For a home automation project I have created an API (written in ASP.NET so hosted in IIS) and written my own Android app to communicate with this API. To prevent people from accessing specific endpoints in this API, I want to protect the endpoints that are not supposed to be public. Some will remain public for my statistics dashboard.
I have a client PKI certificate, which I purchased from an official and government recognized organisation, for the app and it has an OCSP responder URL included. When the app accesses the protected endpoints this certificate is included. Now the last step would be for the server to verify the validity of this certificate on incoming requests and I came up with the following possible scenarios:
- Certificate is valid
- Certificate's CA hierarchy is invalid (I am a programmer so my apologies if I butchered that sentence)
- Certificate is expired (I suppose the OCSP responder will return that)
- No certificate included
Can IIS solve this issue? I have only really found OCSP stapling which is not client certificate related. Basically the TLS-handshake should be cancelled so the API can not even be reached.
I am using HAProxy to route the requests to the correct server in my network. So if IIS is impossible, would HAProxy be able to do this?
Thanks!