https - What is the difference between requiring an SSL cert and accepting an SSL cert?

Question

So I know the fundamental difference between requiring an SSL cert and accepting, one means you must have an SSL certificate and the other means you don't need one.

In my IIS Manager for a certain webpage I have the this setup:

The issue that I am having is that when I set Require SSL Cert and have Client certificates set to accept/ignore I can only get to webpage using HTTPS. Now if I change it to Require, I can no longer access the webpage, even with HTTPS... so I am just trying to figure out what the difference is, and how it effects the webpage.

So maybe my question is phrased wrong... I'm not sure, my understanding on the subject is fairly limited, so any help would be appreciated.

Thanks!

Answer 1

Client-certificate authentication can be optional or mandatory, or not used at all.

• Ignore is when it's not used at all.
• Accept will take a certificate if it's presented, but will also continue with connections where the client doesn't present one.
• Require only continues with connections that have a client certificate.

Client-certificate authentication is something that can only be initiated by the server in SSL/TLS, so this terminology isn't quite correct, but that's what's used in IIS.