How can I verify (or is it possible to verify) that a user certificate belongs to a given user?
For example, in an e-Voting system I want to prohibit that a user A who has a certificate C1 votes for other people.
How can I detect, when someone presents C1 and tries to vote as, say, user B, that this is the wrong combination, and deny him the right to vote?
Is it even possible to do this with certificates, or should I additionally use a username and password to confirm identity?
Use the subject field of the X509 certificate to identify the person. That cannot be forged, given that you fully trust the certificate issuer.
If person B has access to person A's certificate, he/she could certainly vote in his/her place, but you cannot do much at this stage (add a password? Who guarantees that B does not know that as well?).
A severe issue is that in many (if not all) democratic voting systems, the vote is secret. By having the user identify him/herself via a certificate and possibly storing identity info in their session, you are failing to honour this basic constraint.
If the application is critical (i.e. a real, regional/national e-Voting system), then:
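The check the answer describes, written out as an added example that is not part of this thread: a constructed election CA issues each voter a client-authentication certificate whose subject CN is the identifier the voter registry knows them by, and `VerifyVoter` refuses any (certificate, claimed identity) pair that either does not chain to that CA or whose subject CN does not match the claim. Everything here is assumed for illustration (the `VoterCA` type, the `VerifyVoter` function, the `voter-A` / `voter-B` identifiers); it uses only Go's standard `crypto/x509` package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VoterCA is a constructed, in-memory issuing authority for this example.
// A real election authority would keep its signing key in an HSM.
type VoterCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
	Pool *x509.CertPool // trust store handed to the verifier
}

// NewVoterCA creates a self-signed CA certificate valid for ten years.
func NewVoterCA(name string) (*VoterCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &VoterCA{Cert: cert, Key: key, Pool: pool}, nil
}

// IssueVoterCert issues a client-auth certificate whose subject CN is the
// voter's registry identifier. The DER-encoded certificate is returned.
func (ca *VoterCA) IssueVoterCert(voterID string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: voterID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
}

// VerifyVoter is the binding check from the answer: the presented certificate
// must chain to the trusted election CA, be valid at `now`, carry the
// client-auth usage, and name the voter the caller claims to be. It assumes
// the transport (mutual TLS) has already proved possession of the private key.
func VerifyVoter(trusted *x509.CertPool, certDER []byte, claimedVoterID string, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("malformed certificate: %w", err)
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("certificate not issued by a trusted authority: %w", err)
	}
	// The subject CN is the authenticated identity; a claim sent alongside the
	// certificate is accepted only if it matches. Anything else is refused.
	if cert.Subject.CommonName != claimedVoterID {
		return errors.New("certificate subject does not match claimed voter")
	}
	return nil
}

func main() {
	ca, err := NewVoterCA("Example Election CA")
	if err != nil {
		panic(err)
	}
	certA, err := ca.IssueVoterCert("voter-A", time.Now().AddDate(0, 0, 30))
	if err != nil {
		panic(err)
	}
	now := time.Now()
	fmt.Println("A presenting C1 as voter-A:", VerifyVoter(ca.Pool, certA, "voter-A", now))
	fmt.Println("A presenting C1 as voter-B:", VerifyVoter(ca.Pool, certA, "voter-B", now))
}
```

In a deployed system the certificate reaches the server through TLS client authentication (`tls.Config` with `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs` set to the election pool), which is what proves the presenter actually holds the matching private key; `VerifyVoter` then runs on the leaf of `ConnectionState().VerifiedChains[0]`. Presenting someone else's certificate file without its key does not get past that handshake, which is the gap the answer's "if B has A's certificate" remark leaves open.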