When you choose to use a client certificate as your client credential over SSL, you want to retrieve the X.509 certificate on the server side to do authorization. It is very simple with the latest Web API bits. If you have access to the request message anywhere in the pipeline, such as a message handler, an action filter or the action itself, you can simply call the GetClientCertificate extension method shown below. Please be careful: GetClientCertificate returns null if the client did not send a valid certificate, so check for null before using the result.
Getting the client certificate is easy, but setting it up correctly on web host and on self host is not that easy. The following instructions walk you through the process step by step, first for web host and then for self host.
Web host, step 1: in IIS Manager, open the SSL Settings for the site and select Require under client certificates.
Step 2: write a custom message handler that verifies the client certificate is one you expect.
Step 3: register the custom message handler.
Step 4: write a RequireAdminAttribute.
Step 5: add the RequireAdminAttribute to the action.
Now your GET action can only be accessed by administrators.
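The following is an added example (not the original post's code) of what steps 2 through 5 look like together: a message handler that calls GetClientCertificate, handles the null case, pins the certificate by thumbprint, and attaches a principal, plus the RequireAdminAttribute that checks it. The thumbprint value, the role name "Administrator" and the handler and attribute names are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Step 2: message handler that inspects the client certificate.
public class ClientCertificateHandler : DelegatingHandler
{
    // Assumed allow-list of administrator certificate thumbprints
    // (constructed placeholder; load from configuration in a real deployment).
    private static readonly string[] AdminThumbprints =
        { "0000000000000000000000000000000000000000" };

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Returns null when the client sent no (valid) certificate.
        X509Certificate2 cert = request.GetClientCertificate();
        // Verify() checks the chain and validity period; pinning by
        // thumbprint then decides whether the holder is an administrator.
        if (cert != null && cert.Verify())
        {
            bool isAdmin = AdminThumbprints.Any(t =>
                string.Equals(t, cert.Thumbprint, StringComparison.OrdinalIgnoreCase));
            var identity = new GenericIdentity(cert.Subject, "ClientCertificate");
            var roles = isAdmin ? new[] { "Administrator" } : new string[0];
            Thread.CurrentPrincipal = new GenericPrincipal(identity, roles);
        }
        return base.SendAsync(request, cancellationToken);
    }
}

// Step 4: authorization filter that requires the Administrator role.
public class RequireAdminAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        if (principal == null || !principal.IsInRole("Administrator"))
            actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Forbidden);
    }
}

// Step 3: config.MessageHandlers.Add(new ClientCertificateHandler());
// Step 5: decorate the GET action with [RequireAdmin].
```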
Self host, step 1: tell the WCF transport that you want the client to send a certificate over SSL.
Step 2: write some client code to pick a certificate to send.
Implement GetClientCertificate to retrieve a certificate programmatically.
Then repeat steps 2 through 5 from the web host section to complete the setup.
Hope this helps.