I've setup such a client which by now runs 30 hours, now and then i grab it and send a signed mail. No issues so far.
While this won't help you too much, just thinking, do you by chance have some sort of (group-)policy which might distribute or in any form tamper with certificates? Do you have a chance to check with a vanilla client (no domain, no WS management, no virus scan)?