
    Replies: 6
    Last Post: 12-17-2007, 05:53 PM
  4. Use HTML Client Based on COS?
    By rwjblue in forum Administrators
    Replies: 2
    Last Post: 01-30-2007, 04:50 AM
  5. Java Client HTTP authentication
    By kcolgan in forum Developers
    Replies: 1
    Last Post: 10-04-2006, 01:58 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts