- Used Zammad version: 3.6
- Used Zammad installation source: Package
- Operating system: Debian 9
- Browser + version: Firefox 83.0
Expected behavior:
We have imported different user S/MIME certificates. Signed emails from these specific users should be marked as “signed”, because the appropriate certificate has been added to the certificate store in Zammad beforehand.
Actual behavior:
This is actually not working with certificates from one group of users. This group of users is using a self-signed certificate:
"security": { "type": "S/MIME", "sign": { "success": false, "comment": "Unable to find certificate for verification" }
Other users for example are using certificates from Sectigo, which works fine.
Steps to reproduce the behavior:
The difference between the self-signed certificates and the ones from Sectigo is the following.
The self-signed certificate looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:2c:b2:03:11:01:12:00:80:a2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=example, CN=CompanyIssuingCA
        Validity
            Not Before: Apr 3 06:32:30 2019 GMT
            Not After : Apr 2 06:32:30 2021 GMT
        Subject: CN=Doe, John
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 Subject Alternative Name:
            email:John.Doe@example.com
The public one from Sectigo looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:44:76:1f:c2:65:72:36:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Client Authentication and Secure Email CA
        Validity
            Not Before: Oct 17 00:00:00 2019 GMT
            Not After : Oct 16 23:59:59 2022 GMT
        Subject: emailAddress=j.doe@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 Subject Alternative Name:
            email:j.doe@example.com
The main difference is that the self-signed certificate has a certificate subject of:
Subject: CN=Doe, John
The Sectigo certificate has a certificate subject of:
Subject: emailAddress=j.doe@example.com
Both certificates have a “Subject Alternative Name” of:
email:John.Doe@example.com
or
email:j.doe@example.com
Does Zammad only look for the certificate subject and ignore the “Subject Alternative Name”? Is this the reason why the self-signed certificate cannot be found for the user?
Thanks,
Thomas
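
For comparison, an added example (not part of the original post and not Zammad's code) that builds two constructed certificates shaped like the ones above and shows how a sender lookup reading only the subject's emailAddress misses a certificate whose address appears only in the Subject Alternative Name. The helper names, the in-memory store and the case-insensitive match are assumptions made for illustration.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate (constructed test data, not the poster's).
def build_cert(subject, san_email)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new(subject)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', "email:#{san_email}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Addresses carried in the subject DN (emailAddress attribute) only.
def subject_emails(cert)
  cert.subject.to_a.select { |oid, _, _| oid == 'emailAddress' }
      .map { |_, value, _| value.downcase }
end

# Addresses carried as rfc822Name entries (context tag 1) in subjectAltName.
def san_emails(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  general_names = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(general_names).value
               .select { |gn| gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 1 }
               .map { |gn| gn.value.downcase }
end

# Hypothetical store lookup by sender address; case-insensitive match is an assumption.
def find_cert(store, sender, use_san:)
  store.find do |cert|
    emails = subject_emails(cert)
    emails += san_emails(cert) if use_san
    emails.include?(sender.downcase)
  end
end

INTERNAL_CERT = build_cert([['CN', 'Doe, John']], 'John.Doe@example.com')
PUBLIC_CERT   = build_cert([['emailAddress', 'j.doe@example.com']], 'j.doe@example.com')
STORE = [INTERNAL_CERT, PUBLIC_CERT].freeze

p find_cert(STORE, 'John.Doe@example.com', use_san: false)&.subject&.to_s
p find_cert(STORE, 'John.Doe@example.com', use_san: true)&.subject&.to_s
```

With `use_san: false` the first lookup returns nil, while the certificate with `Subject: emailAddress=...` is found either way.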