I am trying to create a simple "hello world" web service and client
that uses X.509 to encrypt the message, all in C# using Visual Studio
2003 and WSE 2.0 SP1.
I have tried using both the sample certificate supplied with WSE 2.0 as
well as generating my own certificate using makecert.
When I use the WSE sample certificate, I have found it works either if
I install the private key on the client and the public certificate on
the server; or if I install the public certificate on the client and
the private key on the server. (Using the "Current User" store on the
client, and the "Local Machine" store on the server.) Either way, I can
use the same certificate key id on the client to get the certificate
and add an EncryptedData security element to my Soap context on the
client side. The server correctly handles the incoming message either
way. (Though I am a bit confused by the naming of the WSE-supplied
certificate files - the only private and public *pair* is named "Server
Public" and "Server Private" - there is no "Client Public," so for the
above-described test I was forced to use the Server keys.)
My understanding is that if I put the private key on the client and the
public certificate on the server, what I am essentially doing is
ensuring that on the server-side, I can securely believe that the
message came from that particular client - because nobody else should
have that private key. Conversely, if I put the private key on the
server and the public certificate on the client, that essentially would
mean that I am ensuring that only the server can read the message - but
anyone could have sent it.
Then I tried to create my own certificate instead of using the
WSE-supplied sample - using the same client and server code and config
files, only changing the key id used by the client to find the
certificate. I generated the certificate using makecert (makecert -n
"MyTestCert" -sv MyTestCert-private.pvk -sky exchange
MyTestCert-public.cer), and extracted the private key using cert2spc
(cert2spc MyTestCert-public.cer MyTestCert-public.spc) and pvkimprt
(pvkimprt -pfx MyTestCert-public.spc MyTestCert-private.pvk).
Unfortunately, using the key id for my own certificate - I can only use
this certificate by putting the private key on the server and the
public certificate on the client. If I do it the other way around, the
server complains that it cannot find the private key (which it
shouldn't need).
Or, I can put the private key on the client and the public key on the
server - but then I can only sign the message from the client, I can't
encrypt it (without giving the server the private key as well).
What am I missing here?
Thanks,
Ethan
Softwaremaker - 11 Dec 2004 05:11 GMT
> I am trying to create a simple "hello world" web service and client
> that uses X.509 to encrypt the message, all in C# using Visual Studio
[quoted text clipped - 15 lines]
> Public" and "Server Private" - there is no "Client Public," so for the
> above-described test I was forced to use the Server keys.)
[Softwaremaker] If you are encrypting something for the server, you should
use something called the "Server Public" key
> My understanding is that if I put the private key on the client and the
> public certificate on the server, what I am essentially doing is
[quoted text clipped - 13 lines]
> (cert2spc MyTestCert-public.cer MyTestCert-public.spc) and pvkimprt
> (pvkimprt -pfx MyTestCert-public.spc MyTestCert-private.pvk).
[Softwaremaker] Are you using the Platform SDK to generate makecerts? The
one that comes with .NET is known to have problems. Check out the post on
this:
http://www.softwaremaker.net/blog/PermaLink,guid,9e8cff20-4bd5-46cc-bb98-7f6019a1dc46.aspx
So far, I have been able to generate certs like that with no problems.
> Unfortunately, using the key id for my own certificate - I can only use
> this certificate by putting the private key on the server and the
[quoted text clipped - 9 lines]
> Thanks,
> Ethan
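The two placements Ethan describes (private key on the client to prove who sent the message; public certificate on the client and private key on the server so that only the server can read it) and Softwaremaker's point that you encrypt for the server with the server's public certificate map onto two different WSE 2.0 security elements on the client: MessageSignature needs a token backed by a private key the client holds, EncryptedData needs only the recipient's public certificate. The WSE 2.0 client below is an added example written for this thread, not code from either poster; it assumes a WSE-generated proxy class named HelloWorldWse with a Hello() method, and placeholder base64 key identifiers (ServerKeyId, ClientKeyId) of the kind the WSE X.509 Certificate Tool displays. All of those names are hypothetical.

```csharp
// Added example for this thread (not the original poster's code).
// Client side of a WSE 2.0 "hello world" call showing which half of the
// key pair each security element needs:
//   - EncryptedData: the SERVER's public certificate in the client's store
//     (CurrentUser\My); the server decrypts with its private key in
//     LocalMachine\My.
//   - MessageSignature: the CLIENT's certificate with private key in the
//     client's store; the server verifies with the client's public cert.
using System;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;
using Microsoft.Web.Services2.Security.X509;

public class HelloClient
{
    // Hypothetical key identifiers (base64 SubjectKeyIdentifier values as
    // shown by the WSE X.509 Certificate Tool). Replace with your own.
    const string ServerKeyId = "SERVER-KEY-ID-BASE64";
    const string ClientKeyId = "CLIENT-KEY-ID-BASE64";

    // Look a certificate up by key identifier in the given store.
    static X509Certificate FindCert(X509CertificateStore store, string keyId)
    {
        if (!store.OpenRead())
            throw new ApplicationException("cannot open certificate store");
        try
        {
            X509CertificateCollection certs =
                store.FindCertificateByKeyIdentifier(Convert.FromBase64String(keyId));
            if (certs.Count == 0)
                throw new ApplicationException("no certificate with key id " + keyId);
            return certs[0];
        }
        finally
        {
            store.Close();
        }
    }

    // Adds the security elements for the requested mode to the request.
    // encrypt: confidentiality for the server (public cert only on client).
    // sign:    proof of origin (client's private key must be present).
    public static void Secure(SoapContext ctx, bool encrypt, bool sign)
    {
        X509CertificateStore store =
            X509CertificateStore.CurrentUserStore(X509CertificateStore.MyStore);

        if (encrypt)
        {
            // Only the server's public certificate is needed here; WSE
            // encrypts a symmetric session key to it and references the
            // certificate by key identifier so the server can find its
            // matching private key.
            X509Certificate serverCert = FindCert(store, ServerKeyId);
            if (!serverCert.SupportsDataEncryption)
                throw new ApplicationException("server cert lacks key encipherment usage");
            X509SecurityToken serverToken = new X509SecurityToken(serverCert);
            ctx.Security.Elements.Add(new EncryptedData(serverToken));
        }

        if (sign)
        {
            // Signing requires the private key on the client. If only the
            // public certificate is installed, WSE fails when the message
            // is sent, which is the symptom seen when the halves are swapped.
            X509Certificate clientCert = FindCert(store, ClientKeyId);
            if (!clientCert.SupportsDigitalSignature)
                throw new ApplicationException("client cert lacks digital signature usage");
            X509SecurityToken clientToken = new X509SecurityToken(clientCert);
            ctx.Security.Tokens.Add(clientToken);   // ships the cert with the message
            ctx.Security.Elements.Add(new MessageSignature(clientToken));
        }
    }

    public static void Main(string[] args)
    {
        bool encrypt = Array.IndexOf(args, "encrypt") >= 0;
        bool sign = Array.IndexOf(args, "sign") >= 0;

        HelloWorldWse proxy = new HelloWorldWse();   // hypothetical WSE proxy
        Secure(proxy.RequestSoapContext, encrypt, sign);
        Console.WriteLine(proxy.Hello());
    }
}
```

Run it as `HelloClient encrypt` to exercise the "public certificate on the client, private key on the server" placement, or `HelloClient sign` (or both) for the "private key on the client" placement. Two checks worth making on the server when decryption fails: the private key must actually be present in the store the server's configuration names (LocalMachine\My here), and the account the web service runs under must have read access to that key container, since a key that exists but is unreadable produces the same "cannot find the private key" failure.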