We have a C# .NET HTTP handler that we are trying to secure by using X509 certificates that are shared between our structure servers and a customer's workstations. However, there is relatively little documentation on how to handle X509 cert authentication at the code level. The client's cert will be attached to the web request, and the server's certs will be in the local store, so assumedly getting both of these certs will not be a huge problem. However, what data points should we be looking for, and in what relations, to make sure that the client's cert is valid? I've perused the life cycle for public-private key authentication associated with X509, but I've found no way to handle all of the steps cleanly in .NET. Any help?