I have a web application that uses Forms Auth against a custom user store. We want to extend our Users entity so we can configure a client certificate to use in lieu of username/password.
I have successfully configured IIS to accept client certificates, and I can inspect the client certificate in my security module's AuthorizeRequest event and validate it. The final step is to be able to associate the provided client certificate with a user. For testing purposes, I am currently recording a certificate's subject name in my Users table, and looking up a user that way.
Of course, that isn't adequate for production. What should I store in my Users table from the client certificate so I can look up and log the user in?
You should use the certificate's thumbprint as the key for storing or looking up the certificate, or for looking up the user given the certificate. More info here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate2.thumbprint.aspx
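As an added example of the lookup the answer recommends (this is not the asker's code, nor material from the linked MSDN page), here is a hypothetical HttpModule for classic ASP.NET that hooks AuthorizeRequest, rebuilds an X509Certificate2 from the certificate IIS received, re-verifies the chain in code, and resolves the user by normalized thumbprint. The in-memory dictionary stands in for the Users table, its single entry is a placeholder, and the module, event handler and helper names are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Hypothetical module (example code, not from the question or the answer).
public class ClientCertificateAuthModule : IHttpModule
{
    // Constructed stand-in for the Users table: maps a certificate thumbprint
    // (uppercase hex of the SHA-1 over the DER-encoded certificate) to a user.
    // In production this is a column on the Users table with a unique index.
    private static readonly IDictionary<string, string> UsersByThumbprint =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            // placeholder thumbprint, not a real certificate
            { "0000000000000000000000000000000000000000", "placeholder.user" }
        };

    public void Init(HttpApplication app)
    {
        app.AuthorizeRequest += OnAuthorizeRequest;
    }

    public void Dispose() { }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var ctx = ((HttpApplication)sender).Context;

        // A valid Forms ticket already identifies the user; nothing to do.
        if (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            return;

        HttpClientCertificate clientCert = ctx.Request.ClientCertificate;
        // No certificate, or IIS rejected it: fall through to the normal Forms login.
        if (!clientCert.IsPresent || !clientCert.IsValid)
            return;

        // Rebuild the X509Certificate2 from the raw DER bytes IIS hands us.
        var cert = new X509Certificate2(clientCert.Certificate);

        // Do not trust the mapping unless the certificate chains to a trusted root.
        if (!ChainsToTrustedRoot(cert))
            return;

        string userName;
        if (!TryResolveUser(cert, out userName))
            return; // unknown certificate: treat as not logged in

        // Issue the Forms ticket so later requests do not repeat this work.
        FormsAuthentication.SetAuthCookie(userName, false);
        ctx.User = new GenericPrincipal(
            new GenericIdentity(userName, "ClientCertificate"), new string[0]);
    }

    // Thumbprint is hex with no separators; force one case so the stored value
    // and the computed value compare byte-for-byte in the database.
    public static string NormalizeThumbprint(X509Certificate2 cert)
    {
        return cert.Thumbprint.ToUpperInvariant();
    }

    // Look up the user by thumbprint; returns false when no user is bound to it.
    public static bool TryResolveUser(X509Certificate2 cert, out string userName)
    {
        return UsersByThumbprint.TryGetValue(NormalizeThumbprint(cert), out userName);
    }

    // IIS already validated the certificate, but re-checking the chain in code
    // means the mapping stays safe even if the IIS setting is later loosened.
    private static bool ChainsToTrustedRoot(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            return chain.Build(cert);
        }
    }
}
```

Two practical consequences of keying on the thumbprint: because it is a hash of the whole DER-encoded certificate, a renewed certificate gets a new thumbprint and the Users row has to be updated at renewal time, and because the lookup only proves "this certificate is bound to this user", the chain check before the lookup is what proves the certificate itself is trustworthy, so keep both steps.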