I want to secure my WCF service using client certificates, i.e. only client certificates from a specific root CA should be allowed to call my service.
For testing purposes I've created a single client certificate without a CA first. I registered the client certificate at the server's certificate store (under current user -> trusted people).
Within VS2013 I've enabled SSL on the WCF service project in order to have an HTTPS endpoint. I've adapted the service's Web.config as follows:

    <serviceCredentials>
      <clientCertificate>
        <authentication certificateValidationMode="PeerTrust"/>
      </clientCertificate>
      ...
    </serviceCredentials>

    <wsHttpBinding>
      <binding name="wsHttpEndpointBinding">
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
Furthermore, I've adapted the App.config file of my client application as follows:

    <clientCredentials>
      <clientCertificate findValue="Client" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="TrustedPeople" />
      <serviceCertificate>
        <authentication certificateValidationMode="PeerTrust"/>
      </serviceCertificate>
    </clientCredentials>

    <wsHttpBinding>
      <binding name="WSHttpBinding_IService1">
        <security mode="Transport">
          <transport clientCredentialType="Certificate"/>
        </security>
      </binding>
    </wsHttpBinding>
However, this does not work; I get the following exception message:

    An error occurred while making the HTTP request to https://localhost:44300/Service1.svc. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.

If I switch to message security (instead of transport security) and switch to the HTTP protocol, everything seems to work just fine. So I guess I've missed some HTTPS-enabling step?! How do I make transport security work?
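The question's actual goal (accept only client certificates issued under one specific root CA) is not expressed by PeerTrust, which trusts individual leaf certificates placed in the TrustedPeople store. The following is an added example, not code from the question or answer above: a custom WCF X509CertificateValidator that builds the chain and pins the chain's root to an expected thumbprint. The class name, namespace and the placeholder thumbprint are assumptions; the validator is wired in with certificateValidationMode="Custom" and customCertificateValidatorType on the service's clientCertificate authentication element.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

namespace MyService.Security
{
    // Hypothetical validator: WCF instantiates it via config, e.g.
    // <authentication certificateValidationMode="Custom"
    //   customCertificateValidatorType="MyService.Security.RootCaCertificateValidator, MyService"/>
    // so it must have a parameterless constructor.
    public class RootCaCertificateValidator : X509CertificateValidator
    {
        // PLACEHOLDER: replace with the SHA-1 thumbprint of your own root CA certificate.
        private const string TrustedRootThumbprint = "0000000000000000000000000000000000000000";

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            var chain = new X509Chain();
            try
            {
                // Check revocation and apply the default trust/usage checks.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
                chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
                chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

                // Build() returns false on any chain error (untrusted root, expired, revoked, ...).
                if (!chain.Build(certificate))
                    throw new SecurityTokenValidationException(
                        "Client certificate chain is invalid: " + DescribeStatus(chain));

                // The last element of a successfully built chain is the self-signed root.
                X509Certificate2 root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
                if (!string.Equals(root.Thumbprint, TrustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
                    throw new SecurityTokenValidationException(
                        "Client certificate does not chain to the expected root CA.");
            }
            finally
            {
                chain.Reset(); // release native chain resources
            }
        }

        private static string DescribeStatus(X509Chain chain)
        {
            var parts = new System.Collections.Generic.List<string>();
            foreach (X509ChainStatus status in chain.ChainStatus)
                parts.Add(status.Status + " (" + status.StatusInformation.Trim() + ")");
            return string.Join("; ", parts);
        }
    }
}
```

Because Build() already requires the root to be in the machine's trusted root store, the thumbprint comparison narrows acceptance from "any trusted root" to exactly one CA; the HTTP.SYS server-certificate binding described in the answer is still required for the HTTPS endpoint to start.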
Your certificate is not configured properly. Follow the steps below.

Copy the thumbprint of the certificate and run the command below from a command prompt in elevated mode.

How to generate a GUID from the command prompt:

Open the Visual Studio command prompt and run the command below:
c:>uuidgen