I have read at the link below that in PKI, the private key is used for signing (which indicates the client certificate's private key):
http://msdn.microsoft.com/en-us/library/ms731846.aspx
Now, if ClientCredentialType is not Certificate, then how are the messages signed in WCF?
The default ProtectionLevel in WCF is EncryptAndSign, as given at the MSDN link below:
http://msdn.microsoft.com/en-us/library/aa347692.aspx
The documentation at the above link says:
"If you select a binding that enables security and you do not set the ProtectionLevel property anywhere on the contract, all application data will be encrypted and signed."
So my concern is: if a secure binding like wsHttpBinding with a server certificate is used and ClientCredentialType is not Certificate, then how are the messages signed?
The only certificate available here is the server certificate, and I don't think that can be used for signing messages sent from client to server, because the private key won't be there with the client; only the public key of the server certificate is available to the client.