Require SSL Client Certificate only for specific routes or controllers

I have figured out how to have Client Certificate only on some routes but when run in Azure Web App, the client cert is not being passed to the code. It is the same problem when running under IIS Express.

In this example, One controller needs no cert, the other two requires different certs. https://github.com/xavierjohn/ClientCertificateMiddleware

The certificate does get passed through if it is not run under IIS Express.

I've been trying to do the same thing, with exactly the same requirements as you.

I've come to the conclusion that it's not possible. My workaround is to use 2 WebHostBuilder objects - one for locations that don't need client certs, and one for those that do. This does have the downside that each IWebHost must listen on a different port, but from the scenario you describe I guess that's not a big issue.

I do this within the same process, so this solution fits that requirement.

I had the same issue with context.Connection.GetClientCertificateAsync(); it was always returning null. Then I noticed that I was running Kestrel thru IIS Express all the time.

So in Visual Studio from the Debuger toolbar I changed from IIS Express to my project. Kestrel was started as console application and I was able to get the client certificate.

I think that IIS Express does not support client certificates so the certificate was always ignored.

For the other part of the question; I think Kestrel dos not support this granularity that you are looking out of the box when using the HttpsConnectionFilterOptions. From the Kestrel Connection Filter Options source code the connection will be dropped if the client certificate is null. Maybe you can modify the source code for the HttpsConnectionFilterOptions and create your own filter from it. Then you can use the ClientCertificateValidation property to specify custom certificate validation method that will allow the connection when no client certificate is send.

Hope this helps.