Standalone JAX-WS client with TransportWithMessageCredential without user/pass but with certificate

I have to implement a Java standalone client for an archaic SOAP WS implemented in ASP.NET 4.0.

The problem is the WS authentication. The WSDL is accessed without any credentials and is accessed using a certificate from a trusted authority, but the service requires authentication by a self-signed certificate. Here is the WSDL part:

<wsp:Policy wsu:Id="BasicHttpBinding_ITheirIntegrationService_policy">
 <wsp:ExactlyOne>
  <wsp:All>
   <wsoma:OptimizedMimeSerialization
    xmlns:wsoma="http://schemas.xmlsoap.org/ws/2004/09/policy/optimizedmimeserialization"/>
    <sp:TransportBinding
     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:TransportToken>
       <wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
       </wsp:Policy>
      </sp:TransportToken>
      <sp:AlgorithmSuite>
       <wsp:Policy>
        <sp:Basic256/>
       </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
       <wsp:Policy>
        <sp:Lax/>
       </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
     </wsp:Policy>
    </sp:TransportBinding>
    <sp:EndorsingSupportingTokens
     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
       <wsp:Policy>
        <sp:WssX509V3Token10/>
       </wsp:Policy>
      </sp:X509Token>
     </wsp:Policy>
    </sp:EndorsingSupportingTokens>
    <sp:Wss10
     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
     <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
     </wsp:Policy>
    </sp:Wss10>
   </wsp:All>
  </wsp:ExactlyOne>
 </wsp:Policy>

This is not the usual case where an SSL socket factory has to be put as the "com.sun.xml.ws.transport.https.client.SSLSocketFactory" or "com.sun.xml.internal.ws.transport.https.client.SSLSocketFactory" parameter of the binding provider, but, as far as I understand the configuration of the WS:

<security mode="TransportWithMessageCredential">
  <message clientCredentialType="Certificate"/>
</security>

the certificate must be added in the envelope's header similar to the standard user/pass credentials, so it should be done by implementing a handler (or interceptor, depending on the implementation)?

If the above is correct, how can this be done? My client is generated using the wsimport tool, but I also have a CXF-based implementation for testing, and it won't be a problem if that would be better.

My certificate is loaded, so I'm interested in what type of handler I should use and what should be put into the header.

PS: I've seen a C# client communicating with that WS, but only when the following configuration is made, and I don't quite understand why enabling the older protocols is needed:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12 | SecurityProtocolType.Ssl3;
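One way to build the header the policy above asks for, using the CXF variant the question mentions (an added example, not code from the question or from any answer): WSS4J adds a wsu:Timestamp, carries the client's X.509 certificate as a wsse:BinarySecurityToken (the X509Token with IncludeToken AlwaysToRecipient) and signs the Timestamp with the certificate's private key, which is the endorsing supporting token WCF expects for TransportWithMessageCredential with clientCredentialType="Certificate"; HTTPS still protects the body. The class name, the keystore alias and passwords, and the client-crypto.properties file are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public class CertificateCredentialClient {
    // Assumed WSS4J "Merlin" crypto properties on the classpath (client-crypto.properties):
    //   org.apache.wss4j.crypto.provider=org.apache.wss4j.common.crypto.Merlin
    //   org.apache.wss4j.crypto.merlin.keystore.type=pkcs12
    //   org.apache.wss4j.crypto.merlin.keystore.file=client.p12
    //   org.apache.wss4j.crypto.merlin.keystore.password=<keystore password>
    //   org.apache.wss4j.crypto.merlin.keystore.alias=client
    private static final String KEY_ALIAS = "client";      // assumed alias of the client key pair
    private static final String KEY_PASSWORD = "changeit"; // assumed private-key password
    private static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Call once with the port returned by the generated service class (e.g. getBasicHttpBinding_ITheirIntegrationService()).
    public static void configure(Object port) {
        Client client = ClientProxy.getClient(port);

        // WSS4J asks for the private-key password through a CallbackHandler; no user/pass goes on the wire.
        CallbackHandler keyPassword = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) cb).setPassword(KEY_PASSWORD);
                }
            }
        };

        Map<String, Object> props = new HashMap<>();
        // Order matters: the Timestamp is created first, then signed as the endorsing token.
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SIGNATURE);
        props.put(WSHandlerConstants.USER, KEY_ALIAS);
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_REF, keyPassword);
        // DirectReference: the certificate itself travels in a wsse:BinarySecurityToken that the Signature's KeyInfo points at.
        props.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");
        // Sign only the wsu:Timestamp; the transport (HTTPS) protects the rest of the envelope.
        props.put(WSHandlerConstants.SIGNATURE_PARTS, "{Element}{" + WSU_NS + "}Timestamp");
        // Basic256 in this policy implies RSA-SHA1 with SHA-1 digests (a constraint imposed by the server, not a choice).
        props.put(WSHandlerConstants.SIG_ALGO, "http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        props.put(WSHandlerConstants.SIG_DIGEST_ALGO, "http://www.w3.org/2000/09/xmldsig#sha1");

        client.getOutInterceptors().add(new WSS4JOutInterceptor(props));
    }
}
```

The resulting wsse:Security header contains, in order, a wsu:Timestamp, a wsse:BinarySecurityToken holding the certificate, and a ds:Signature whose single Reference covers the Timestamp; the server checks that signature against the certificate before the body is processed.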


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow