The certificate specified in the X509Certificate EndpointIdentity can never be deserialized on the client side.

[fedotovrr]

EndpointIdentity in the server configuration:

<identity>
    <certificateReference x509FindType="FindByThumbprint" findValue="key" />
</identity>

Fragment of response with client side:

<Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate>content</X509Certificate>
        </X509Data>
    </KeyInfo>
</Identity>

Deserialization code:
https://github.com/dotnet/wcf/blob/main/src/System.ServiceModel.Primitives/src/System/ServiceModel/X509CertificateEndpointIdentity.cs#L62-L65

while (reader.IsStartElement(XD.XmlSignatureDictionary.X509Certificate, XD.XmlSignatureDictionary.Namespace))
{
    reader.MoveToContent();
    X509Certificate2 certificate = new X509Certificate2(Convert.FromBase64String(reader.ReadContentAsString()));

reader.MoveToContent does not go to X509Certificate content, ReadContentAsString will always return null

This leads to System.Security.Cryptography.CryptographicException: "m_safeCertContext is an invalid handle."

[mconnew]

That code should have been

X509Certificate2 certificate = new X509Certificate2(Convert.FromBase64String(reader.ReadElementString()));

This is most likely an artifact from when we first started porting WCF, a lot of the XmlReader api's were missing and we replaced them with what we thought were equivalents. Looks like we got this one wrong.