I'm writing a web service using ASP.NET Web API 2. I'm using client certificates to authenticate the client to the server, and I've read pretty much everything I've been able to find about that, but I'm still not sure how it works, so I would like someone to confirm my thoughts or tell me I'm wrong.
The client certificate is validated during the TLS handshake and if the client doesn't present a valid certificate with a valid private signature, the certificate isn't sent to the server but the request still is. Is this correct?
I add the client certificate to the request like this:
HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);
request.ClientCertificates.Add(certificate);
This Add method, from what I can tell, just adds the certificate to the certificate collection. Will it also actually sign the request itself with the certificate?
Using client certificates like this, will it give any validation of the request itself? The way I understand it, it won't, but I would like to have that verified.
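A server-side check for the setup described in the question, added here as an example that is not part of the original post: a Web API 2 message handler that rejects any request arriving without a trusted client certificate. The handler name and the thumbprint placeholder are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler name. Register it in WebApiConfig with
// config.MessageHandlers.Add(new ClientCertificateHandler());
public class ClientCertificateHandler : DelegatingHandler
{
    // Placeholder: thumbprint of the client certificate this service expects.
    private const string ExpectedThumbprint = "<EXPECTED-CLIENT-CERT-THUMBPRINT>";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // GetClientCertificate() and CreateResponse() are Web API 2 extension
        // methods (System.Web.Http.dll, namespace System.Net.Http).
        // The certificate is null when the TLS handshake completed without one,
        // so the request must be refused here rather than assumed authenticated.
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null || !IsTrusted(cert))
        {
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden));
        }

        // The certificate identifies the peer of the TLS connection. The HTTP
        // request carries no signature of its own; its integrity in transit
        // comes from the TLS session.
        return base.SendAsync(request, cancellationToken);
    }

    private static bool IsTrusted(X509Certificate2 cert)
    {
        // Build the chain against the machine trust store with revocation checking.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
        {
            return false;
        }

        // Pin to the expected certificate so that any other certificate issued
        // by a trusted CA is not accepted as this client.
        return string.Equals(cert.Thumbprint, ExpectedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```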