Over the past few months, several people have asked me how to accept client certificates on a service. The scenario is something like the following:

  • A web service owner wants to limit access to the service to authorized clients
  • authorized clients identify themselves using a certificate
  • the certificate may or may not be issued by a trusted root
  • there may be lots and lots of client certificates
  • clients and servers use WS-* compliant stack

This discussion was happening enough that I thought it beneficial to have a quick sample to point to. Here’s my approach to the scenario:

The trick is to check the certificate thumbprint in ServiceAuthorizationManager on the Service. This allows the service to trust a large number of certificates from lots of different issuers. You just lookup the certificate in your store (DB, Azure storage, etc.).

This isn’t the only way to tackle the problem, but I think it gets the job done.