IIS Hosted .Net WebAPI is using Mutual TLS (MTLS). I need to verify the request signing process. WebAPI is used to exchange message between two systems secured with oAuth (Bearer token authentication) and MTLS. Suppose IIS hosted url looks like this: www.webapi.com/api/v1/sendmessage Client has a valid client certificate for MTLS. Client Sends request payload: (XML or JSON payload) Client Receives response: (XML or JSON) How to verify request payload signing? is it a code level and I have trace/log it in file or something? or we can configure it in IIS? If using request signing, can we also do response signing? The purpose of signing is to exchange untampered message between two systems, so I guess Certificate Verification process in MTLS handles it automatically, am I correct? How to verify and confirm the request is signed and using MTLS.

How to verify request signing with IIS

Piyush Meshram 1

IIS Hosted .Net WebAPI is using Mutual TLS (MTLS). I need to verify the request signing process.

WebAPI is used to exchange message between two systems secured with oAuth (Bearer token authentication) and MTLS.

Suppose IIS hosted url looks like this: www.webapi.com/api/v1/sendmessage
Client has a valid client certificate for MTLS.

Client Sends request payload: (XML or JSON payload)
Client Receives response: (XML or JSON)

How to verify request payload signing? is it a code level and I have trace/log it in file or something? or we can configure it in IIS?
If using request signing, can we also do response signing?
The purpose of signing is to exchange untampered message between two systems, so I guess Certificate Verification process in MTLS handles it automatically, am I correct?
How to verify and confirm the request is signed and using MTLS.

Lex Li (Microsoft) 4,742 Reputation points Microsoft Employee

2021-08-04T05:39:05.603+00:00

MTLS conversations happen in network layer, so your C# code in application layer has no chance to know the details.