I am trying to secure a self hosted service. Calling the service returns this:
The underlying connection was closed: An unexpected error occurred on a receive.

The service endpoint looks like this

<endpoint address="https://MACHINE:8010/rest/users" binding="webHttpBinding" bindingConfiguration="certificate" contract="Online.DomainObjects.Remote.IUserManagerRemote" />

I have done this to open up access:

 netsh http add urlacl "url=https://+:8010/" user=BUILTIN\Users

I have turned WCF tracing on in the server, but get no information in the logs, so this is a client connection issue.

I have added a service behavior.

    <behavior name="certificate">
      <serviceCredentials>
        <serviceCertificate
          storeLocation="LocalMachine"
          x509FindType="FindByThumbprint"
          findValue="VALIDTHUMBPRINT" />
      </serviceCredentials>
    </behavior>

I have added a binding config.

  <webHttpBinding>
    <binding name="certificate">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
    </binding>
  </webHttpBinding>

The following code is used to call the service

    X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
    store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);    
    var certificate = store.Certificates.Find(X509FindType.FindByThumbprint, "VALIDTHUMBPRINT", false).OfType<X509Certificate2>().First();

    var request = (HttpWebRequest) WebRequest.Create("https://machine:8010/rest/users/display?key=OnlineStanlibId(1653510)");
    request.ClientCertificates.Add(certificate);
    request.Method = "GET";
    using (var reader = new StreamReader(request.GetResponse().GetResponseStream()))
        reader.ReadToEnd().Dump();

If I try and use fiddler (using the ssl decode) to examine the errors I get this.

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.1 (TLS/1.0)
    Random: 53 F3 39 10 E8 4B 5C D6 17 02 8B A0 42 CD 98 B7 37 56 3F B4 35 E6 3E B5 15 89 3B 6D E9 8F BA 19
    SessionID: empty
    Extensions: 
        renegotiation_info  00
        server_name slc11555001
        elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
        ec_point_formats    uncompressed [0x0]
    Ciphers: 
        [002F]  TLS_RSA_AES_128_SHA
        [0035]  TLS_RSA_AES_256_SHA
        [0005]  SSL_RSA_WITH_RC4_128_SHA
        ...(There are more of these)

Any suggestions on how to debug this further would be great...

The fiddler text view reveals this: HTTPS handshake to 'machine' failed. System.IO.IOException Unable to read data from the transport connection:

When creating a self-hosted Windows Communication Foundation (WCF) service that uses transport security, you must also configure the port with an X.509 certificate. In order to bind the certificate to the service you need to use the `netsh add sslcert' command and supply the certificate’s thumbprint, the application/service guid and the ip/port.

netsh http add sslcert ipport=0.0.0.0:8000 certhash=000...a5e6 appid={001-...-FEFF} 

The following link provides a good reference:
http://msdn.microsoft.com/en-us/library/ms733791(v=vs.110).aspx
HTTPS from a console application?