The title says it all.
There are certainly ways to do hosting-specific tricks - but the concept of client certs should be baked into Web API itself. This is important for security scenarios.
From an OM point of view this logically belongs on HttpRequestMessage (in one way or another).
Comments: OK, it's now evidently possible for a WCF service, hosted in IIS or otherwise, to directly work with SSL client certs - i.e. those exchanged in the SSL handshake message. It's been possible for years to use message-layer, ws-security-style client certs exchanged as opaque bytes in the SSL **application-data** (not handshake) PDUs. It would be interesting to know which case the sample is doing. It's evidently NOW POSSIBLE to verify **self-signed** SSL-handshake client certs using WCF libraries ... __without__ pre-registering them (or their roots) in the server's cert stores. http://support.microsoft.com/kb/2480671 Of course, there is a HUGE difference in size between an SSL handshake with a client cert (small) when talking to a webapi restful endpoint vs a ws-security-style client authentication message (huge). The reason this sample was interesting was because of this size issue... and it begged the question: had someone figured that one had to have light-weight client cert support (when talking to restful, guarded APIs)? If so... SSL handshakes were necessary.