S/mime certificate not found

  • Used Zammad version: 3.6
  • Used Zammad installation source: Package
  • Operating system: Debian 9
  • Browser + version: Firefox 83.0

Expected behavior:

We have imported different user S/MIME certificates. Signed emails from these specific users should be marked as “signed”, because the appropriate certificate has been added to the certificate store in Zammad beforehand.

Actual behavior:

This is actually not working with certificates from one group of users. This group of users is using a self-signed certificate:

"security": { "type": "S/MIME", "sign": { "success": false, "comment": "Unable to find certificate for verification" }

Other users for example are using certificates from Sectigo, which works fine.

Steps to reproduce the behavior:

The difference between the self-signed certificates and the ones from Sectigo is the following.

The self-signed certificates look like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            68:2c:b2:03:11:01:12:00:80:a2
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=com, DC=example, CN=CompanyIssuingCA
        Validity
            Not Before: Apr  3 06:32:30 2019 GMT
            Not After : Apr  2 06:32:30 2021 GMT
        Subject: CN=Doe, John
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

            X509v3 Subject Alternative Name: 
                email:John.Doe@example.com

The public one from Sectigo looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2b:44:76:1f:c2:65:72:36:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Client Authentication and Secure Email CA
        Validity
            Not Before: Oct 17 00:00:00 2019 GMT
            Not After : Oct 16 23:59:59 2022 GMT
        Subject: emailAddress=j.doe@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

            X509v3 Subject Alternative Name: 
                email:j.doe@example.com

The main difference is that the self-signed certificate has a certificate subject of:
Subject: CN=Doe, John

The Sectigo certificate has a certificate subject of:
Subject: emailAddress=j.doe@example.com

Both certificates have a “Subject Alternative Name” of:

email:John.Doe@example.com
or
email:j.doe@example.com

Does Zammad only look at the certificate subject and ignore the “Subject Alternative Name”? Is this the reason why the self-signed certificate cannot be found for the user?

Thanks,
Thomas

I found out that the users with the self-signed certificates have created 2 different public keys with different key usage each. Both of these public keys were included in the attached smime.p7s file, but I imported only the first one, as I was not aware that there can be more than one public key within a p7s file.
After having both keys added everything works as it should.

Best regards,
Thomas

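The check that exposes a second certificate like the one described in the resolution above, as an added example (not part of the original posts and not Zammad code): it writes every certificate carried in an smime.p7s attachment to its own PEM file and reports each one's subject, e-mail addresses and key usage, so all of them can be reviewed before import. The function names and the cert-N.pem file names are hypothetical, and the OpenSSL command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: function and output file names are hypothetical.
# Assumes the OpenSSL CLI is available on PATH.

# split_p7s_certs <smime.p7s> <outdir>
# Writes cert-1.pem, cert-2.pem, ... into <outdir> and prints the number
# of certificates found. Returns non-zero if the file is not PKCS#7.
split_p7s_certs() {
    p7s=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    # smime.p7s attachments are normally DER encoded; fall back to PEM.
    bundle=$(openssl pkcs7 -inform DER -in "$p7s" -print_certs 2>/dev/null) ||
    bundle=$(openssl pkcs7 -inform PEM -in "$p7s" -print_certs 2>/dev/null) ||
        { echo "not a PKCS#7 file: $p7s" >&2; return 1; }
    # Route each BEGIN/END CERTIFICATE block to its own file.
    printf '%s\n' "$bundle" | awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }'
}

# describe_cert <cert.pem>
# Prints the subject, the e-mail addresses and the X509v3 Key Usage value
# (nothing for key usage if the extension is absent).
describe_cert() {
    openssl x509 -in "$1" -noout -subject -email
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}
```

A count greater than one from `split_p7s_certs` means the sender's signature carries several certificates; running `describe_cert` on each file shows which one is for signing and which for encryption. The order of the certificates inside the file is not significant.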