Make sure you use the wse certificate tool to assign Read permission to
ASPNET on the certificate's private key file.

I'm finishing up a web service that uses WSE2.0 to sign the request and
encrypt the SOAP body (both request and response).  I'm using the code
approach (not policy).  Everything works fine with the QuickStart Sample
X.509 certs supplied with the WSE2.0 SP2 SDK.

I'd like to use self signed certs for the following reasons:
--the web service will be consumed internally (no need for CA traceability)
--it won't see a tremendous load (minor performance hit from self-signed
verts should be fine)
--I don't want to have to worry about expiring certs

The problem I'm having is that the certs I've created so far with Makecert
don't work.  I either get a "Bad Key" or "The security token could not be
authenticated or authorized" errors during the creation of the web service
request on the client side. I've double-checked the cert imports and private
key ACL rights and everything is fine.

The makecert approaches I've used to get two certs with private keys are
(where xxx = "WSClient" and "WSServer"):

makecert -r -n "CN=xxx"  -sv xxx.pvk xxx.cer
cert2spc xxx.cer xxx.spc
pvkimprt -pfx xxx.spc xxx.pvk

AND

makecert -cy authority -r -n "CN=demos1.Softwaremaker.NET" -sr
localmachine -ss "Trust"

makecert -cy end -n "CN=demos1.Softwaremaker.NET SERVER" -sky exchange -sk
"demos1.Softwaremaker.NET Server" -ss "My" -sr localmachine -in
"demos1.Softwaremaker.NET" -ir localmachine -is "Trust"

makecert -cy end -n "CN=demos1.Softwaremaker.NET CLIENT" -sky exchange -sk
"demos1.Softwaremaker.NET Client" -ss "My" -sr localmachine -in
"demos1.Softwaremaker.NET" -ir localmachine -is "Trust"

Can anyone provide me with makecert command lines for self signed
private-key certs that they know work with WSE2.0?  Or, are there any MVPs
out there that know how the Quickstart sample certs were created?

Thanks in advance,
Andy