Moving forward with re-designing a web service architecture using WCF, our team has been discussing how we want to expose the endpoints. Example: I have a standard endpoint that all users could use with the proper token, but I also have some number of endpoints that will instead use certificate security. All endpoints will ultimately use the same implementation, so this is really just different ways of getting in to the system.

The certificate endpoints will have to point to a specific certificate in the store so will only work for one specific client. The thought is that our standard service could live at http://mysite.com/MyService.svc and the certificate endpoints would be something like http://mysite.com/MyService.svc/Acme. The concern here is that I’m effectively putting our client list into our WSDL, which is not desirable.

What’s the best practice here? Is there a way to direct multiple clients through a single certificate endpoint and get the cert on the code side (how would we know which client we’re dealing with without a specific endpoint)? What’s the best way to hide that client list? Is there an entirely better solution I’m not seeing?