* After change server cert, make sure it is used in https setting in IIS.
* Check cert permission using winhttpcertcfg.exe or UI in mmc. For example, my portal's app pool uses Network Service account. To setup SSL channel with the web service server, I need to give "Network Service" account permission to both the server authentication cert and the client authentication cert on the portal server. It is easy for me to forget granting permission after updating a cert.
* Carefully check whether all certs on the chain exist. Note: I came across the situation where the cert status shows normal but actually one middle cert does not exist. Furthermore, I got server authentication cert and client auth cert from the same site so they have the same chain. When one middle cert does not exist, the server auth cert works fine but the client auth cert does not. So anything can happen.
* Whether the correct thumbprint is used in WCF's web.config.
* If any built-in accounts (e.g. networkservice, localsystem) are used, make sure the required cert is installed in LocalMachine and the web.config is searching cert in LocalMachine.