Tags: azure-service-fabric, asp.net-core-webapi

Service Fabric stateless API certificate-based authentication


I was asked to secure my stateless API endpoint using certificate-based authentication. I read about the subject and realized I needed to create a middleware to inspect the request and check for the x-ARR-ClientCert header, in order to check whether the certificate is valid or not based on some thumbprint. So far, so good.

The problem is that I can't test the middleware, because I have no idea how to send such a header. I already have a self-signed certificate (.crt) and a key (.key). I tried with Postman, but I can't see the x-ARR-ClientCert header being sent while debugging in VS2017.

Any Help?

Edit 1

I'm following this tutorial: https://blogs.msdn.microsoft.com/kaevans/2016/04/13/azure-web-app-client-certificate-authentication-with-asp-net-core-2/

I know it's a bit old, but at the end the writer shows the browser asking for a certificate, and I just can't get the browser to ask for the certificate.

One thing I forgot to mention here is that my API is on a local Service Fabric cluster, so that might be the problem.

Edit 2

For Postman, I've followed this tutorial: Postman Tutorial, but had no luck: first I had to turn off SSL verification, and then, after adding the certificate to Postman, the x-ARR-ClientCert header wasn't being sent.

I've also tried curl:

    curl --cert cert.crt --key client.key https://localhost/api/values --insecure

but still the x-ARR-ClientCert header isn't being sent.


Solution

  • I am not sure what you are trying to accomplish...

    In mutual certificate authentication, the browser handles the authentication/certificate exchange: when the user tries to access an endpoint secured by a client certificate, the server tells the client (browser) that it requires a certificate to accept the connection, and the browser pops up a message asking the user for a certificate to use. There is a nice write-up about it here.

    If the plan is to do it for automation, the Postman blog has an article on how to set up client certificates for this scenario. The other option is to send the certificate using curl, as described here.

    Secondly, you are reinventing the wheel: there are already ready-to-use implementations in Kestrel using HttpsConnectionAdapterOptions.ClientCertificateMode = RequireCertificate, and some authorization middlewares here and here.

    And finally, make sure that there is no proxy in the middle, or that the proxy or gateway is not removing the certificate from the client connection.
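Putting the answer's two suggestions together as an added example (this is not code from the question, the answer, or any of the linked articles): a minimal ASP.NET Core (.NET 6+) API in which Kestrel demands a client certificate during the TLS handshake via ClientCertificateMode.RequireCertificate, and a middleware that lets a request through only when the certificate's SHA-256 fingerprint is on an allow-list. Because the question uses a self-signed client certificate, the default chain validation would reject it, so the allow-list check is also done in Kestrel's ClientCertificateValidation callback rather than relying on a trusted chain. The fingerprint value, the `trustGatewayHeader` switch and the route are placeholders/assumptions; the X-ARR-ClientCert header is only read when you explicitly opt in, because only a trusted gateway (Azure App Service / ARR sets it) makes that header meaningful, and trusting it from an unknown source would let a client forge it.

```csharp
// Added example, not code from the question or the answer above. A minimal
// ASP.NET Core (.NET 6+) API that demands a client certificate during the TLS
// handshake (Kestrel ClientCertificateMode.RequireCertificate) and then lets a
// request through only if the certificate's SHA-256 fingerprint is allow-listed.
// Run `dotnet dev-certs https --trust` once so Kestrel has a server certificate.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Https;

// ASSUMPTION (placeholder): replace with the SHA-256 fingerprint of client.crt:
//   openssl x509 -in client.crt -noout -fingerprint -sha256
// with the colons removed; the comparison below is case-insensitive.
string[] allowedFingerprints =
{
    "0000000000000000000000000000000000000000000000000000000000000000",
};

// ASSUMPTION: set to true only when the app runs behind a gateway that you know
// sets X-ARR-ClientCert (Azure App Service / ARR does) and strips any copy the
// client itself sent. With Kestrel exposed directly it must stay false, or
// anyone holding a public copy of an allowed certificate could forge the header.
bool trustGatewayHeader = false;
const string GatewayCertHeader = "X-ARR-ClientCert";

// Pin on SHA-256 of the DER certificate rather than the SHA-1 Thumbprint property.
bool IsAllowed(X509Certificate2 cert)
{
    string fp = Convert.ToHexString(cert.GetCertHash(HashAlgorithmName.SHA256));
    return allowedFingerprints.Any(a => string.Equals(a, fp, StringComparison.OrdinalIgnoreCase));
}

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ConfigureHttpsDefaults(https =>
    {
        // The TLS handshake itself fails if the client presents no certificate.
        https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

        // A self-signed client cert yields RemoteCertificateChainErrors, so the
        // default validation would reject it; accept it only if it is pinned.
        https.ClientCertificateValidation = (cert, chain, errors) =>
            cert is not null && IsAllowed(cert);
    });
});

var app = builder.Build();

// Second line of defence: re-check the certificate on every request, and
// optionally accept the gateway-supplied header when a trusted gateway exists.
app.Use(async (context, next) =>
{
    X509Certificate2? cert = context.Connection.ClientCertificate;

    if (cert is null && trustGatewayHeader &&
        context.Request.Headers.TryGetValue(GatewayCertHeader, out var headerValue))
    {
        try
        {
            // ARR places the DER certificate, base64-encoded, in the header.
            cert = new X509Certificate2(Convert.FromBase64String(headerValue.ToString()));
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException)
        {
            cert = null; // malformed header: treat the request as unauthenticated
        }
    }

    if (cert is null || !IsAllowed(cert))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        await context.Response.WriteAsync("a trusted client certificate is required");
        return;
    }

    await next(context);
});

app.MapGet("/api/values", () => new[] { "value1", "value2" });

app.Run();
```

To exercise it locally, run the app and call it with the client key pair from the question, e.g. `curl --cert client.crt --key client.key --insecure https://localhost:5001/api/values` (use whichever port `dotnet run` prints; `--insecure` only skips verification of the server's dev certificate). The certificate then arrives through the TLS handshake and shows up in `HttpContext.Connection.ClientCertificate`; no X-ARR-ClientCert header will appear on a local Kestrel or Service Fabric endpoint, because that header is added by the Azure front end, not by Kestrel, curl or Postman, which is why inspecting the header in the debugger never showed it. Without `--cert`, or with a certificate whose fingerprint is not in the list, the handshake (or the middleware) rejects the request.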