I am writing this post as an extension to the previous one, "Creating X509 Certificates for WSE or WCF".
I recently received some feedback from a colleague, Albert, and I think it is worth mentioning.
Albert ran into a dilemma that is common nowadays: how to buy an X509 certificate for his application from a well-known certificate authority.
The main problem here is that these vendors only sell closed products, such as e-mail certificates or SSL certificates, and they hardly know about the requirements for WSE (I guess WCF should have similar requirements).
According to what Albert found out, a certificate for WSE should have the following attributes:
KeyUsage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)
Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
this one seems to be optional - Server Authentication (1.3.6.1.5.5.7.3.1)
But, most SSL certificates have the following properties:
KeyUsage: Digital Signature, Key Encipherment (a0)
Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1) Client Authentication (1.3.6.1.5.5.7.3.2)
This explains why a normal SSL certificate cannot be used by WSE (you receive the "Certificate does not support data encryption" error message).
As a result, knowing those requirements, Albert could finally buy the right certificate from one of the well-known vendors. (Sorry, I will not add any marketing stuff here.) So, if you ever need to buy a certificate for WSE or WCF, ask for those certificate characteristics in advance to avoid any problems.
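
The difference between the f0 and a0 KeyUsage values above can be checked mechanically. The following is an added example, not code from the original post or from WSE: it decodes the DER BIT STRING that holds the KeyUsage extension value and reports which usages required for WSE are missing. The function names and the two sample byte strings are constructed for illustration.

```python
# Added example: decode a DER-encoded KeyUsage value and compare it with the
# WSE requirements listed in the post. Names and samples are hypothetical.

# KeyUsage bit positions from RFC 5280 (bit 0 is the most significant bit).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Requirement taken from the post: KeyUsage f0.
WSE_REQUIRED = {"digitalSignature", "nonRepudiation",
                "keyEncipherment", "dataEncipherment"}


def decode_key_usage(der: bytes) -> set:
    """Return the usage names set in a DER BIT STRING (tag 0x03)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is at most 2 payload bytes, so only short-form lengths occur.
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length octet")
    unused = der[2]  # number of padding bits in the last payload byte
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    payload = der[3:]
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def missing_for_wse(der: bytes) -> set:
    """Usages the post lists for WSE that this KeyUsage value lacks."""
    return WSE_REQUIRED - decode_key_usage(der)


# Constructed samples: the extension value bytes behind "(f0)" and "(a0)".
WSE_STYLE = bytes.fromhex("030204f0")
SSL_STYLE = bytes.fromhex("030205a0")

if __name__ == "__main__":
    for label, der in (("WSE-style", WSE_STYLE), ("SSL-style", SSL_STYLE)):
        missing = sorted(missing_for_wse(der))
        print(label, "missing:", ", ".join(missing) if missing else "nothing")
```

For the a0 sample, the missing usages are Non-Repudiation and Data Encipherment, which matches the "Certificate does not support data encryption" error.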