The solution was found in a combination of steps from two useful articles found on CodePlex that shows creating certs, assigning permissions and web.config settings for client and server.
Server Article
How To: Create and Install Temporary Certificates in WCF for Message Security During Development
http://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Create%20and%20Install%20Temporary%20Certificates%20in%20WCF%20for%20Message%20Security%20During%20Development&referringTitle=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms
Client Article
How To – Use Certificate Authentication and Message Security in WCF calling from Windows Forms
http://wcfsecurity.codeplex.com/wikipage?title=How%20To%20-%20Use%20Certificate%20Authentication%20and%20Message%20Security%20in%20WCF%20calling%20from%20Windows%20Forms
Server Steps
On Server, make CA
makecert -n "CN=RootCAMyCompanyName" -r -sv RootCAMyCompanyName.pvk RootCAMyCompanyName.cer
password: aSuperSecretPassword19
On Server, import into RootCAMyCompanyName.cer into Trusted Root Certification Authorities
On Server, Make Cert
makecert -sk MyCompanyNameKey -iv RootCAMyCompanyName.pvk -n "CN=MyCompanyNameCert" -ic RootCAMyCompanyName.cer -sr localmachine -ss my -sky exchange -pe MyCompanyNameCert.cer
On Server, Find Private Key
FindPrivateKey.exe My LocalMachine –n "CN=MyCompanyNameCert"
On Server, Grant Access to Private Key, note switches at end of statement
cacls.exe "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys\abc57b73466481beba7b0e1b5781db81_c225a308-d2ad-4e58-91a8-6e87f354b030" /E /G "NT AUTHORITY\NETWORK SERVICE":R
Service Web.config
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="Binding1">
<security mode="Message">
<message clientCredentialType="Certificate"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="TestService.Service1" behaviorConfiguration="ServiceBehavior1" >
<endpoint
name="wsHttpEndpoint"
address=""
binding="wsHttpBinding"
bindingConfiguration="Binding1"
contract="TestService.IService1">
<identity>
<dns value="MyCompanyNameCert"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior1">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<clientCertificate>
<authentication revocationMode="NoCheck"/>
</clientCertificate>
<serviceCertificate findValue="CN=MyCompanyNameCert"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="EndpointBehavior1">
<clientCredentials>
<serviceCertificate>
<authentication revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint behaviorConfiguration="EndpointBehavior1" />
</client>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
--
Client Steps
On client, Copy the root CA certificate (RootCAMyCompanyName.cer) and privatekeyfile (RootCAMyCompanyName.pvk) to the client machine.
On client, Import RootCAMyCompanyName.cer into Trusted Root Certificate Authorities
On client, create client cert
makecert -sk MustBeUniqueKey -iv RootCAMyCompanyName.pvk -n "CN=MyCompanyNameCert" -ic RootCAMyCompanyName.cer -sr localmachine -ss my -sky exchange -pe MyCompanyNameCert.cer
Client Web.config
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="Behavior1">
<clientCredentials>
<clientCertificate findValue="CN=MyCompanyNameCert" storeLocation="LocalMachine"/>
<serviceCertificate>
<authentication revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false"
transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None"
realm="" />
<message clientCredentialType="Certificate" negotiateServiceCredential="true"
algorithmSuite="Default" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://wcfcerttest.com/Service1.svc"
binding="wsHttpBinding"
behaviorConfiguration="Behavior1"
bindingConfiguration="wsHttpEndpoint"
contract="ServiceReference1.IService1"
name="wsHttpEndpoint">
<identity>
<dns value="MyCompanyNameCert"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
Submit an article or tip