Using the client certificate to select the database user

It is possible to use the client certificate for two purposes at once: proving that the connecting client is a valid one, and selecting the database user to be used for the connection.

For this, you set the authentication method to cert in the hostssl line:

hostssl   all    all    0.0.0.0/0         cert

As you can see, the clientcert=1 option used with hostssl to require client certificates is no longer required, being implied by the cert method itself.

When using the cert authentication method, a valid client certificate is required, and the cn (short for common name) attribute of the certificate is compared to the requested database username. The login is allowed only if the two match exactly.

It is possible to use a User Name Map to map the common names in the certificates to database usernames by specifying the map option:

hostssl   all    all    0.0.0.0/0         cert    map=x509cnmap

Here, x509cnmap is the name that we have arbitrarily chosen for our mapping. More details on User Name Maps are provided in the next recipe, Mapping external usernames to database roles.
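To make the two decision rules concrete (exact CN match without a map, and mapped match with map=x509cnmap), here is an added Python model of how the server decides whether a cert login is allowed; it is illustration code, not part of the original text or of PostgreSQL. The pg_ident.conf content is constructed for the example, and the model covers only plain and regular-expression rules with a \1 capture, not the all/+group forms of newer releases.

```python
import re

# Constructed pg_ident.conf content (assumption: map name x509cnmap as in the text).
# Format: MAP-NAME  SYSTEM-USERNAME  PG-USERNAME. A SYSTEM-USERNAME starting with "/"
# is a regular expression, and "\1" in PG-USERNAME receives its first capture group.
PG_IDENT_CONF = """
# MAPNAME   SYSTEM-USERNAME                 PG-USERNAME
x509cnmap   alice                           alice
x509cnmap   /^([a-z]+)@example\\.org$       \\1
x509cnmap   ops-admin                       postgres
"""

def parse_ident_map(text, map_name):
    """Return the (system-username, pg-username) rules of one map, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, system_user, pg_user = line.split()
        if name == map_name:
            rules.append((system_user, pg_user))
    return rules

def cert_login_allowed(cn, requested_user, rules=None):
    """Model the cert method: without a map the certificate CN must equal the
    requested database user; with a map, some rule must map the CN onto it."""
    if rules is None:
        return cn == requested_user
    for system_user, pg_user in rules:
        if system_user.startswith("/"):
            # Regex rule: searched against the CN; \1 in PG-USERNAME is the capture.
            m = re.search(system_user[1:], cn)
            if not m:
                continue
            mapped = pg_user.replace("\\1", m.group(1)) if m.groups() else pg_user
        elif system_user == cn:
            mapped = pg_user
        else:
            continue
        if mapped == requested_user:
            return True
    return False   # no rule produced the requested user: login rejected
```

Running cert_login_allowed("bob@example.org", "bob", parse_ident_map(PG_IDENT_CONF, "x509cnmap")) returns True, while the same CN asking for any other role is rejected.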