how to custom Policy Assertion for Both UsernameToken and x.509 certificates

See more:

WSE

certificate

password

I have a web-service and a client(web-service) both developed in c#.
I have managed to successfully get WSE 3.0 to use mutual x.509 certificates to sign and encrypt my messages.
I have also managed to successfully get WSE 3.0 to carry out user authentication via UsernameTokens.
The problem that I have is that I would like to have a mix of mutual x.509 certificates and UsernameTokens working within the same solution.
My client is itself a web-service that runs locally at user sites and acts as a geteway to my central service.
My hope is to have one client x.509 certificate per site.
I want to use x.509 certificates to encrypt the data and sign with a signature that represents which client site the request has come from. I also want to identify and verify the individual user that made the request via UsernameTokens.
It seems that the 'setup-wizard' for WSE only allows me to choose either certificate based or username based authentication as opposed to both certificate based and username based authentication.
I would be grateful if anyone could point me in the right direction to achieve this.