I am a little new to WCF and web security, so I would be very grateful for a clear explanation of the following concepts:
I understand that if I want to create a secure connection to a website, I need to have an SSL certificate from a trusted authority, for example Verisign, Thawte, etc.
Now I am writing a SaaS application with a central web service and a number of client applications that connect to the central web service. I want to provide a secure connection between the client and the server, so I have an SSL certificate on my server.
But WCF now comes with this concept of a "client certificate", which seems to be required to validate my server-side certificate and which I don't fully understand. The client will be downloaded by some anonymous guy halfway around the world. I have no idea what certificates will or will not be installed on it - and I do not care! All I want is security between the client and the server. Should I somehow install my own certificate on the client?
Can someone explain these concepts to me?
(And while you are at it, I have a related question here with a bounty on it.)
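For reference, the distinction the question turns on can be seen in WCF binding configuration. This is an added example, not configuration from the question or from any answer: with `mode="Transport"` the server presents its SSL certificate and the client needs nothing installed beyond trust in the issuing CA; only `clientCredentialType="Certificate"` would require a certificate on the client. The binding names and the endpoint address are made up for illustration.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Server-authenticated TLS only: the server's certificate is validated by the client
           against its trusted root store; the client presents no certificate of its own. -->
      <binding name="ServerTlsOnly">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>

      <!-- Mutual TLS: in addition to the above, the client must present a certificate that
           the server trusts. This is the setting that would require installing a certificate
           on each client, and it is not needed merely to get an encrypted channel. -->
      <binding name="MutualTls">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

  <services>
    <!-- Hypothetical service using the server-only binding; the address is a placeholder. -->
    <service name="Example.CentralService">
      <endpoint address="https://example.invalid/CentralService"
                binding="wsHttpBinding"
                bindingConfiguration="ServerTlsOnly"
                contract="Example.ICentralService" />
    </service>
  </services>
</system.serviceModel>
```

With the `ServerTlsOnly` binding, the only check the client performs is the standard chain validation of the server certificate, so a certificate from a public CA on the server is sufficient and nothing has to be deployed to the clients.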