We have a webapi hosted on azure, we need to enable TLS Mutual Authentication.

My question is, how do I restrict the calls to only allow requests coming from one (or set of) certificates that I know the caller will be sending. I can read some properties from HttpContext.Connection.GetClientCertificateAsync();

Should I just match these properties or is there a better way to make sure calls are only handled with certificates known to our API.

Thanks

Ali

2 Answers

Once you enable the client certificate authentication on your Web App in Azure App Service, the service accepts all client certificates by default. You can restrict the certificates by writing some custom code in Application_AuthenticateRequest method in global.asax file or by creating a new HTTP Module as described in https://msdn.microsoft.com/en-us/magazine/dn201748.aspx (assuming this is an ASP.NET application)

Inside the AuthenticateRequest, you can put code similar to IsValidClientCertificate() method as described in the article https://learn.microsoft.com/en-in/azure/app-service/app-service-web-configure-tls-mutual-auth which shows you various ways to check the client certificate that your Web Api got. Based on your requirement, you can customize this function.

Hope this helps....

Puneet Gupta
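A worked example added to this page, not part of Puneet Gupta's answer or of the Microsoft article he links: an ASP.NET Core middleware that does what the question asks, accepting a request only when the presented client certificate is one of a fixed set the API knows. It pins on the certificate thumbprint rather than on subject or issuer alone, because any CA can issue a certificate with the same subject string, while the thumbprint identifies one exact certificate. Assumptions (none are from the original page): the app uses HttpContext.Connection.GetClientCertificateAsync() as in the question; the placeholder thumbprints are constructed and must be replaced with the real values; and the fallback to the X-ARR-ClientCert header relies on the Azure App Service front end forwarding the certificate in that header after it terminated TLS.

```csharp
// Added example (not from the question, the answers, or the linked article):
// middleware that rejects any request whose client certificate is not on an
// explicit allow-list of thumbprints. Assumes ASP.NET Core 2.x or later.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

public static class ClientCertificatePolicy
{
    // SHA-1 thumbprints (upper-case hex, no spaces) of the certificates the API trusts.
    // Placeholder values; load the real ones from configuration or Key Vault.
    private static readonly HashSet<string> AllowedThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "0000000000000000000000000000000000000000", // placeholder: caller A
        "1111111111111111111111111111111111111111"  // placeholder: caller B
    };

    // Returns a rejection reason, or null when the certificate is acceptable.
    // The validity window is checked explicitly because a pinned thumbprint
    // still matches an expired certificate.
    public static string Validate(X509Certificate2 cert, DateTime nowUtc)
    {
        if (cert == null) return "no client certificate presented";
        if (nowUtc < cert.NotBefore.ToUniversalTime() || nowUtc > cert.NotAfter.ToUniversalTime())
            return "certificate outside its validity period";
        if (!AllowedThumbprints.Contains(cert.Thumbprint))
            return "thumbprint not in allow-list";
        return null;
    }
}

public class RequireKnownClientCertificateMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<RequireKnownClientCertificateMiddleware> _logger;

    public RequireKnownClientCertificateMiddleware(
        RequestDelegate next, ILogger<RequireKnownClientCertificateMiddleware> logger)
    {
        _next = next;
        _logger = logger;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Case 1: Kestrel terminated TLS itself, so the certificate is on the connection.
        X509Certificate2 cert = await context.Connection.GetClientCertificateAsync();

        // Case 2 (assumption): behind the Azure App Service front end, TLS is terminated
        // there and the certificate arrives base64-encoded in X-ARR-ClientCert.
        // Only trust this header when the front end is guaranteed to be the sole path
        // to the app; a directly reachable app could otherwise be handed a forged header.
        if (cert == null && context.Request.Headers.TryGetValue("X-ARR-ClientCert", out var header))
        {
            try { cert = new X509Certificate2(Convert.FromBase64String(header[0])); }
            catch (FormatException) { cert = null; }          // header was not valid base64
            catch (CryptographicException) { cert = null; }   // bytes were not a DER certificate
        }

        string reason = ClientCertificatePolicy.Validate(cert, DateTime.UtcNow);
        if (reason != null)
        {
            // Log the rejection so repeated attempts with unknown certificates are visible.
            _logger.LogWarning("Rejected client certificate from {RemoteIp}: {Reason}",
                context.Connection.RemoteIpAddress, reason);
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        await _next(context);
    }
}

public static class RequireKnownClientCertificateExtensions
{
    // Register early in the pipeline, before MVC/endpoints:
    //   app.UseRequireKnownClientCertificate();
    public static IApplicationBuilder UseRequireKnownClientCertificate(this IApplicationBuilder app)
        => app.UseMiddleware<RequireKnownClientCertificateMiddleware>();
}
```

Two design points worth keeping in mind. Pinning the thumbprint means the allow-list has to be updated every time a caller renews its certificate, so keep it in configuration rather than in code. And the middleware does not validate the chain, which is acceptable here only because the thumbprint already identifies the exact certificate and the TLS handshake (done by Kestrel or by the App Service front end) has proven the caller holds the matching private key.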

It is not possible to limit the number of accepted certificates in such a way that it gives the user a limited choice of client certificates as it is with IIS. I've filed a suggestion for this to Microsoft.

https://feedback.azure.com/forums/169385-web-apps/suggestions/35566390-limit-number-of-accepted-client-certificates-when

Fknut