Problems you may encounter when using test certificates in WCF

Scenario:

The test certificates are created with MakeCert, for example:

makecert.exe -sr LocalMachine -ss MY -a sha1 -n CN=localhost -sky exchange -pe

makecert.exe -sr CurrentUser -ss MY -a sha1 -n CN=client -sky exchange -pe

1.  "Keyset does not exist"

Most probably the process account doesn't have permission to access the private key. For example, when hosting a WCF service in IIS, we need to grant "IIS_IUSRS" access to the certificate's private key. In the Certificates management console, right-click the certificate, then choose All Tasks, Manage Private Keys. There are also other options for managing the private key: winhttpcertcfg.exe, or the more complicated steps here: http://msdn.microsoft.com/en-us/library/aa702621.aspx.

2. "The caller was not authenticated by the service". Inner exception: "The request for security token could not be satisfied because authentication failed."

This is most likely caused by certificateValidationMode (revocationMode is also important):

http://msdn.microsoft.com/en-us/library/system.servicemodel.security.x509certificatevalidationmode.aspx

Something that may be confusing here: the root issuer of the test certificates is "Root Agency", and it may seem that this root cannot be trusted (chain building would fail, is that true??). This is not true; we can manually install Root Agency into the LocalMachine trusted authority store.
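
A diagnostic for both problems above, as an added example (not from the original post), assuming .NET Framework 4.6 or later. It looks up the CN=localhost certificate from the first makecert command, tries to open its private key, and builds the chain with revocation checking off and on so the failing status is printed.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class TestCertCheck
{
    static void Main()
    {
        // Store and subject match the first makecert command (LocalMachine\MY, CN=localhost).
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, because a test certificate may not chain to a trusted root yet.
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, "localhost", false);
            foreach (X509Certificate2 cert in found)
            {
                Console.WriteLine("{0}  thumbprint={1}", cert.Subject, cert.Thumbprint);
                CheckPrivateKey(cert);
                CheckChain(cert, X509RevocationMode.NoCheck);
                CheckChain(cert, X509RevocationMode.Online);
            }
        }
        finally { store.Close(); }
    }

    static void CheckPrivateKey(X509Certificate2 cert)
    {
        Console.WriteLine("  HasPrivateKey={0}", cert.HasPrivateKey);
        try
        {
            using (RSA key = cert.GetRSAPrivateKey())
                Console.WriteLine("  private key: {0}", key != null ? "accessible" : "not present");
        }
        catch (CryptographicException ex)
        {
            // Problem 1: an account without read access typically lands here.
            Console.WriteLine("  private key: {0}", ex.Message);
        }
    }

    static void CheckChain(X509Certificate2 cert, X509RevocationMode mode)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = mode;
            bool ok = chain.Build(cert);
            Console.WriteLine("  chain (revocation {0}): {1}", mode, ok ? "valid" : "invalid");
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.WriteLine("    {0}: {1}", s.Status, s.StatusInformation.Trim());
        }
    }
}
```

Run it under the same account as the service host, since private-key access depends on the calling account.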

Unrelated link: http://msdn.microsoft.com/en-us/library/aa702579.aspx

Original article: https://www.cnblogs.com/LeoTang/p/2707541.html