Hi,
we plan to use client certificates to authenticate the users of our web application. Therefore we make the root certificate accessible on the web server and configure IIS (unfortunately we still use IIS 6...) to require a client certificate. The certificate chain looks like:
- {root certificate}
  - {intermediate certificate A}
    - {client certificate A1}
    - {client certificate A2}
    - ...
  - {intermediate certificate B}
    - {client certificate B1}
    - {client certificate B2}
    - ...
  - ...
But we can't find an answer to our question: who is responsible for validating the client certificate and verifying that it is valid? In my opinion IIS does all the certificate validation and verification work and the ASP.NET WebForm page only needs to check the result:

    if (System.Web.HttpContext.Current.Request.ClientCertificate.IsPresent &&
        System.Web.HttpContext.Current.Request.ClientCertificate.IsValid)
    {
        // success --> read data from the client certificate to authenticate the user
    }
    else
    {
        // error --> authentication failed
    }

Am I right? Or is it necessary to validate the whole thing within the code-behind of the WebForm page too? Any help/advice is appreciated.
Kind regards,
Christian
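As an added example (not code from the poster), the following C# helper shows what an application-side check in the WebForms code-behind can add on top of IIS's IsPresent/IsValid result: it rebuilds the chain with revocation checking, requires the Client Authentication EKU, and confirms that the chain ends at the organisation's own root CA rather than at any root the server happens to trust. The root thumbprint, the method name and the caller are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class ClientCertCheck
{
    // Placeholder: replace with the SHA-1 thumbprint of your own root CA.
    const string ExpectedRootThumbprint = "PLACEHOLDER_ROOT_CA_THUMBPRINT";

    // Returns true only if IIS accepted the certificate AND our own checks pass.
    // 'reason' carries a short explanation for logging when the check fails.
    public static bool IsTrustedClientCert(HttpClientCertificate clientCert, out string reason)
    {
        reason = null;
        if (!clientCert.IsPresent) { reason = "no client certificate presented"; return false; }
        if (!clientCert.IsValid)   { reason = "IIS reported the certificate as invalid"; return false; }

        // Raw DER bytes as handed over by IIS.
        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        X509Chain chain = new X509Chain();
        // Check revocation for every certificate in the chain, not just the leaf.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        // Require the Client Authentication extended key usage (id-kp-clientAuth).
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        try
        {
            if (!chain.Build(cert))
            {
                // Report the first chain problem (expired, revoked, untrusted root, ...).
                reason = chain.ChainStatus.Length > 0
                    ? chain.ChainStatus[0].Status + ": " + chain.ChainStatus[0].StatusInformation
                    : "chain could not be built";
                return false;
            }

            // The last element is the root the chain terminated at; it must be OUR root,
            // otherwise any CA in the machine's trust store could issue accepted certificates.
            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, ExpectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            {
                reason = "chain does not terminate at the expected root CA";
                return false;
            }
            return true;
        }
        finally { chain.Reset(); }
    }
}
```

From the page's code-behind this replaces the bare IsPresent/IsValid test: call IsTrustedClientCert(HttpContext.Current.Request.ClientCertificate, out reason) and only then read the subject or serial number to identify the user.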