jonho

Reputation: 1738

Client Certificates and Web API

I have a Web Forms site that will be calling my IIS-hosted Web API service. Both the site and the Web API are hosted on the same physical machine. We also have an x509 certificate on this same machine.

I would like the Web API to use this certificate to authenticate requests, so that it will only accept requests from clients that "use" this certificate.

When I say "use" I was thinking to do either:

  1. To use Request.ClientCertificates.Add(myCert); and then in the API - retrieve the certificate from the request and validate it.

  2. Or if this is too fiddly to set up (see question below) - to simply sign or encrypt a token (a single word) in a request header. And then verify or decrypt the token in the API service.

My question is - for option 1.

I am unclear about client certs. When I am developing the client and the service, do I need to set up SSL, load the certificate into IIS and debug in IIS to test/debug this? Or can I test the end to end call just using WebDev?

The reason I ask this - when I tried to do a very simple example in WebDev, I added the certificate to the collection client side, and yet the certificate was not present in the request when the Web API received the request.

Thanks a lot.

Upvotes: 1

Views: 2112

Answers (1)

Davin Tryon

Reputation: 67336

> I am unclear about client certs. When I am developing the client and the service, do I need to set up SSL, load the certificate into IIS and debug in IIS to test/debug this? Or can I test the end to end call just using WebDev?

In order to use client certificates you must be connecting over SSL (mutual authentication). So, it would mean setting up the web server with a server certificate and then generating a client certificate to be attached to the client request.

IIS and IIS Express both support SSL, but the Visual Studio development web server does not.

Upvotes: 1
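
Option 1 from the question, sketched end to end as an added example (not code from the question or the answer). The class names and the thumbprint placeholder are assumptions, and the site is assumed to run under IIS or IIS Express with SSL enabled and client certificates accepted:

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Server side (Web API): reject any request whose TLS client certificate
// is missing, fails validation, or is not the one expected certificate.
public class ClientCertificateHandler : DelegatingHandler
{
    // Placeholder: replace with the thumbprint of the certificate on your machine.
    private const string ExpectedThumbprint = "<EXPECTED-CERT-THUMBPRINT>";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Null when the connection is plain HTTP or the server did not
        // negotiate a client certificate during the TLS handshake.
        X509Certificate2 cert = request.GetClientCertificate();

        bool accepted = cert != null
            && cert.Verify() // basic chain validation using machine policy
            && string.Equals(cert.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);

        if (!accepted)
        {
            return Task.FromResult(request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Client certificate required."));
        }
        return base.SendAsync(request, cancellationToken);
    }
}

// Client side (Web Forms): attach the certificate to an HTTPS request.
public static class ApiClient
{
    public static HttpWebResponse Call(Uri httpsUri, X509Certificate2 clientCert)
    {
        if (httpsUri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Client certificates are only sent over HTTPS.");

        var request = (HttpWebRequest)WebRequest.Create(httpsUri);
        request.ClientCertificates.Add(clientCert); // needs access to the private key
        return (HttpWebResponse)request.GetResponse();
    }
}
```

Register the handler with config.MessageHandlers.Add(new ClientCertificateHandler()); in the Web API configuration. The account running the Web Forms application pool needs read access to the certificate's private key, otherwise the certificate is silently left out of the handshake.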
