An old post. But since I am writing about AuthenticationHandler..this is still relevant!
Another RTM feature I was waiting for is (reasonable) SSL client certificate support in Web API.
Just like all the other authentication methods, you configure client certificate support on the AuthenticationConfiguration object. The following code configures the certificate to chain validation + check for a specific issuer subject name:
Validation modes are:
- Chain validation only
- Peer validation
- Chain validation + issuer certificate thumbprint
- Chain validation + issuer subject name
- Thumbprint only
On the client side, this is the necessary code to include a client certificate with the call: