10

I have been working on this scenario for a week. I have implemented the code to authenticate client certificates using this link: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api.

A few questions are still there:

  1. How can I verify that the request certificate is from an authorized client only? (I know, using the private key, but how?)
  2. Currently I am using a self-signed SSL certificate and client certificate. From where and how can I get a trusted certificate? (I know, from a CA, but what is the actual process for that?)
  3. How can I issue a client certificate to my trusted clients?

I have so many ring answers for the above questions. I need a clean answer for the above questions. I am using ASP.NET 4.5 (Web API).

Any help will be appreciated.

S.L. Barth
DSA
  • I just created webkey, which might do something similar to what you were trying to do with client certificates. Webkey doesn't require a user to manually manage their keys: https://github.com/webkey-auth/webkey-auth.github.io – B T Apr 05 '16 at 02:09
  • @BT Actually I implemented the complete scenario, which is live now. Will post the complete solution once I get time. – DSA Apr 05 '16 at 09:47

1 Answer

11

Mutual TLS (aka Client Authentication) is a solution to this.

As for issuing certs, I wouldn't do that. I would take self-signed certs from the client and pin them directly to principals (users) in some manner. I would have a lookup table indexed by both common name and certificate public key to do that. This makes potential problems like cert revocation (delete the row) and CA compromise (none involved) much easier.

Alternatively you could request CSRs from clients and sign them using a CA you trust (either a third party or your own in-house CA if your org has the expertise and resources to protect it properly).

Here is a good high-level description from The Code Project and they have .NET sample code demonstrating it:

Mutual SSL authentication or certificate based mutual authentication refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the others' identity. In technology terms, it refers to a client (web browser or client application) authenticating themselves to a server (website or server application) and that server also authenticating itself to the client through verifying the public key certificate/digital certificate issued by the trusted Certificate Authorities (CAs). Because authentication relies on digital certificates, certification authorities such as Verisign or Microsoft Certificate Server are an important part of the mutual authentication process. From a high-level point of view, the process of authenticating and establishing an encrypted channel using certificate-based mutual authentication involves the following steps:

  1. A client requests access to a protected resource.
  2. The server presents its certificate to the client.
  3. The client verifies the server’s certificate.
  4. If successful, the client sends its certificate to the server.
  5. The server verifies the client’s credentials.
  6. If successful, the server grants access to the protected resource requested by the client.

SOURCE: http://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication

Alain O'Dea
  • Alain - Thanks for your help! One silly question: will the AuthenticateAsServer method from SslStream internally validate the client certificate with the server certificate? Bit confused on this, please clarify if possible. – DSA Sep 25 '15 at 10:16
  • If **clientAuthenticationRequired** is **true** then the SSL/TLS protocol handling code inside .NET will perform that check internally at that point in the handshake state machine. Which class implements that is largely immaterial to your code. – Alain O'Dea Sep 25 '15 at 14:42
  • Yes. It will happen automatically if you require client auth. – Neil Smithline Sep 25 '15 at 18:15
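The pinning scheme the answer recommends (take the client's self-signed cert, key a lookup table by common name plus public key, revoke by deleting the row, no CA involved) as a runnable example. This is added here and is not the answerer's code, nor .NET: it is written in Go because its standard library carries the whole TLS stack needed to run both sides of the handshake offline on a loopback port. The `pinTable` type, the principal name `alice`, the impostor with the same common name, and the one-day test certificates are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pinKey is the answer's lookup key: common name plus a hash of the certificate's
// SubjectPublicKeyInfo, so a client can renew an expired cert under the same key pair.
func pinKey(cert *x509.Certificate) string {
	spki := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("%s|%x", cert.Subject.CommonName, spki[:])
}

type pinTable map[string]string // pin key -> principal; stands in for the database table (assumed shape)

func (t pinTable) revoke(cert *x509.Certificate) { delete(t, pinKey(cert)) } // revocation is one row deletion

// verifyPinned runs as tls.Config.VerifyPeerCertificate on the server; by then the client has already proven it holds the private key, so only the lookup is left.
func (t pinTable) verifyPinned(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	leaf, err := x509.ParseCertificate(rawCerts[0]) // never empty: RequireAnyClientCert rejects that earlier
	if err != nil {
		return err
	}
	if _, ok := t[pinKey(leaf)]; !ok {
		return fmt.Errorf("client %q is not pinned to any principal", leaf.Subject.CommonName)
	}
	return nil
}

// selfSigned makes a throwaway self-signed certificate (constructed test data, valid for one day).
func selfSigned(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // the Go client matches ServerName against SANs, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail: CreateCertificate just produced it
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// handshake runs one mutual-TLS connection over loopback TCP and returns nil if the server accepted the
// client. Under TLS 1.3 Dial can finish before the server has judged the cert, so the server's verdict is returned.
func handshake(serverCert, clientCert tls.Certificate, table pinTable) error {
	serverConf := &tls.Config{
		Certificates:          []tls.Certificate{serverCert},
		ClientAuth:            tls.RequireAnyClientCert, // demand a cert, but build no CA chain
		VerifyPeerCertificate: table.verifyPinned,       // the pin lookup is the whole policy
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConf)
	if err != nil {
		return err
	}
	defer ln.Close()
	serverDone := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake() // runs verifyPinned
			conn.Close()
		}
		serverDone <- err
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverCert.Leaf) // the client trusts exactly this self-signed server cert
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert}, RootCAs: roots, ServerName: "localhost"})
	if clientErr == nil {
		conn.Close()
	}
	if err := <-serverDone; err != nil {
		return err
	}
	return clientErr
}

func main() {
	server, _ := selfSigned("localhost")
	alice, _ := selfSigned("alice")
	table := pinTable{pinKey(alice.Leaf): "alice"} // enrolment: pin alice's self-signed cert to her principal
	fmt.Println("pinned: ", handshake(server, alice, table))
	table.revoke(alice.Leaf)
	fmt.Println("revoked:", handshake(server, alice, table))
}
```

Two things the handshake alone does not make obvious: a second certificate carrying the same common name but a different key pair is refused, because the table is keyed on the public key and not on the name; and there is nothing to "revoke" beyond the row, since no chain was ever built. In ASP.NET Web API the same lookup would run against the certificate returned by `GetClientCertificate()` on the request, with the TLS stack having already proven key possession exactly as the comments above describe.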