This has always been a big point of confusion, both for developers (like me) and admins.
SSL Certificates are misnamed. They are not for SSL only. I wish all of the CA’s would just call them “Web Server Certificates”. How and where you install them determines whether or not they are used for SSL.
I remember my first conversation with tech support at Verisign trying to find out how much one cost. This was when I was playing with WSE 1.0. I was extremely clueless. The conversation went something like this:
me: I’m trying to find a server certificate to use for Web Service Enhancements
me: I think it’s just called a “web server certificate”. You have SSL certificates, but I don’t want SSL. I’m not doing SSL.
It went on for a while.
I finally learned that the trick was just to buy an SSL cert, install it on the server and don’t bother with the IIS intallation of it. That’s what I do.
I couldn’t figure out how to explain this to an i.t. person who is used to SSL. They were very wary of installing it on the web server because I wanted to do something wierd with it.
With WS-Security picking up more steam and WCF around the corner, I think thre are going to be many conversations like this in the future. If they just called them Web Server Certificates, it would prevent a lot of frustration out there in the world of web service developers.
Don’t Forget: www.acehaid.org
Sign up for my newsletter so you don't miss my conference & Pluralsight course announcements!