Home/ Questions/Q 8987901
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T21:54:05+00:00

I have a custom X509CertificateValidator that currently validates a series of rules against a

  • 0

I have a custom X509CertificateValidator that currently validates a series of rules against a certificate presented for a WCF SOAP message.

There is a requirement to check the CN name on the certificate against the domain the certificate is being presented by, but I’m not aware that I have access to the request from within the X509CertificateValidator.

Is there any way to check that the certificate matches the request domain?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I haven’t found any way to do this from within the X509CertificateValidator, but it is possible within the service.

    Here is my first cut – I will be refining it to make it more elegant, but this works.

        private static void ValidateRequestIsFromCertificateDomain()
    {
        RemoteEndpointMessageProperty endpointProperty = OperationContext.Current.IncomingMessageProperties[RemoteEndpointMessageProperty.Name] as RemoteEndpointMessageProperty;
        var claimSet = OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets[0] as X509CertificateClaimSet;

        string domain = claimSet.X509Certificate.GetNameInfo(X509NameType.DnsName, false);
        var resolvedAddress = System.Net.Dns.GetHostAddresses(domain);

        if (resolvedAddress.Count() == 0 || endpointProperty.Address != resolvedAddress[0].ToString())
        {
            throw new SecurityException("Client address mismatch");
        }
    }

    This isn’t really required because the client encrypts data with its private key that can only be decrypted with its public key – so you know the certificate is being presented by the real client.

    However, if you are given this as an integration requirement as I have been, this may be useful to you.

    • 0