SSL and .NET Remoting
Here are some lessons learned this week when I set up SSL on our development web server for our .NET remote server, hosted by IIS.
Our Windows Forms client uses a remote server hosted by IIS. We want to encrypt the data sent to and from this remote server.
I first went to Verisign's web site and got a 14 day trial certificate. I then did some research on what SSL is and how to use it. Ingo Rammer was kind enough to help with this research. Thanks Ingo. Most of the below is taken straight from Ingo.
SSL supports two different modes of operation: encryption and authentication. Encryption is the default and "always on" if you will. The most common way of using SSL for authentication is to use a server-side certificate so that the client can authenticate the server. Am I really talking to who I think I am talking to?
You can also use SSL to authenticate the *client*. In this case, the client also needs a certificate. The client can then send the certificate as a credential instead of using his username and password. In our case, we want to use the first mode of operation: a server-side certificate should ensure that the client is talking to the right server *and* SSL should be used to encrypt data. As soon as you use an HTTPS url, this automatically works.
The checkbox "Require Client Certificate" switches to the second mode: the use of client-side certificates to authenticate users. That's also the reason why you're getting HTTP 403 errors: simply because your server has now been configured to require a client-side certificate to be sent with the requests, but your client didn't send any (you'd have to manually add code for this). That's why the caller cannot be authenticated and therefore the call cannot be authorized.
But in any case: as soon as you use an HTTPS URL, you are running in "encrypted" mode. It's just that you use SSL only for encryption and not for client-side authorization.
When using the test cert from Verisign, install the CA root on each client machine you plan to test from. Some kinds of trial certificates are only valid if the client accepts (and installs) a specific CA certificate. This will usually not be a problem with a real certificate, because then the root CA is already known to the client (Internet Explorer ships with a number of root CA certificates). Before the CA root was installed on all client machines, some worked and some got a "The underlying connection was closed: Could not establish trust relationship with remote server." error. Installing the test CA root on the client machines in question resolved this.
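As an added example (not code from this post or from Ingo), here is a .NET remoting client that uses an HTTPS URL for encryption and server authentication only, and, when the trust check fails, prints the certificate chain status so a missing CA root shows up as UntrustedRoot instead of just the generic "Could not establish trust relationship" error. The interface IOrderService and the server URL are assumptions; the callback keeps the framework's verdict, so an untrusted server is still rejected.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;
using System.Security.Cryptography.X509Certificates;

// Hypothetical remote interface; the real server's interface goes here.
public interface IOrderService
{
    string Ping();
}

static class RemotingSslClient
{
    // Placeholder URL; replace with the real IIS-hosted remoting endpoint.
    const string ServerUrl = "https://devserver.example.com/OrderService.rem";

    // Diagnostic callback: explains why trust failed (for example, the test
    // CA root is not installed on this machine) without changing the result.
    static bool ExplainTrust(object sender, X509Certificate cert,
                             X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        Console.WriteLine("Server certificate: " + cert.Subject);
        Console.WriteLine("Policy errors: " + errors);
        foreach (X509ChainStatus s in chain.ChainStatus)
            Console.WriteLine("  chain status: " + s.Status + " - " + s.StatusInformation);
        foreach (X509ChainElement e in chain.ChainElements)
            Console.WriteLine("  chain element issued by: " + e.Certificate.Issuer);
        // UntrustedRoot means the issuing CA's root certificate must be
        // installed in the client's Trusted Root store; validation stays strict.
        return false;
    }

    static void Main()
    {
        ServicePointManager.ServerCertificateValidationCallback = ExplainTrust;

        // An HTTPS URL is all that is needed for encryption and server
        // authentication; no client certificate is configured or sent.
        IChannel channel = new HttpClientChannel();
        ChannelServices.RegisterChannel(channel, false);
        IOrderService svc = (IOrderService)Activator.GetObject(typeof(IOrderService), ServerUrl);
        Console.WriteLine(svc.Ping());
    }
}
```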