The title says it all.
There are certainly ways to do hosting specific tricks - but the concept of client certs should be baked into Web API itself. This is important for security scenarios.
From an OM point of view this logically belongs on HttpRequestMessage (in one or the other way).
Comments: SSL uses SSL certs (never heard the term layer 4 certs before - but I guess I know what you mean). WCF does not use SSL (transport level) in the case you describe, but message level crypto.
There are certainly ways to do hosting specific tricks - but the concept of client certs should be baked into Web API itself. This is important for security scenarios.
From an OM point of view this logically belongs on HttpRequestMessage (in one or the other way).
Comments: SSL uses SSL certs (never heard the term layer 4 certs before - but I guess I know what you mean). WCF does not use SSL (transport level) in the case you describe, but message level crypto.