SSL in ASP.Net Web API


In this article, you will learn about the Secure Sockets Layer (SSL) in the ASP.NET Web API. In the Web API there are many authentication schemes that are not secure over the HTTP. There are two authentications, Basic Authentication and Form Authentication. Both are sent the unencrypted references. If you want to secure the authentication then you must use SSL.

Enable the SSL

We can enable the SSL from Visual Studio. To enable SSL, in the property window, there is s SSL Enabled property. Set this property to True. There is also generate the SSL URL in the property window.


Enforce the SSL in Web API

If both HTTPS and HTTP are available for accessing the site then the client can use HTTP. There are some resources that are allowed by you to be available through the HTTP. And the other resources require SSL. Now we use the action filter to require SSL, that is used for the protected resources.

Sample code

  1. public class Attribute : AuthorizationFilterAttribute  
  2. {  
  3.     public override void OnAuthorization(HttpActionContext actntext)  
  4.     {  
  5.         if (actntext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)  
  6.         {  
  7.             actntext.Response = new HttpResponseMessage(System.Net.HttpStatusCode.Forbidden)  
  8.             {  
  9.                 ReasonPhrase = "Need of HTTPS"  
  10.             };  
  11.         }  
  12.         else  
  13.         {  
  14.             base.OnAuthorization(actntext);  
  15.         }  
  16.     }  
  17. } 

Adding filter to Web API action

We use the namespace:

  1. using System.Web.Mvc;  
  2. public class ValuesController : ApiController  
  3. {  
  4.     // GET api/values  
  5.     [RequireHttps]  
  6.     public HttpResponseMessage Get() { ... }  
  7. } 

Client certificates of SSL client

If the server wants to authenticate the server to the client then it provides the certificate. And SSL provides the certificate by using the public key infrastructure certificates. This is not a common thing for the client to provide the certificate to the client, but it is the only one option for the authenticating clients. To use the client certificate with SSL, the signed certificate needs to be distributed to the users.


  • These certificate references are more powerful than username and password.

  • The SSL gives the purely secure channel with the authentication and message encryption.


  • you need to obtain and manage the PKI certificates.

  • The necessary requirement is that the client platform must support the SSL client certificate.

For configuring IIS to accept the client certificates, open the IIS manager. Perform the following steps.

  • Click the site node in the tree view.

  • Double-click on the SSL setting feature.

  • There is  a Client Certificates, now select one of these options:

You can add this option to the ApplicationHost.config file. This file is located in the "Documents" -> "IISExpress" -> "congif" -> "applicationhost.config".

  1. <system.webServer>  
  2.   <security>  
  3.     <access sslFlags="Ssl, SslNegotiateCert" />  
  4.   </security>  
  5. </system.webServer> 

There is a SslNegotiationCert, this is the flag that determines whether the IIS server will accept the Client certificate. If a certificate is necessary then we set the SslNegotiationCert flag.

Using client certificate in Web API

For using the client certificate we need to get the client certificate by invoking the method GetClientCertificate on the server side, that was generated on the request message. If no client certificate is available then it returns the null value. If it finds the client certificate then it returns an instance of X509Certificate2. We can use this instance to get the information from the certificate. And now use this information for the authentication.

  1. X509Certificate2 certificate = Request.GetClientCertificate();    
  2. string user = certificate.Issuer;    
  3. string sub = certificate.Subject;