
For a home automation project I have created an API (written in ASP.NET so hosted in IIS) and written my own Android app to communicate with this API. To prevent people from accessing specific endpoints in this API, I want to protect the endpoints that are not supposed to be public. Some will remain public for my statistics dashboard.

I have a client PKI certificate, which I purchased from an official and government recognized organisation, for the app and it has an OCSP responder URL included. When the app accesses the protected endpoints this certificate is included. Now the last step would be for the server to verify the validity of this certificate on incoming requests and I came up with the following possible scenarios:

  • Certificate is valid
  • Certificate's CA hierarchy is invalid (I am a programmer so my apologies if I butchered that sentence)
  • Certificate is expired (I suppose the OCSP responder will return that)
  • No certificate included

Can IIS solve this issue? I have only really found OCSP stapling which is not client certificate related. Basically the TLS handshake should be cancelled so the API cannot even be reached.

I am using HAProxy to route the requests to the correct server in my network. So if IIS is impossible, would HAProxy be able to do this?

Thanks!

Roel
  • If the certificate is expired, there should be no OCSP check done at all - the client should look at the time of validity first and reject it outright. OCSP checks should only be done if the certificate is within its window of validity, is issued by a trusted CA, etc. – Jenny D Jul 25 '19 at 08:31

1 Answer


IIS can validate client certificates using OCSP. HAProxy won't as far as I know. Your best bet is to pass the client certificate through to the IIS backend.

Note that you only use OCSP or Certificate Revocation List (CRL) to check the revocation status of a certificate - nothing else.

Therefore the validation of a certificate will still consist of checking the chain from certificate to a trust-anchor, checking the certificate hasn't expired and checking the certificate is for the correct key usage; regardless of whether OCSP (or CRLs) are used.

garethTheRed
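A worked example of the validation the answer describes (chain to a trust anchor, validity window, key usage, and revocation status via OCSP/CRL), added here as an illustration; it is not code from the question, the answer, or any project. It assumes ASP.NET running on .NET, where `X509Chain` from `System.Security.Cryptography.X509Certificates` performs the chain build and online revocation lookup, and that IIS has already accepted the client certificate during the handshake and handed it to the application (`HttpContext.Connection.ClientCertificate` in ASP.NET Core, or `new X509Certificate2(Request.ClientCertificate.Certificate)` in classic ASP.NET). The class and method names are hypothetical; the "Client Authentication" EKU OID is the standard one.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not from the question or the answer: validate a client
// certificate that IIS has forwarded to the application. The order of
// checks follows the comment above: reject expired/absent certificates
// before doing any network (OCSP/CRL) lookup.
public static class ClientCertificateValidator
{
    // Standard OID for the "Client Authentication" extended key usage.
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2";

    // Returns true only if every check passes; 'reason' explains the outcome
    // and maps onto the scenarios listed in the question.
    public static bool Validate(X509Certificate2 cert, out string reason)
    {
        if (cert == null)
        {
            reason = "No certificate included";
            return false;
        }

        // 1. Validity window, checked locally and first.
        DateTime now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
        {
            reason = "Certificate is expired or not yet valid";
            return false;
        }

        // 2. The certificate must be issued for client authentication.
        bool clientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext is X509EnhancedKeyUsageExtension eku)
            {
                foreach (Oid oid in eku.EnhancedKeyUsages)
                {
                    if (oid.Value == ClientAuthEkuOid) clientAuth = true;
                }
            }
        }
        if (!clientAuth)
        {
            reason = "Certificate is not issued for client authentication";
            return false;
        }

        // 3. Build the chain to a trust anchor in the machine store and check
        //    revocation of the whole chain online (OCSP responder or CRL from
        //    the certificate's AIA/CDP URLs). With NoFlag, an unknown or
        //    unreachable revocation status makes Build() return false, so
        //    "cannot check" is treated as "not valid".
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEkuOid));
            chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5);

            if (chain.Build(cert))
            {
                reason = "Certificate is valid";
                return true;
            }

            // Collect the individual failures (UntrustedRoot, PartialChain,
            // Revoked, RevocationStatusUnknown, NotTimeValid, ...) for logging.
            var sb = new StringBuilder("Chain validation failed:");
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                sb.Append(' ').Append(status.Status)
                  .Append(" (").Append(status.StatusInformation.Trim()).Append(')');
            }
            reason = sb.ToString();
            return false;
        }
    }
}
```

Two deployment notes follow from the answer. First, the certificate only reaches this code if IIS is configured to accept or require client certificates for the site; with "Require", IIS already rejects a handshake that presents no certificate, which is the behaviour the question asks for. Second, if HAProxy terminates TLS in front of IIS, the client certificate never reaches IIS, so HAProxy must forward the TLS connection unmodified (TCP mode) for this to work.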