I have an IIS set up to only accept client connections with an SSL certificate. I have a WCF service running on IIS. I have a Certification Authority in the server's trusted CA
Yes, IIS validates the client certificate for mutual authentication; you don't have to check it in your web service code.
Check this article; it will make it clearer.
If you configured IIS to demand mutual HTTPS (SSL with client certificates), IIS / http.sys is responsible for validating the certificate, and the client certificate must either be in the Trusted People store or be issued by a trusted CA. The certificate is validated during the security handshake that establishes the SSL connection. When IIS is used to host a WCF service, this validation is done outside of WCF (in the case of self-hosting you can use custom certificate validation).
If you want to restrict access to the service to only a limited subset of clients (those with certificates issued by a single CA), you should move this requirement from authentication (validating the certificate) to authorization = a custom AuthorizationPolicy in your WCF service where you validate that the certificate was issued by the correct CA = the client is authorized to call your service.
Trusted issuers can also be configured at the system level with netsh - check sslctlidentifier and sslctlstorename. This configuration will be global for the whole port (web site), so if you have multiple web applications or services with different requirements hosted on the same port, this will not be an option for you.
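One way to implement the authorization step this answer describes, as an added example that is not the answer's own code: instead of an IAuthorizationPolicy (which can only add claims), it uses a ServiceAuthorizationManager, the WCF hook whose CheckAccessCore return value allows or denies the call, and checks that the client certificate IIS already validated chains up to one specific CA. The CA thumbprint, the class name and the assembly name in the config comment are assumed placeholders.

```csharp
using System;
using System.IdentityModel.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example: deny any caller whose (IIS-validated) client certificate was
// not issued by our own CA. Returning false from CheckAccessCore makes WCF
// reject the call with an access-denied fault.
public sealed class IssuerRestrictedAuthorizationManager : ServiceAuthorizationManager
{
    // Assumed placeholder: SHA-1 thumbprint of the CA allowed to issue client
    // certificates. Match on the thumbprint rather than the issuer name, since
    // any other trusted CA could use the same subject name.
    private const string AllowedCaThumbprint = "0000000000000000000000000000000000000000";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        X509Certificate2 clientCert = GetClientCertificate(operationContext);
        if (clientCert == null)
            return false; // no certificate claim at all: deny

        return IssuedByAllowedCa(clientCert);
    }

    // The transport-level client certificate appears as an X509CertificateClaimSet
    // in the AuthorizationContext WCF builds from the IIS security context.
    private static X509Certificate2 GetClientCertificate(OperationContext ctx)
    {
        foreach (ClaimSet cs in ctx.ServiceSecurityContext.AuthorizationContext.ClaimSets)
        {
            var x509 = cs as X509CertificateClaimSet;
            if (x509 != null) return x509.X509Certificate;
        }
        return null;
    }

    // Rebuild the chain and accept only if the allowed CA is one of the issuers
    // (direct or intermediate). Revocation is skipped here because IIS/http.sys
    // already performed trust and revocation checking during the handshake.
    private static bool IssuedByAllowedCa(X509Certificate2 clientCert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(clientCert)) return false;
        for (int i = 1; i < chain.ChainElements.Count; i++) // element 0 is the leaf
        {
            if (string.Equals(chain.ChainElements[i].Certificate.Thumbprint,
                              AllowedCaThumbprint, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
// Register in web.config under <serviceBehaviors><behavior> (assembly name assumed):
// <serviceAuthorization serviceAuthorizationManagerType="IssuerRestrictedAuthorizationManager, MyServiceAssembly" />
```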