BasicHttpBinding with Transport Security

November 14, 2007. Posted in: WCF | Web Services

This is just something to remind myself next time I need to implement a WCF service using the BasicHttpBinding with transport-only security (SSL + client certificates):

  • WCF expects that the "Require SSL" option in IIS is enabled.
  • If Metadata Exchange is needed, configure the MEX endpoint with a custom binding with the right settings; otherwise the service won't start.
  • Remember to set the httpsGetEnabled="true" attribute on the <serviceMetadata> service behavior instead of the usual httpGetEnabled attribute.
  • WCF does not understand the "Accept Client Certificates" option in IIS. It treats it the same as the "Ignore Client Certificates" option.

To use client certificates:

    • Enable the "Require Client Certificates" option in IIS
    • On the service side, use a custom binding to set the requireClientCertificate option of the httpsTransport binding element:

      <bindings>
         <customBinding>
            <binding name="sslBasicHttp">
               <textMessageEncoding messageVersion="Soap11" />
               <httpsTransport requireClientCertificate="true"/>
            </binding>
         </customBinding>
      </bindings>

    • On the client side, use basicHttpBinding with the security mode set to "Transport" and the option clientCredentialType set to "Certificate" on the <transport/> element.
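
The client-side settings from the last bullet, written out as an added configuration sketch (not part of the original post). The endpoint address, contract name, configuration names and certificate subject are placeholders; the certificate lookup assumes the client certificate is installed in the current user's personal store.

```xml
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- Transport-only security: HTTPS carries the client certificate,
           nothing is added at the SOAP message level -->
      <binding name="sslBasicHttpClient">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <behaviors>
    <endpointBehaviors>
      <behavior name="clientCertBehavior">
        <clientCredentials>
          <!-- Placeholder subject name; the store location and store name
               are assumptions about where the certificate is installed -->
          <clientCertificate findValue="PLACEHOLDER-CLIENT-CERT-SUBJECT"
                             x509FindType="FindBySubjectName"
                             storeLocation="CurrentUser"
                             storeName="My" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

  <client>
    <!-- Placeholder address and contract. The address must be https://,
         because the binding uses Transport security -->
    <endpoint name="sslBasicHttpEndpoint"
              address="https://service.example.com/Service.svc"
              binding="basicHttpBinding"
              bindingConfiguration="sslBasicHttpClient"
              behaviorConfiguration="clientCertBehavior"
              contract="IExampleService" />
  </client>
</system.serviceModel>
```

Without the clientCertificate entry (or the equivalent set in code), the client has no certificate to present during the TLS handshake and the call is rejected once IIS requires client certificates.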


Copyright © 2002-2008, Tomas Restrepo.