We are designing a client authentication system around (self-issued) certificates where we want a three-level hierarchy:
1) Root CA (our own)
2) Intermediate Certificate
3) Device/Client Certificate
We only want to install the Root CA on the Server(s) for a variety of reasons (potentially large # and changing set of Intermediate Certificates being the main one).
We are able to make this work with IIS 10 / ASP.Net, presumably because the clients send the entire certificate chain in the standard TLS client auth handshake as per RFC5246 7.4.6 / 7.4.2, and IIS considers the certificate valid even without the missing Intermediate Certificate.
Problem: We would like to do custom validation on the Intermediate Certificates and have not been able to find a way to access the certificate chain that is sent by the clients.
Question: Is there any way to access the client cert chain provided in the TLS handshake in ASP.Net? Can this be done with any other handler/module?
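As an added example (not part of the question, and not IIS behaviour), the following C# shows one place in ASP.NET Core where application code is handed the chain built from the handshake: Kestrel's `ClientCertificateValidation` callback, which receives the leaf certificate, the `X509Chain` that SslStream built from it plus the client-sent intermediates, and the policy errors. The callback rebuilds the chain against only our own root (`X509ChainTrustMode.CustomRootTrust`, .NET 5+), takes the intermediate from the client-supplied chain rather than from the server's certificate store, and then applies a custom check to that intermediate. Assumptions: the app is hosted on Kestrel (when IIS terminates TLS this callback is never invoked), the root is loaded from the placeholder path `/path/to/our-root.cer`, revocation is handled elsewhere, and the naming rule in `IntermediatePolicy` is a constructed stand-in for whatever custom validation is wanted.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Https;

// Wiring: Kestrel hands (leaf, chain, errors) to our validator for every client handshake.
// This is a Kestrel feature; it does not run when IIS performs the TLS handshake.
var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(kestrel => kestrel.ConfigureHttpsDefaults(https =>
{
    https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
    https.ClientCertificateValidation = ClientChainValidator.Validate;
}));
var app = builder.Build();
app.MapGet("/", ctx => ctx.Response.WriteAsync("client certificate accepted"));
app.Run();

public static class ClientChainValidator
{
    // The only trust anchor we accept; intermediates are deliberately NOT installed on the server.
    // Placeholder path, replace with the real location of the root certificate.
    private static readonly X509Certificate2 OurRoot = new X509Certificate2("/path/to/our-root.cer");

    // Matches Func<X509Certificate2, X509Chain?, SslPolicyErrors, bool> expected by Kestrel.
    public static bool Validate(X509Certificate2 leaf, X509Chain? handshakeChain, SslPolicyErrors errors)
    {
        // Rebuild the chain ourselves so trust is limited to OurRoot regardless of what the machine store holds.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(OurRoot);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: revocation checked elsewhere
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        // Source the intermediate(s) from what the client sent in the handshake. SslStream places the
        // received certificates in the handshake chain's ExtraStore and, once built, in its ChainElements;
        // copy both so the rebuild can find the intermediate without it being installed locally.
        if (handshakeChain != null)
        {
            chain.ChainPolicy.ExtraStore.AddRange(handshakeChain.ChainPolicy.ExtraStore);
            foreach (X509ChainElement element in handshakeChain.ChainElements)
            {
                if (!element.Certificate.RawData.SequenceEqual(leaf.RawData))
                    chain.ChainPolicy.ExtraStore.Add(element.Certificate);
            }
        }

        if (!chain.Build(leaf))
            return false; // signature, validity period or path problems: reject

        // Enforce exactly the three-level shape: device -> intermediate -> our root.
        if (chain.ChainElements.Count != 3)
            return false;
        if (!chain.ChainElements[2].Certificate.RawData.SequenceEqual(OurRoot.RawData))
            return false;

        X509Certificate2 intermediate = chain.ChainElements[1].Certificate;
        return IntermediatePolicy(intermediate);
    }

    // The custom validation on the intermediate that the question asks for. The rule below is a
    // constructed example (a CN naming convention); substitute the organisation's real policy.
    private static bool IntermediatePolicy(X509Certificate2 intermediate)
    {
        string cn = intermediate.GetNameInfo(X509NameType.SimpleName, forIssuer: false);
        bool namedAsFleetIssuer = cn.StartsWith("Fleet-", StringComparison.Ordinal);

        // Require the CA basic constraint on the intermediate so a leaf cannot masquerade as an issuer.
        bool isCa = intermediate.Extensions
            .OfType<X509BasicConstraintsExtension>()
            .Any(ext => ext.CertificateAuthority);

        return namedAsFleetIssuer && isCa;
    }
}
```

Rebuilding the chain rather than trusting the `SslPolicyErrors` value alone is the important design choice: it pins trust to the single root the server was meant to hold, makes the expected depth explicit, and gives the validator a concrete `X509Certificate2` for the intermediate to apply policy to. A rejected handshake surfaces to the client as a TLS alert, so log the reason inside `Validate` if you need to troubleshoot enrolment problems.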