I have a requirement to use Web API, and implement security on those calls. I know how to do what I need in WCF, but Web API is frustrating in its efforts to be simpler. SSL, I think I got that. I have a cert installed on the server, that I somehow need to also install on the client, and I set that by adding the cert to the WebRequestHandler.ClientCertificates property... I think that's how it works.
But I also wanted to implement message security where I sign and encrypt the message with a personal certificate installed on the client and the client only. This certificate could then be used to verify the identity of the client, and process the message.
My question is, then, threefold
HTTP itself does not have a specification to do message security. You could roll your own, but you are on your own here.
I think you got the SSL part wrong - the server cert does not need to be installed on the client. You simply need to use a cert that is trusted by the client (e.g. the issuer is trusted).
In addition you can use a client certificate to authenticate the client.
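The two points in the answer (the client only needs to trust the server certificate's issuer, and a client certificate can be used to authenticate the client) can be shown in code. The following is an added example, not code from the question or the answer: a client that presents its own certificate through `WebRequestHandler.ClientCertificates`, and an ASP.NET Web API `DelegatingHandler` on the server that rejects requests whose TLS client certificate is missing, fails chain validation, or is not on an allow-list. The base address `https://api.example.com/`, the thumbprint values and the class names are assumptions for illustration.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Client side (added example). Nothing about the server certificate is installed here:
// TLS succeeds as long as the server cert chains to a CA the client already trusts.
public static class ApiClient
{
    public static HttpClient Create(string clientCertThumbprint)
    {
        // Load the client's own certificate (private key included) from its personal store.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, clientCertThumbprint, validOnly: true);
            if (found.Count == 0)
                throw new InvalidOperationException("client certificate not found in CurrentUser\\My");

            var handler = new WebRequestHandler();
            handler.ClientCertificateOptions = ClientCertificateOption.Manual;
            handler.ClientCertificates.Add(found[0]);   // presented during the TLS handshake

            // Hypothetical base address for the example.
            return new HttpClient(handler) { BaseAddress = new Uri("https://api.example.com/") };
        }
        finally
        {
            store.Close();
        }
    }
}

// Server side (added example). A Web API message handler that authenticates the caller
// by the TLS client certificate the web server negotiated for the request.
public class ClientCertificateHandler : DelegatingHandler
{
    private readonly string[] _allowedThumbprints;

    // Thumbprints of the client certificates this API accepts (constructed allow-list).
    public ClientCertificateHandler(params string[] allowedThumbprints)
    {
        _allowedThumbprints = allowedThumbprints;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Client certificates only mean something over TLS; refuse plain HTTP outright.
        if (!string.Equals(request.RequestUri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required"));

        // GetClientCertificate() is the Web API extension that exposes the negotiated cert.
        X509Certificate2 cert = request.GetClientCertificate();
        if (cert == null)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Unauthorized, "client certificate required"));

        // Build the chain (issuer trust, validity period, revocation) rather than trusting
        // the presented certificate at face value.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        bool chainOk = chain.Build(cert);

        // Pin to known client certificates; issuer trust alone is not an identity check.
        bool allowed = _allowedThumbprints.Contains(cert.Thumbprint, StringComparer.OrdinalIgnoreCase);

        if (!chainOk || !allowed)
            return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden, "client certificate not accepted"));

        return base.SendAsync(request, cancellationToken);
    }
}
```

The handler is registered in `WebApiConfig.Register` with `config.MessageHandlers.Add(new ClientCertificateHandler("THUMBPRINT-PLACEHOLDER"));`. For `GetClientCertificate()` to return anything, the web server must be configured to request client certificates on the site (in IIS: SSL Settings, "Require SSL" with client certificates set to Accept or Require); otherwise every request is rejected with 401. The thumbprint allow-list is what ties the certificate to a specific client, which is the identity check the question asks about; the chain build with online revocation checking is the part that makes a stolen or revoked certificate fail rather than pass.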