Solution sketch:

1) Define and register a custom X509CertificateValidator on the client

2) In the Validate method, compare the given certificate with the one present in the client s EndpointAddress.Identity property. The object referenced by this property should have the X509CertificateEndpointIdentity exact type.

I didn t test this solution, however it makes perfect sense to me.

HTH Pedro

[UPDATE] While setting certificateValidationMode to none will make the exception go away, it is unacceptable solution from security point of view.

It makes the client merely acknowledge that it receive some certificate, without getting into details. This makes all range of man in the middle attacks possible. It still won t validate the information sent by (alleged) service against the certificate dumped in the config.

You are wrong. This will do perfectly. That s actually what you want - your certificate to not be validated. All you need is to set the identity of the endpoint on the client to

<identity>
  <certificate encodedValue="encoded certificate"/>
</identity>

When the client connects to the server WCF will compare the two certificates and throw an exception if they do not match. And you are perfectly safe.

Using a custom validator like Pedro Felix suggested is completely unnecessary in your case. That s exactly what the endpoint identity is for.

Sorry, I cannot comment on other answers.

I just tested this in .NET 4.0 and I can confirm that the "Zeratul" s answer is correct. Explicitly settings the identity of the service either in config, or programmatically is sufficient for server authentication. There is no need to validate certificate by any other means (i.e. you can set "certificateValidationMode" to "None") since you are using the ultimate validation method - comparison of the thumbprint of the certificate.

@AlexDrenea

"serviceCertificate" is not used for validation. It is used with message security to encrypt messages before they are sent to the server. See Microsoft s documentation about this:

http://msdn.microsoft.com/en-us/library/ms731782.aspx

This is an additional comment to my previous answer. Sorry I cannot comment answers.

Moreover you do not need to set any identity on the server. Forget about what WSDL tells you about the identity of the server. The identity of a remote service endpoint is decided by the client during runtime. If the server uses SSL then it has several identities: the common name of the certificate (i.e. a DNS identity), a certificate identity and an RSA identity (not sure about the last one). Therefore, you can check the server s identity by anyone of these criteria (or by several of them).

You are corect and almost finished configuring the client configuration. You are missing one last thing (as mentioned in the error description) : you need to set the revocationMode to NoCheck in the configuration:

 <behaviors>
  <endpointBehaviors>
    <behavior name="SecureMessageUserName">
      <clientCredentials>
         <serviceCertificate>
            <authentication revocationMode="NoCheck"/>
         </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
 </behaviors>

If you need more details, just let me know and I ll post a full working client configuration.

Edit sorry for the delay

You should also add the noCheck in the server configuration :

<behavior name="X509SecureBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <serviceCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindByThumbprint" findValue="aaaa" />
            <clientCertificate>
              <authentication certificateValidationMode="None" revocationMode="NoCheck" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>

Also I didn t include the certificate reference in the endpoint definition.