using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Https;
using System.Security.Claims;
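var builder = WebApplication.CreateBuilder(args);

// Client-certificate (mutual TLS) authentication.
//
// The relaxed settings (self-signed certificates allowed, no revocation check, any
// certificate accepted) apply only in the Development environment. In every other
// environment the handler requires a CA-issued certificate, checks revocation, and
// accepts only certificates whose SHA-256 fingerprint is listed in configuration.
// A certificate that merely chains to a trusted root proves who issued it, not that
// this particular client is allowed to use the application.
var relaxedCertificateChecks = builder.Environment.IsDevelopment();

// Constructed configuration key (not part of the original sample): an array of SHA-256
// certificate fingerprints written as hex without separators, for example
//   "ClientCertificates": { "AllowedSha256Fingerprints": [ "<SHA-256 fingerprint, hex>" ] }
// An empty list outside Development rejects every certificate (fail closed).
var allowedFingerprints = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
foreach (var entry in builder.Configuration
             .GetSection("ClientCertificates:AllowedSha256Fingerprints")
             .GetChildren())
{
    if (!string.IsNullOrWhiteSpace(entry.Value))
    {
        allowedFingerprints.Add(entry.Value.Trim());
    }
}

builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        // Self-signed certificates are only acceptable on a developer machine.
        options.AllowedCertificateTypes = relaxedCertificateChecks
            ? CertificateTypes.All
            : CertificateTypes.Chained;

        // Without a revocation check a revoked (for example stolen) certificate keeps working.
        options.RevocationMode = relaxedCertificateChecks
            ? System.Security.Cryptography.X509Certificates.X509RevocationMode.NoCheck
            : System.Security.Cryptography.X509Certificates.X509RevocationMode.Online;

        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                var cert = context.ClientCertificate;

                if (!relaxedCertificateChecks)
                {
                    // Pin to known certificates; the fingerprint is public data, so an
                    // ordinary case-insensitive set lookup is sufficient here.
                    var fingerprint = cert.GetCertHashString(
                        System.Security.Cryptography.HashAlgorithmName.SHA256);

                    if (!allowedFingerprints.Contains(fingerprint))
                    {
                        context.Fail("Certificado inválido.");
                        return Task.CompletedTask;
                    }
                }

                // Both claims are copied from the client's certificate: Name is the full
                // subject string, "Thumbprint" is the value of X509Certificate2.Thumbprint.
                var claims = new[]
                {
                    new Claim(ClaimTypes.Name, cert.Subject),
                    new Claim("Thumbprint", cert.Thumbprint)
                };

                context.Principal = new ClaimsPrincipal(
                    new ClaimsIdentity(claims, context.Scheme.Name));
                context.Success();
                return Task.CompletedTask;
            },
            OnAuthenticationFailed = context =>
            {
                // The caller gets a generic message only; the underlying error is available
                // on context.Exception for server-side logging.
                context.Fail("Certificado inválido.");
                return Task.CompletedTask;
            }
        };
    });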
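builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();

// Kestrel configuration, Development only.
//
// The check is IsDevelopment() rather than !IsProduction(): the latter is also true for
// Staging and for any custom environment name, which would carry the accept-everything
// TLS callback below onto shared or internet-facing hosts.
if (builder.Environment.IsDevelopment())
{
    builder.WebHost.ConfigureKestrel(options =>
    {
        options.ConfigureHttpsDefaults(httpsOptions =>
        {
            // The TLS handshake fails unless the client presents a certificate.
            httpsOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

            // Accepts every certificate at the TLS layer, ignoring chain and policy errors,
            // so that self-signed development certificates can connect. This callback
            // performs no validation at all; any checking is left to the certificate
            // authentication handler and only applies to endpoints that require
            // authorization.
            httpsOptions.ClientCertificateValidation = (cert, chain, errors) => true;
        });
    });
}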
// Build the application and assemble the request pipeline. Middleware runs in the order
// it is registered here, so the order of the calls below is significant.
var app = builder.Build();
// Redirect plain-HTTP requests to HTTPS.
app.UseHttpsRedirection();
// NOTE(review): static files are registered before authentication/authorization, so they
// appear to be served without passing through the [Authorize] checks — confirm that
// nothing sensitive is placed under the static files root.
app.UseStaticFiles();
app.UseRouting();
// Authentication is registered before authorization so that the principal built by the
// certificate handler is available when authorization policies are evaluated.
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
// Controller
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
/// <summary>
/// Shows the subject of the client certificate presented on the current connection.
/// The whole controller requires an authenticated user.
/// </summary>
[Authorize]
public class CertificadoController : Controller
{
    /// <summary>
    /// Reads the client certificate from the connection and reports its subject.
    /// </summary>
    /// <returns>
    /// A content result with the certificate subject, or a message saying that no
    /// certificate was received.
    /// </returns>
    public IActionResult Index()
    {
        // The certificate is read from the connection, not from the authenticated
        // principal; its subject is text supplied by the client's certificate.
        var clientCertificate = HttpContext.Connection.ClientCertificate;

        return clientCertificate is null
            ? Content("Nenhum certificado recebido.")
            : Content($"Certificado recebido: {clientCertificate.Subject}");
    }
}
//web config
<configuration>
<system.webServer>
<security>
<!--
  sslFlags: "Ssl" requires HTTPS for the site and "SslRequireCert" makes IIS require a
  client certificate on every request.
  NOTE(review): this section is often locked at server level (applicationHost.config) and
  may need to be unlocked before a web.config override takes effect; confirm on the
  target server.
  IIS requiring a certificate only establishes that one was presented and accepted by the
  server; deciding which certificates may use the application is still up to the
  application's own certificate validation.
-->
<access sslFlags="Ssl, SslRequireCert" />
</security>
</system.webServer>
</configuration>
// launch settings
{
"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:5090",
"sslPort": 44390
}
},
"profiles": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"launchUrl": "certificado",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
},
"SeuProjeto.Web": {
"commandName": "Project",
"dotnetRunMessages": true,
"launchBrowser": true,
"applicationUrl": "https://localhost:5001;http://localhost:5000",
"launchUrl": "certificado",
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
}
}
}
}