![](https://static.wixstatic.com/media/0f65e1_7848ee19b1f3462783e1bf1dc95cf25c~mv2.png/v1/fill/w_49,h_28,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_7848ee19b1f3462783e1bf1dc95cf25c~mv2.png)
Certificate-based authentication is the use of a Digital Certificate to identify a user, machine, or device before granting access to a resource, network, application, etc.
Let’s look at an example.
Create a certificate
Using Windows PowerShell, I am generating a simple self-signed certificate for testing.
This generates a certificate in the current directory.
```shell
dotnet dev-certs https -ep dev_cert.pfx -p 1234
```
Create web API
Create a Web API app with the following command.
```shell
dotnet new webapi -o CerificateAuth
```
Add the required NuGet package.
```shell
dotnet add package Microsoft.AspNetCore.Authentication.Certificate
```
Program.cs
Open Program.cs and make the following changes.
![Program.cs changes](https://static.wixstatic.com/media/0f65e1_f3b22e7ae0fd4611a14f5b42b7eafb12~mv2.png/v1/fill/w_47,h_12,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_f3b22e7ae0fd4611a14f5b42b7eafb12~mv2.png)
This configures Kestrel to require a client certificate before it allows any further communication.
Certificate Validation
Add a class that performs the certificate validation, and add the following method to it.
![Certificate validation](https://static.wixstatic.com/media/0f65e1_9fb12ee06e114cb7bd73de54a1208399~mv2.png/v1/fill/w_47,h_15,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_9fb12ee06e114cb7bd73de54a1208399~mv2.png)
Note: In production, the certificate should be read from a secure vault.
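As an added example (this is not the code shown in the author's screenshot), here is one way to write that validation class: it pins the presented client certificate to the thumbprint of the dev_cert.pfx generated earlier and rejects certificates outside their validity period. The PFX path and password are assumed from the test setup above; the class name matches the one the authentication extension resolves.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Example validation service (added here, not the article's own code).
// Register it with services.AddSingleton<CertificateValidationService>() so the
// OnCertificateValidated event can resolve it from RequestServices.
public class CertificateValidationService
{
    private readonly string _expectedThumbprint;

    // Assumed for the test setup: the self-signed dev_cert.pfx with password 1234.
    // In production the PFX and its password come from a secure vault, not constants.
    public CertificateValidationService(string pfxPath = "dev_cert.pfx", string pfxPassword = "1234")
    {
        // Load once at startup; only the thumbprint is kept for comparison.
        using var expected = new X509Certificate2(pfxPath, pfxPassword);
        _expectedThumbprint = expected.Thumbprint;
    }

    public bool ValidateCertificate(X509Certificate2 clientCertificate)
    {
        if (clientCertificate == null)
            return false;

        // Reject expired or not-yet-valid certificates regardless of thumbprint.
        var now = DateTime.Now;
        if (now < clientCertificate.NotBefore || now > clientCertificate.NotAfter)
            return false;

        // Accept only the one pinned certificate (thumbprints are hex strings).
        return string.Equals(
            clientCertificate.Thumbprint,
            _expectedThumbprint,
            StringComparison.OrdinalIgnoreCase);
    }
}
```

Pinning a single thumbprint is fine for a test; with a real CA-issued client certificate you would validate the chain and map subject or SAN values to claims instead.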
Authentication Extension
Add an extension class to configure authentication.
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.Extensions.DependencyInjection;

public static class AuthenticationExtension
{
    public static void ConfigureAuthetication(this IServiceCollection services)
    {
        services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
            .AddCertificate(options =>
            {
                // Revocation checking is disabled and self-signed certificates are
                // accepted because this test uses a self-signed dev certificate.
                // In production, use X509RevocationMode.Online and CertificateTypes.Chained.
                options.RevocationMode = X509RevocationMode.NoCheck;
                options.AllowedCertificateTypes = CertificateTypes.All;
                options.Events = new CertificateAuthenticationEvents
                {
                    OnCertificateValidated = context =>
                    {
                        // Resolve our validation service from the request's DI container.
                        var validationService = context.HttpContext.RequestServices
                            .GetService<CertificateValidationService>();
                        if (validationService != null &&
                            validationService.ValidateCertificate(context.ClientCertificate))
                        {
                            Console.WriteLine("Success");
                            context.Success();
                        }
                        else
                        {
                            Console.WriteLine("invalid cert");
                            context.Fail("invalid cert");
                        }
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddAuthorization();
    }
}
```
In this example, we are simply validating the certificate and returning success. After successful validation, we could also extract claims from the certificate.
Startup.cs
Finally, we add the required code in Startup.cs.
![Startup.cs changes](https://static.wixstatic.com/media/0f65e1_bb61625919124089a40fe74600fceba1~mv2.png/v1/fill/w_47,h_25,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_bb61625919124089a40fe74600fceba1~mv2.png)
Controller
We also have to add the [Authorize] attribute to the controllers that require it.
![Controller changes](https://static.wixstatic.com/media/0f65e1_2c3f9aa544284bc79b48b4c22a119d39~mv2.png/v1/fill/w_47,h_8,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_2c3f9aa544284bc79b48b4c22a119d39~mv2.png)
We are done with the API changes.
Let’s build and run it to make sure there are no build errors.
Create client
Create a console app with the following command.
```shell
dotnet new console -o CerificateAuthClient
```
Then add the following code:
![](https://static.wixstatic.com/media/0f65e1_b84fcbbdda7f4e3baeb93c612efcb72c~mv2.png/v1/fill/w_80,h_34,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_b84fcbbdda7f4e3baeb93c612efcb72c~mv2.png)
It is a simple HttpClient-based client that calls the API with the certificate attached.
When we run the client, we get the following result.
![](https://static.wixstatic.com/media/0f65e1_e7af6039bbcd418b87a81b617a920724~mv2.png/v1/fill/w_47,h_13,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_e7af6039bbcd418b87a81b617a920724~mv2.png)
We get the response back.
Test With Postman
Make sure your API is running.
First, add the certificate to Postman: go to Settings -> Certificates, select Add Certificate, and fill in the required information as shown below.
![](https://static.wixstatic.com/media/0f65e1_044d203a65cb49e48c8ea9c45a9435e8~mv2.png/v1/fill/w_49,h_28,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_044d203a65cb49e48c8ea9c45a9435e8~mv2.png)
Once the certificate is added, we can call our API.
![](https://static.wixstatic.com/media/0f65e1_28ea79f1dbb74691aa76d25c489346d6~mv2.png/v1/fill/w_47,h_16,al_c,q_85,usm_0.66_1.00_0.01,blur_2,enc_auto/0f65e1_28ea79f1dbb74691aa76d25c489346d6~mv2.png)
We can see the result: the response comes back successfully.
You can find the full source code on GitHub.
Summary
This is just a simple example; of course, we can achieve more with certificate-based authentication.
Source: Medium - Nitesh Singhal
The Tech Platform