This has always been a big point of confusion, both for developers (like me) and admins.

SSL Certificates are misnamed. They are not for SSL only. I wish all of the CA's would just call them "Web Server Certificates". How and where you install them determines whether or not they are used for SSL.

I remember my first conversation with tech support at Verisign trying to find out how much one cost. This was when I was playing with WSE 1.0. I was extremely clueless. The conversation went something like this:

me: I'm trying to find a server certificate to use for Web Service Enhancements

them: huh?

me: I think it's just called a "web server certificate". You have SSL certificates, but I don't want SSL. I'm not doing SSL.

them: huh?

It went on for a while.

I finally learned that the trick was just to buy an SSL cert, install it on the server and don't bother with the IIS intallation of it. That's what I do.

I couldn't figure out how to explain this to an i.t. person who is used to SSL. They were very wary of installing it on the web server because I wanted to do something wierd with it.

With WS-Security picking up more steam and WCF around the corner, I think thre are going to be many conversations like this in the future. If they just called them Web Server Certificates, it would prevent a lot of frustration out there in the world of web service developers.