Note about makecert.exe
Whenever i tried to decrypt an instance of EncryptedXml a CryptographicException (“Bad Key.") was thrown and when i tried to use a mutualCertificate11Security assertion (WSE 3.0) the same CryptographicException (“WSE600: Unable to unwrap a symmetric key using the private key of an X.509 certificate. Please check if the account ‘ASPNET’ has permissions to read the private key of certificate with subject name… “) was thrown.
The problem is that by default, makecert.exe generates a key type that is suited for signature. If you want to use the key for other purposes than signing (eg: SSL authentication) you have to use the -sky exchange option. The following commands made my problems disappear:
makecert -n "CN=Client" -pe -ss My -sr CurrentUser -sky exchange client.cer makecert -n "CN=Host" -pe -ss My -sr LocalMachine -sky exchange host.cer