Our ASP.NET webapi application is hosted on IIS 8 and requires SSL as well as client certificates. As expected it is protected with a server certificate and any incoming requests must carry a valid client certificate.
Our IT manager created a root CA for the company, which then issued the server and client certificates. Everything works as expected and access is allowed if the request contains a client certificate with the private key, but not if it contains a certificate without the private key (403 Forbidden is returned).
As far as my understanding, that is as it should be, since part of the SSL handshake appears to be for the server to encrypt a token with its public key and see if the client certificate can decrypt it with its private key.
Out IT Manager says the private-key client certificate should only be necessary for browser-based access, but not direct webapi access. He is rightly cautious in not giving out the private key unless necessary, but it appears we must give the private-key certificate to our client who will access the api.
Given all this, is there a way to configure IIS (and/or a webapi application hosted on it) to work with client certificates that do NOT include a private key? Or am I correct in thinking that we need to give our client a certificate that includes the private key? Perhaps it's not a question of IIS configuration but one of configuring the server and client certificate when generating them to fore go private key usage?