For an X.509-secured connection between a client and a SOAP server, the certificate in your store must have a private key attached, that is, a merged .pem (with the certificate) and .key (with the private key). The private key is the part delimited by these markers:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
The solution is to convert these two files to e.g. p12 format which contains both certificate and private key.
Do this by merging the files (just place one part over the other, or append the .pem file to the .key file).
Then fire up the console command:
openssl pkcs12 -export -in keyAndPem.merge -out out_file.p12
Import the .p12 file into Windows and you're good to go.
To check that your imported certificate has a private key along with it, look for this info in the properties of the certificate:
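The merge-and-export steps above as a script, with a check that the key really belongs to the certificate before the .p12 is built. This is an added example, not part of the original note; the function names, file arguments and the P12_PASS environment variable are assumptions, and the key file is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: build a .p12 from a PEM certificate and its private key,
# refusing to continue if the two do not belong together.
# Function names and the P12_PASS variable are assumptions for illustration.

# make_p12 CERT_PEM KEY_PEM OUT_P12   (export password is read from $P12_PASS)
make_p12() {
    cert=$1; key=$2; out=$3

    # Public key embedded in the certificate vs. public key derived from the
    # private key. If they differ, the key does not belong to this certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate" >&2
        return 1
    fi

    # Merge key + certificate into one file (mktemp creates it owner-only).
    merged=$(mktemp) || return 2
    cat "$key" "$cert" > "$merged"

    # Same export as in the text; the password comes from the environment so
    # it does not appear in the process list or shell history.
    rc=0
    openssl pkcs12 -export -in "$merged" -out "$out" \
        -passout env:P12_PASS || rc=$?
    rm -f "$merged"    # the merged file holds the unencrypted private key
    return $rc
}

# p12_has_key P12_FILE: succeeds only if the bundle contains a private key.
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        grep -q 'PRIVATE KEY'
}
```

Export P12_PASS before calling make_p12; the same password is what Windows asks for when the .p12 is imported.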
Using a certificate without a private key causes these errors in SOAP communication:
The private key is not present in the X.509 certificate;
error in System.IdentityModel.Tokens.X509AsymmetricSecurityKey.GetSignatureFormatter(String algorithm)