Question

I have a WCF application that is configured for transport security only. The web server hosting that application has an SSL cert installed for that app.

A customer is building their own client to consume the WCF services. Their development team is insisting that they need me to provide them with the SSL cert to be installed on their side.

This doesn't make sense to me. Why would they need me to export my cert and provide it to them? With transport security, doesn't it work just like a browser does where the connection simply goes over HTTPS without extra work on the client?

Before I tell them that they are wrong, I want to make sure I am right.


Solution

I created a sample application for the scenario, and it is not necessary for the consuming client to include a certificate (given that configurations similar to those below are used).

WCF service with Transport security only

Bindings

<wsHttpBinding>
  <binding name="wsHttpBindingConfiguration" receiveTimeout="00:10:00" sendTimeout="10.00:00:00" maxBufferPoolSize="1073741824" maxReceivedMessageSize="1073741824">
    <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
    <security mode="Transport">
      <transport clientCredentialType="None"></transport>
    </security>
  </binding>
</wsHttpBinding>

The configuration of the service endpoints

<service behaviorConfiguration="noClientCertBehavior" name="WCFCallbackTry.Service1">
  <endpoint address="https://machineName:8056/Service1.svc" bindingConfiguration="wsHttpBindingConfiguration" binding="wsHttpBinding"
    contract="WCFCallbackTry.IService" name="HttpsEndPoint" />
  <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
  <host>
    <baseAddresses>
      <add baseAddress="https://machineName:8056/Service1.svc"/>
    </baseAddresses>
  </host>
</service>

Service Behavior

<behavior name="noClientCertBehavior">
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <serviceMetadata httpsGetEnabled="true"/>
  <serviceCredentials>
    <serviceCertificate findValue="9d4c41cde9d2b82d751a1234fd2eb6df98d3b576" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint"/>
  </serviceCredentials>
</behavior>

Client

Bindings and endpoint

<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="HttpsEndPoint">
        <security mode="Transport">
          <transport clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://machineName:8056/Service1.svc" binding="wsHttpBinding"
      bindingConfiguration="HttpsEndPoint" contract="ServiceReference1.IService"
      name="HttpsEndPoint" />
  </client>
</system.serviceModel>

Also refer to the link for more information on different configurations.

Note: Client and Service reside on the same machine.
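The same client-side setup expressed in code, as an added example that is not part of the answer above or of the sample project it describes. It builds the binding from the client configuration shown (Transport mode, clientCredentialType="None") without ever loading a certificate, and, for contrast, shows the only case in which the customer's team would configure a certificate on their side: mutual TLS with clientCredentialType="Certificate", where the certificate they load is their own client certificate, never the service's. The contract `IService` with a `GetData` operation, the endpoint URL and the thumbprint value are assumed placeholders, not taken from the page.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Assumed contract shape; the page only names ServiceReference1.IService.
[ServiceContract]
public interface IService
{
    [OperationContract]
    string GetData(int value);
}

public static class TransportOnlyClient
{
    // Code equivalent of the client <binding name="HttpsEndPoint"> on the page:
    // transport (HTTPS) security, and the client presents no credential at all.
    public static WSHttpBinding TransportOnlyBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return binding;
    }

    // Calls the service over HTTPS. Note what is absent: no ClientCertificate is set,
    // no service certificate is loaded. The runtime validates the server's certificate
    // against the client machine's trusted root store, exactly as a browser would.
    public static string Call(string endpointUrl)
    {
        var factory = new ChannelFactory<IService>(
            TransportOnlyBinding(), new EndpointAddress(endpointUrl));
        IService proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string result = proxy.GetData(42);
            channel.Close();
            factory.Close();
            return result;
        }
        catch
        {
            // A faulted channel cannot be closed; abort it and rethrow for the caller.
            channel.Abort();
            factory.Abort();
            throw;
        }
    }

    // For contrast only: this is what a client looks like when the SERVICE demands a client
    // certificate (mutual TLS). Even here the certificate loaded is the customer's own,
    // issued to them and held in their store; the service's certificate and private key
    // are never handed over.
    public static ChannelFactory<IService> MutualTlsFactory(string endpointUrl, string clientCertThumbprint)
    {
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        var factory = new ChannelFactory<IService>(binding, new EndpointAddress(endpointUrl));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, clientCertThumbprint);
        return factory;
    }

    public static void Main()
    {
        // Placeholder URL; replace with the real HTTPS endpoint.
        Console.WriteLine(Call("https://machineName:8056/Service1.svc"));
    }
}
```

Two caveats a practitioner will hit when the client moves off the same machine as the service (the note above): the client machine must trust the issuer of the server certificate, so if the test certificate is self-signed the customer needs the public certificate (no private key) in their Trusted Root store, which is the only legitimate "give us the cert" request; and the host name in the endpoint address must match the certificate's subject or SAN, otherwise the transport-security handshake fails with a trust error rather than silently succeeding.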

Licensed under: CC-BY-SA with attribution