We have server-to-server communications and we intend to use client certificates. Shall we use a self-signed certificate or a CA-issued one? Why?
In both cases - using self-signed and CA-issued - how do we validate, in the following server code, that the client certificate is valid?
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class CheckClientCertAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        // GetClientCertificate() returns the X509Certificate2 presented during the TLS handshake, or null.
        var cert = actionContext.Request.GetClientCertificate();
        if (cert == null)
        {
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                ReasonPhrase = "Client Certificate not present in the HTTP request."
            };
            return;
        }
        // How do I make sure the client certificate is valid here?
        base.OnAuthorization(actionContext);
    }
}
If you can afford to purchase it, you should use a "real" certificate, preferably a corporate certificate issued from your company's own intermediate certificate authority which is in turn signed by a trusted root authority.
The reason you want to do it this way is deployment. If you use a common, trusted root authority, you don't have to go around and install your own root authorities on all of your servers. Not only would that be a pain in the rear, you'd create a pretty good avenue of attack for a hacker, since all other software running on that machine will trust that root authority too.
As for validation, since you are doing it in code, you can validate anything you want. If you want to be very strict, you can validate the serial number (although this creates a bit of a maintenance headache when you have to renew the certificate). Another common way to validate it would be to inspect the subject or the common name fields. If you do it right, you can renew the certificate without needing to reconfigure your application, because the fields you are inspecting remain the same.
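One way to put the above into the filter from the question, written as an added example rather than the answerer's own code: build the chain against the machine trust store (so a corporate intermediate CA only needs its root trusted), then pin the issuer and subject CN, which survive a renewal where a serial number would not. The CA and client names, and the ASP.NET Web API filter types, are assumptions for this example; the client-auth EKU OID is the standard one.

```csharp
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class CheckClientCertAttribute : AuthorizationFilterAttribute
{
    // Assumed values: the CN of the corporate issuing CA and of the only client allowed to call us.
    private const string ExpectedIssuerCn = "Example Corp Issuing CA";
    private const string ExpectedSubjectCn = "api-client.example.internal";

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string failure = Validate(actionContext.Request.GetClientCertificate());
        if (failure != null)
        {
            actionContext.Response = new HttpResponseMessage(HttpStatusCode.Forbidden)
            {
                ReasonPhrase = failure
            };
            return;
        }
        base.OnAuthorization(actionContext);
    }

    // Returns null when the certificate is acceptable, otherwise the reason it was rejected.
    internal static string Validate(X509Certificate2 cert)
    {
        if (cert == null)
            return "Client certificate not present in the HTTP request.";

        // 1. The chain must build to a trusted root, pass revocation checks and carry the
        //    client-authentication EKU; a self-signed certificate fails here unless it was
        //    explicitly installed in the trusted store, which is the deployment cost the answer describes.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // id-kp-clientAuth
        if (!chain.Build(cert))
            return "Client certificate chain could not be validated.";

        // 2. Pin the issuer and subject CN rather than the serial number, so renewal needs no reconfiguration.
        if (cert.GetNameInfo(X509NameType.SimpleName, true) != ExpectedIssuerCn)
            return "Client certificate was not issued by the expected CA.";
        if (cert.GetNameInfo(X509NameType.SimpleName, false) != ExpectedSubjectCn)
            return "Client certificate subject is not authorised for this endpoint.";
        return null;
    }
}
```

Validate() is kept as a static method so it can be exercised in unit tests with certificates loaded from test fixtures, without spinning up a TLS listener.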