I want to set up 2-way SSL (mutual authentication) using X.509 certificates so I followed the guide from here:
Gautam-Notes - Zimbra :: Wiki
except that I already had my own CA and User certificate signed with that CA.
I added the CA via scp to the server and used
/opt/zimbra/bin/zmcertmgr addcacert <certfile>
to add it to the trusted CAs.
When I go to https://myserver.mydomain.com:9443/certauth, I can select my user certificate and the 2-way SSL handshake seems to work. However, I end up with an error 403.
I understand it as "the SSL handshake is correct but the user is not found in the database"
However, when I read this I cannot find the problem:
My user certificate has the correct emailAddress field in Subject.
- Now the handshake and the "authentication" of user is complete.
ZCS will do the "authorization" by looking up the user in ZCS's directory.
Currently ZCS uses the EMAILADDRESS field of the subject in the client certificate
as the only lookup key. If the value of EMAILADDRESS matches a Zimbra user's
primary email address or one of the aliases and the account is in a state good for
logging in, the user will be let in.
Is there any extension required for the client certificate to be able to be authenticated by Zimbra?
Thanks for your help. I feel I'm close to the goal but I'm missing the last step.
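The quoted wiki text says ZCS takes the EMAILADDRESS attribute of the client certificate's Subject as the only lookup key and matches it against the primary address or an alias of an account whose status allows login. The following is an added example (not Zimbra's code, not from the wiki) that reproduces that lookup offline: a small DER walker pulls the emailAddress attribute out of a certificate's Subject, and a lookup function matches it against a constructed stand-in for the directory. An address present only in the subjectAltName would not be seen by this lookup, which mirrors the quoted "only lookup key" statement. The certificate built by `constructed_certificate` is structurally valid DER with a dummy signature, constructed purely for the demonstration; the `DIRECTORY` entries and the `active`/`locked` status values are assumptions.

```python
"""Extract the Subject emailAddress from a DER certificate and look it up Zimbra-style.
Added example; DIRECTORY and the sample certificate are constructed, not real data."""

OID_EMAIL = "1.2.840.113549.1.9.1"   # pkcs-9 emailAddress (EMAILADDRESS in Java DN syntax)
OID_CN = "2.5.4.3"

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos (short and long lengths)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a SEQUENCE/SET into a list of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_name(name_value):
    """X.501 Name content -> [(oid, text)]. Covers UTF8/Printable/IA5 strings, not T61String."""
    attrs = []
    for _, rdn in children(name_value):               # RelativeDistinguishedName is a SET
        for _, atv in children(rdn):                  # AttributeTypeAndValue is a SEQUENCE
            (_, oid_raw), (_, val_raw) = children(atv)
            attrs.append((decode_oid(oid_raw), val_raw.decode("utf-8")))
    return attrs

def subject_of_certificate(cert_der):
    """Certificate -> tbsCertificate -> subject (skipping the optional [0] version)."""
    _, cert, _ = read_tlv(cert_der, 0)
    fields = children(children(cert)[0][1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[4][1]   # serialNumber, signature, issuer, validity, subject, ...

def subject_email(cert_der):
    """The value Zimbra would use as its lookup key, or None if the Subject has no emailAddress."""
    return next((v for oid, v in parse_name(subject_of_certificate(cert_der)) if oid == OID_EMAIL), None)

# Constructed stand-in for the directory: primary address -> (aliases, zimbraAccountStatus)
DIRECTORY = {
    "alice@mydomain.com": (["alice.smith@mydomain.com"], "active"),
    "bob@mydomain.com": ([], "locked"),
}

def authorize(email, directory=DIRECTORY):
    """Return the primary address if email matches a primary or alias of an active account."""
    if email is None:
        return None
    needle = email.lower()
    for primary, (aliases, status) in directory.items():
        if needle == primary.lower() or needle in (a.lower() for a in aliases):
            return primary if status == "active" else None
    return None

# --- DER encoder used only to build the constructed sample certificate ---
def der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content   # sample stays < 256 bytes

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return bytes(out)

def name(*attrs):
    return der(0x30, b"".join(der(0x31, der(0x30, der(0x06, encode_oid(oid)) + der(tag, text.encode())))
                              for oid, tag, text in attrs))

def constructed_certificate(email):
    """Structurally valid Certificate with a dummy signature; constructed, never signed by any CA."""
    sig_alg = der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.11")) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"260101000000Z"))
    spki = der(0x30, der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b"")) + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name((OID_CN, 0x0C, "My Private CA")) + validity
              + name((OID_CN, 0x0C, "Alice"), (OID_EMAIL, 0x16, email)) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))
```

To point this at a real client certificate, convert it with `openssl x509 -in client.pem -outform DER -out client.der` and pass the file's bytes to `subject_email`; the quick manual check is `openssl x509 -in client.pem -noout -subject`, which must show an `emailAddress=` component that equals one of the account's addresses.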