How to: Create a Temporary Certificate for Use during Development
This certificate is usually part of a certificate chain whose root certification authority is in the Trusted Root Certification Authorities store on your computer. A certificate chain lets you define a set of certificates whose root certification authority is normally your own organization or business unit. To simulate this situation at development time, two certificates are created to meet the security requirements. The first is a self-signed certificate placed in the Trusted Root Certification Authorities store; the second is created from the first and placed in the Personal store, either under the Local Computer location or under the Current User location. This topic walks through creating these two certificates with the Certificate Creation tool (MakeCert.exe) that ships with the .NET Framework SDK.

Important: Certificates generated by the Certificate Creation tool are for testing purposes only. When you deploy a service or client, be sure to use a proper certificate provided by a certification authority, which may be a Windows Server 2003 certificate server from your organization or a third party.

By default, Makecert.exe creates certificates issued by a root certification authority named "Root Agency". Because Root Agency is not in the Trusted Root Certification Authorities store, certificates it issues are not trusted. Creating your own self-signed certificate and placing it in the Trusted Root Certification Authorities store gives you a development environment that closely resembles your deployment environment.

For more information about creating and using certificates, see Using Certificates. For more information about using certificates as credentials, see Securing Services and Clients. For a tutorial on using Microsoft Authenticode technology, see Authenticode Overview and Tutorials.
To create a self-signed root certification authority certificate and export the private key

Use the MakeCert.exe tool with the following switches:

  -n subjectName. Specifies the subject name. The convention is to prefix the subject name with "CN=" for "Common Name".
  -r. Specifies that the certificate will be self-signed.
  -sv privateKeyFile. Specifies the file that contains the private key container.

For example, the following command creates a self-signed certificate with the subject name "CN=TempCA":

  makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer

You will be prompted for a password to protect the private key. This password is required whenever you create a certificate signed by this root certificate.

To create a new certificate signed by the root certification authority certificate

Use the MakeCert.exe tool with the following switches:

  -sk subjectKey. The location of the subject's key container that holds the private key. If the key container does not exist, it is created. If neither the -sk nor the -sv option is used, a key container named JoeSoft is created by default.
  -n subjectName. Specifies the subject name. The convention is to prefix the subject name with "CN=" for "Common Name".
  -iv issuerKeyFile. Specifies the issuer's private key file.
  -ic issuerCertFile. Specifies the location of the issuer's certificate.

For example, the following command uses the issuer's private key to create a certificate with the subject name "CN=SignedByCA", signed by the TempCA root certification authority certificate. The -sr and -ss switches place it in the Personal (My) store of the current user:

  makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My

Installing a certificate in the Trusted Root Certification Authorities store

Once the self-signed certificate is created, you can install it in the Trusted Root Certification Authorities store. The computer then trusts any certificate signed with this certificate.
For this reason, delete the certificate from the store as soon as you no longer need it. When you delete the root certification authority certificate, every other certificate it signed becomes untrusted. The root certification authority certificate is simply a mechanism for defining a set of certificates where one is needed. For example, in a peer-to-peer application you usually do not need a root certification authority, because you only trust the individual identity of the certificate that the other party presents.

To install a self-signed certificate in the Trusted Root Certification Authorities store

1. Open the Certificates snap-in. For more information, see How to: View Certificates with the MMC Snap-in.
2. Open the folder where you want to store the certificate, either Local Computer or Current User.
3. Open the Trusted Root Certification Authorities folder.
4. Right-click the Certificates folder, click All Tasks, and then click Import.
5. Follow the on-screen wizard instructions to import TempCa.cer into the store.

Using the temporary certificates with WCF

Once the temporary certificates are installed, you can use them to develop WCF solutions that specify certificates as the client credential type. For example, the following XML configuration specifies message security mode and certificate as the client credential type.

To specify a certificate as the client credential type

In the configuration file for the service, use the following XML to set the security mode to message and the client credential type to certificate:

  <bindings>
    <wsHttpBinding>
      <binding name="CertificateForClient">
        <security>
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>

In the configuration file for the client, use the following XML to specify that the certificate is found in the user store by searching the SubjectName field for the value "Coho Winery":
  <behaviors>
    <endpointBehaviors>
      <behavior name="CertForClient">
        <clientCredentials>
          <clientCertificate findValue="Coho Winery" x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>

For more information about using certificates in WCF, see Using Certificates.

Security

Be sure to delete all temporary root certification authority certificates from the Trusted Root Certification Authorities and Personal folders by right-clicking the certificate and then clicking Delete.
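As an added example that is not part of the original topic, the same two-certificate chain (a self-signed TempCA root and a SignedByCA certificate it signs) built with PowerShell's New-SelfSignedCertificate (PKI module, Windows 10 / Server 2016 or later) in place of the deprecated MakeCert.exe, checked with X509Chain before and after the root is imported into the Trusted Root store, and removed at the end as the Security note requires. It assumes an interactive session, since Windows shows a confirmation dialog when a certificate is added to or removed from the current user's Trusted Root store.

```powershell
# Added example, not from the page: New-SelfSignedCertificate stands in for MakeCert.exe.
$ErrorActionPreference = 'Stop'

# 1. Self-signed root CA, equivalent of: makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
$root = New-SelfSignedCertificate -Subject 'CN=TempCA' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage CertSign, CRLSign `
    -TextExtension @('2.5.29.19={text}CA=true') `
    -NotAfter (Get-Date).AddDays(30)

# 2. Leaf certificate signed by the root, equivalent of: makecert -sk SignedByCA ... -sr currentuser -ss My
$leaf = New-SelfSignedCertificate -Subject 'CN=SignedByCA' `
    -Signer $root `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddDays(30)

function Test-TempChain {
    # Reports whether Windows can build a trusted chain for $Cert and which status flags it raised.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # a temporary CA publishes no CRL
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Subject = $Cert.Subject
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Before the root is trusted: Trusted is False and Status reports UntrustedRoot.
Test-TempChain $leaf

# 3. Export the root's public half (TempCA.cer) and import it into Trusted Root Certification Authorities.
$cerPath = Join-Path $env:TEMP 'TempCA.cer'
Export-Certificate -Cert $root -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# After the import: Trusted is True and Status is empty.
Test-TempChain $leaf

# 4. Cleanup: remove the temporary root from both stores and the leaf from My.
# Deleting the root is what makes every certificate it signed untrusted again.
Get-ChildItem 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My' |
    Where-Object { $_.Thumbprint -in @($root.Thumbprint, $leaf.Thumbprint) } |
    Remove-Item
Remove-Item $cerPath
```

Run the two Test-TempChain calls side by side to see the UntrustedRoot status flip to a trusted chain once TempCA.cer is in the Root store, and check that the last Get-ChildItem pipeline leaves no TempCA entry behind.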