Can't persuade Rampart to send certificate serial + issuer - only either BinaryToken or Identity

I tried playing with WS-Policy to set InitiatorToken Never, and got Rampart to send the cert identity for WS-Security signing.
But setting ws10 and ws11 to require serial/issuer TokenReference support, and setting the InitiatorToken to use it, didn't work - still, the identity was sent.
It's a problem for me because on the recipient side I have to be specific about what form the cert will come in, and I have 2 WS clients. I don't want to deploy the service twice just for that.
Maybe it's just the version of Rampart and it's been fixed since Synapse snapshot 17th Oct - I'll see with the next binary.