If you want to verify that the message came from the server, you should sign it with a private key from a public/private key pair. You can then verify the signature in the client using the public key. This way you know that the request came from the server (assuming your private key isn't compromised; keep it safe!). This is how Windows Update works, as well as APT and YUM.
Note, though, that this will only prevent someone impersonating your server. It won't encrypt the data, and it won't guarantee anything about the client. You can't do the same thing in reverse (sign client-originating data with a client private key) because anything that comes from the client can be tampered with/spoofed or otherwise malicious. If you want the client information to be encrypted, you can encrypt it with the server's public key and only the server's private key will decrypt it.
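The sign-on-server, verify-in-client flow described above, as an added example that is not part of the original answer. The answer names no algorithm; Ed25519 from Go's standard library is an assumption here, and `SignedMessage`, `NewServerKey`, `ServerSign` and `ClientVerify` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage is what the server sends: the payload in the clear plus a
// signature. Signing does not encrypt; anyone on the path can read Payload.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
}

// NewServerKey generates the key pair. The private key never leaves the
// server; only the public key is shipped (pinned) inside the client.
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// ServerSign runs on the server only.
func ServerSign(priv ed25519.PrivateKey, payload []byte) SignedMessage {
	return SignedMessage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// ClientVerify runs in the client against the pinned public key. The length
// checks matter: ed25519.Verify panics on a public key of the wrong size.
func ClientVerify(pinned ed25519.PublicKey, m SignedMessage) bool {
	if len(pinned) != ed25519.PublicKeySize || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, m.Payload, m.Signature)
}

func main() {
	pub, priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	msg := ServerSign(priv, []byte(`{"update":"1.2.3"}`)) // constructed sample payload
	fmt.Println("genuine message accepted:", ClientVerify(pub, msg))

	// Payload altered in transit, original signature reused.
	altered := SignedMessage{Payload: []byte(`{"update":"9.9.9"}`), Signature: msg.Signature}
	fmt.Println("altered payload accepted:", ClientVerify(pub, altered))

	// Correctly signed, but by a key the client does not pin.
	_, otherPriv, _ := NewServerKey()
	fmt.Println("other signer accepted:", ClientVerify(pub, ServerSign(otherPriv, msg.Payload)))
}
```

The client rejects both the altered payload and the message signed by an unpinned key, while the payload itself stays readable in every case.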