I developed a web site in CGI/Perl on a SuSE Linux box on our internal network. Its purpose is to gather/edit information for an employee's possession of company assets (laptops, cell phones, etc.).
Background: I used OpenSSL/Apache to use SSL server/client certificates to automatically determine who is viewing the site. Every employee is required to run the Secude PSE tool on their workstation; we call it SSO: Single sign-on because it's used for other applications, too. When logged into the PSE tool, it automatically puts a client certificate into the browser. My server has a matching server certificate from the same CA. When the certs match, I can get the employee's ID out of the client cert key. I have a database that converts employee ID to real name, email address, etc.
The problem I'm having is that only some people experience a "Page cannot be displayed" error, which is traced back to my error_log with many entries like:
Actually, you're right on the money. I just figured out that this PSE Management tool has an option to put client certs in the Microsoft cert store. A lot of people were forced upon login to change their PSE password and for some reason this option gets disabled, thereby having no certs for SSL.
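The failure mode discussed in this thread (a browser arriving with no client certificate) can be surfaced to the user instead of ending in a bare browser error. The following is an added example, not code from the original posts: it assumes Apache mod_ssl is configured with `SSLVerifyClient optional` and `SSLOptions +StdEnvVars`, and that the employee ID is stored in the certificate subject CN (the thread does not say which field is used).

```perl
#!/usr/bin/perl
# Added example, not the poster's code.
# Assumes mod_ssl with "SSLVerifyClient optional" and "SSLOptions +StdEnvVars",
# so this CGI still runs when the browser sends no certificate.
use strict;
use warnings;

# Classify the client-certificate state from mod_ssl's environment variables.
# Returns (status, employee_id); employee_id is undef unless status is 'ok'.
sub client_identity {
    my ($env) = @_;
    my $verify = $env->{SSL_CLIENT_VERIFY} // 'NONE';

    # NONE: no certificate sent. Anything other than SUCCESS (for example
    # "FAILED:reason" or "GENEROUS") means the chain did not validate.
    return ('no_cert',  undef) if $verify eq 'NONE';
    return ('rejected', undef) if $verify ne 'SUCCESS';

    # Assumption: the employee ID is the subject CN and is alphanumeric.
    # Validate strictly before it is used as a database lookup key.
    my $cn = $env->{SSL_CLIENT_S_DN_CN} // '';
    return ('bad_subject', undef) unless $cn =~ /\A([A-Za-z0-9]{1,32})\z/;
    return ('ok', $1);
}

my %message = (
    no_cert     => 'No client certificate was presented. Check that you are '
                 . 'logged in to the PSE tool and that its option to put '
                 . 'client certs in the Microsoft cert store is enabled.',
    rejected    => 'Your client certificate could not be verified.',
    bad_subject => 'Your certificate does not contain a usable employee ID.',
);

my ($status, $id) = client_identity(\%ENV);

print "Status: 403 Forbidden\r\n" if $status ne 'ok';
print "Content-Type: text/plain\r\n\r\n";

if ($status eq 'ok') {
    print "Authenticated as employee $id\n";
} else {
    # Goes to Apache's error_log, so affected users can be counted per cause.
    my $verify = $ENV{SSL_CLIENT_VERIFY} // 'unset';
    warn "client cert check failed: $status (SSL_CLIENT_VERIFY=$verify)\n";
    print $message{$status}, "\n";
}
```

With `SSLVerifyClient require` the TLS handshake itself fails when no certificate is offered, so no CGI code runs and the user sees only the browser's generic error page.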