Does IIS do the SSL certificate check or do I have to verify it?

Question

I have a IIS set up to only accept client connections with a SSL certificate. I have a WCF service running on IIS. I have a Certification Authority in the servers trusted CAs. Now, when a client connects to the service, does IIS validate that the client certificate was issued by one of my trusted CAs? Or do I have to do the validation in my WCF service?

Also if I want the service to only accept connections from one particular CA (not all of my trusted CAs, just one) , would I have to do the verification in the service code?

Answer 1

If you configured IIS to demand mutual HTTPS (SSL with client certificates) the IIS / http.sys is responsible for validating the certificate and client certificate must be either in trusted people store or it must be issued by trusted CA. The certificate is validated during security handshake for establishing SSL connection. When IIS is used to host WCF service this validation is done outside of WCF (in case of self hosting you can use custom certificate validation).

If you want to restrict access to the service to only limited subset of clients (with certificates issued by just single CA) you should move this requirement from authentication (validating certificate) to authorization = custom AuthorizationPolicy in your WCF service where you will validate that certificate was issued by correct CA = the client is authorized to call your service.

Trusted issuers can be also configured on system level with netsh - check sslctlidentifier and sslctlstorename. This configuration will be global for the whole port (web site) so if you have multiple web applications or services with different requirements hosted on the same port this will not be an option for you.

Answer 2

Yes, IIS validates client certificate for mutual authentication, you don't have to check it in your web service code.
Check this article, it will be more clear.