Am I correct in understanding that a WCF Service could be set up with "Transport Security" + "Certificate Authentication" and without a "Client Certificate" installed client-side?
My scenario would be:
- WCF Services on Remote Server
- Windows Forms Client shipped potentially to hundreds of users (authenticates users (against DB) and performs actions over WCF service methods)
I want my messages encrypted over SSL, that is why I have selected the "Transport" method and I believe why I also need the server certificate.
I have followed a walkthrough which gave me all of the above but included the necessity of having a client certificate installed. If I am shipping this Windows Forms app to clients, how could they install the certificate if I was forced to require this? It really seems like I'm missing a big point here, as I would think installing a certificate on a user's machine would be quite a big ask.
PS. Potentially from what I am reading here, am I over-complicating my task at hand? Do I just need an SSL certificate installed into our web server and simply access the WCF service via HTTPS and possibly be able to just use basicHttpBinding? Effectively not needing to worry about 'certificate authentication' mechanisms?