Hi Dave,
I am also scratching my head over this one.
(My experience may only be of limited value to you.)
I recently bought a Code Signing certificate which I'm using successfully to
sign my application's ClickOnce manifests. (I'm using Visual Studio 2005
SP1 + Web Service Enhancements 3.0 to supply a Winform user-app and a
corresponding web service for the data interface). I'd planned to extend
the use of the certificate to providing message-level protection between the
application and the web service it uses, because I was led to believe that a
code signing certificate could do this.
However, when I try to reference the code-signing certificate in the WSE-3
policy wizard (after hacking around to import it to the appropriate
certificate store), it responds that the certificate doesn't support Data
Encryption.
There is obviously a different type of certificate required to support the
WSE-3 message-level security. I already have an SSL certificate on our
production web server (only used for HTTPS), so I exported that to a CER
file, then imported it into my dev PC's Local Machine (Personal) certificate
store. This allowed me to set the WSE policy to reference that certificate,
but I don't know if all this is a "legal" step to use. I've a feeling it may
cause problems when it comes to deployment.
Having said that, my experiment with our SSL cert would seem to indicate
that an SSL certificate DOES (or can) support Data Encryption. Perhaps you
have a different type of SSL certificate with a restricted use? (I don't
know whether this is a possibility.)
The patterns & practices documentation in the MS book/PDF for Web Service
Security only refers to "certificates" and "X.509". For "newbie"
certificate NON-specialists (that's me), it doesn't really make it clear
enough which type of certificate is appropriate for a given scenario (if
indeed there is any difference), or how to use them in a separate dev pc
environment through to the final production deployment. I find it an
immensely frustrating book at times (project timeline pressures don't help).
What isn't clear to me is whether I can use our existing SSL cert, and if
so, where to import it to on my DEV pc while I code everything up. (If
anyone from MS is reading this - could you please, please, please provide a
simple, clear, step-by-step walkthrough? - preferably focussing on username
token based logins and with all dialogs/step pictures so even my tired and
dimwitted brain can follow it!)
I'm going to look at WCF as the alternative to WSE, but on briefly looking
at the MSDN walkthrough docs this morning I wasn't impressed with the number
of (command-line?) operations that seemed to be required to get even a basic
project configured for operating. I've ordered an O'Reilly book "Learning
WCF" which hopefully might illuminate this technology in a clearer light for
me.
Al
>I know this is a somewhat common question, but I can not find an answer
>that
[quoted text clipped - 11 lines]
> Is this a viable way to proceed or is certificate services the only option
> that makes sense?
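A way to see for yourself which certificates in a store can do what, as an added example that is not code from the post above or from WSE/Visual Studio: it reads the Windows certificate store through PowerShell's Cert: drive and reports each certificate's Key Usage and Enhanced Key Usage extensions and whether its private key is present. The function name, the "usable for WSE encryption" column and the assumption that the WSE-3 policy wizard's "doesn't support Data Encryption" message is driven by the Key Usage extension (KeyEncipherment / DataEncipherment) are mine; the OIDs are the standard ones from RFC 5280.

```powershell
# Added example, not code from the original post or from WSE/Visual Studio.
# Lists the certificates in a Windows store with the facts that decide whether
# WSE-3 (or anything else) can use them for message-level protection:
#   - Key Usage: KeyEncipherment / DataEncipherment are needed to encrypt,
#     DigitalSignature to sign (no extension at all means "unrestricted").
#   - Enhanced Key Usage: code signing vs. server authentication (SSL).
#   - HasPrivateKey: a .CER import brings only the public key.
# Assumption: the WSE-3 wizard's "doesn't support Data Encryption" message is
# driven by the Key Usage extension.
function Get-CertificateCapabilities {
    param(
        # Cert: drive path; use Cert:\CurrentUser\My for the per-user store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $KU = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    # Well-known Enhanced Key Usage OIDs (RFC 5280 id-kp-* values).
    $ekuNames = @{
        '1.3.6.1.5.5.7.3.1' = 'ServerAuth (SSL/TLS server)'
        '1.3.6.1.5.5.7.3.2' = 'ClientAuth'
        '1.3.6.1.5.5.7.3.3' = 'CodeSigning'
        '1.3.6.1.5.5.7.3.4' = 'EmailProtection'
    }

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $kuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }  # Key Usage
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }  # Enhanced Key Usage

        if ($kuExt) {
            $flags      = $kuExt.KeyUsages
            $canEncrypt = (($flags -band $KU::KeyEncipherment) -ne 0) -or
                          (($flags -band $KU::DataEncipherment) -ne 0)
            $canSign    = ($flags -band $KU::DigitalSignature) -ne 0
            $kuText     = $flags.ToString()
        } else {
            # No Key Usage extension: X.509 places no restriction on the key.
            $canEncrypt = $true
            $canSign    = $true
            $kuText     = '(none: unrestricted)'
        }

        $ekuText = if ($ekuExt) {
            ($ekuExt.EnhancedKeyUsages | ForEach-Object {
                if ($ekuNames.ContainsKey($_.Value)) { $ekuNames[$_.Value] } else { $_.Value }
            }) -join ', '
        } else {
            '(none: any purpose)'
        }

        New-Object -TypeName PSObject -Property @{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            HasPrivateKey    = $cert.HasPrivateKey
            KeyUsage         = $kuText
            EnhancedKeyUsage = $ekuText
            CanEncrypt       = $canEncrypt
            CanSign          = $canSign
            # Decrypting messages needs an encryption-capable key AND its
            # private half on the machine that has to decrypt.
            UsableForWseEncryption = ($canEncrypt -and $cert.HasPrivateKey)
        } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, KeyUsage,
                          EnhancedKeyUsage, CanEncrypt, CanSign, UsableForWseEncryption
    }
}

# Usage: inspect the machine store the wizard was pointed at, then the user store.
Get-CertificateCapabilities -StorePath 'Cert:\LocalMachine\My' | Format-List
Get-CertificateCapabilities -StorePath 'Cert:\CurrentUser\My'  | Format-List
```

Two things to read off the output. A code-signing certificate will typically show CodeSigning in EnhancedKeyUsage and only DigitalSignature in KeyUsage, so CanEncrypt is false; a typical SSL certificate shows ServerAuth with DigitalSignature and KeyEncipherment, so CanEncrypt is true, which matches the behaviour described in the post. Second, a certificate exported to a .CER file carries only the public key, so after importing it HasPrivateKey will be false and the service on that machine cannot decrypt anything sent to it; the private key only travels in a PFX (PKCS#12) export made on the machine that holds it. Copying a production SSL private key onto a development PC also widens where that key can be stolen from, which is a reason to issue a separate certificate for the dev environment rather than reuse the production one.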