Hi All,
I have a WebApi application which is going to be contacted by client with an X509 certificate.
We are waiting for some extra info from the customer's security people.
Meanwhile, generally speaking, I wonder:
I am able to get the certificate on my server (proved to be easy: Request.GetClientCertificate()), then:
1. what do I do with it?
(I'd like to find the user from the certificate specific to his device and, of course, "validate" the certificate, whatever that entails)
2. How is that more secure than login/password? Can't someone steal a certificate and then reuse it on their own device?
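As an added illustration of the two steps the question asks about (not code from the original post or from the poster's application), here is an ASP.NET Web API 2 message handler that validates the client certificate and maps it to an enrolled user. It assumes .NET Framework 4.6 or later, that the customer's root CA is installed in the machine's Trusted Root store, and a hypothetical IDeviceUserStore interface standing in for the application's own device-enrollment table; the thumbprint string passed to the constructor is a placeholder.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical lookup against the application's own user/device registry,
// keyed on the certificate thumbprint recorded when the device was enrolled.
public interface IDeviceUserStore
{
    // Returns the user name for an enrolled device certificate, or null if unknown.
    string FindUserByThumbprint(string thumbprint);
}

// Runs before the controllers: rejects requests whose client certificate is
// missing, fails chain validation, or was not issued under the expected CA,
// and otherwise sets the request principal to the user mapped to that certificate.
public sealed class ClientCertificateHandler : DelegatingHandler
{
    private const string ClientAuthEkuOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    private readonly IDeviceUserStore _users;
    private readonly string _expectedRootThumbprint;

    // expectedRootThumbprint: thumbprint of the customer's root CA (assumed to be
    // installed in the machine's Trusted Root store so X509Chain can build to it).
    public ClientCertificateHandler(IDeviceUserStore users, string expectedRootThumbprint)
    {
        _users = users;
        _expectedRootThumbprint = expectedRootThumbprint;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null)
            return request.CreateResponse(HttpStatusCode.Unauthorized, "Client certificate required.");

        string reason;
        if (!IsAcceptable(cert, _expectedRootThumbprint, out reason))
        {
            // Log 'reason' server-side; do not echo chain details back to the caller.
            return request.CreateResponse(HttpStatusCode.Forbidden, "Client certificate rejected.");
        }

        // Map by thumbprint rather than subject name: the subject is whatever the
        // issuer put in it, the thumbprint identifies exactly the enrolled certificate.
        string user = _users.FindUserByThumbprint(cert.Thumbprint);
        if (user == null)
            return request.CreateResponse(HttpStatusCode.Forbidden, "Certificate not enrolled.");

        var identity = new GenericIdentity(user, "X509");
        request.GetRequestContext().Principal = new GenericPrincipal(identity, new string[0]);
        return await base.SendAsync(request, cancellationToken);
    }

    // Validates the chain (signatures, validity period, revocation, client-auth EKU),
    // then checks that it ends at the specific CA we expect rather than at any root
    // the operating system happens to trust.
    public static bool IsAcceptable(X509Certificate2 cert, string expectedRootThumbprint, out string reason)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(ClientAuthEkuOid));

            if (!chain.Build(cert))
            {
                var problems = new StringBuilder();
                foreach (X509ChainStatus status in chain.ChainStatus)
                    problems.Append(status.Status).Append(": ").Append(status.StatusInformation.Trim()).Append("; ");
                reason = "Chain build failed: " + problems;
                return false;
            }

            X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!string.Equals(root.Thumbprint, expectedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            {
                reason = "Certificate chains to an unexpected root: " + root.Subject;
                return false;
            }
        }

        reason = null;
        return true;
    }
}
```

Register it once in WebApiConfig with config.MessageHandlers.Add(new ClientCertificateHandler(store, "ROOT-CA-THUMBPRINT-PLACEHOLDER")), and configure IIS to require (not merely accept) client certificates on the site, otherwise GetClientCertificate() returns null for every request. Two design points: the chain build is only half of "validate", the root check is what ties acceptance to the customer's CA instead of any CA the OS trusts; and the thumbprint lookup is what turns an arbitrary valid certificate into a specific enrolled device, so an unregistered certificate from the same CA is still refused.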