We're looking to implement two-way authentication with client certificates for a privileged subset of our application users. The idea will be that if a certificate is detected, the user will be asked for an additional password/PIN and that will be used to verify the certificate and user. Ordinary users will continue to authenticate themselves via the standard login mechanism.
Our production environment (hosted by a well-known company) comprises load-balanced application servers and I'm unclear as to how this set-up will handle the certificates, and I'm not certain if there are any pitfalls I should be aware of. I would very much appreciate some thoughts, comments or real-world advice on the subject.
Client certificate authentication needs special consideration if you're using an SSL-terminating load balancer, since the load balancer isn't capable of authenticating to the backend web server with the client's certificate.
Java's AJP handles this well, as the information about the client cert is passed on, but most HTTP load balancer/transport deployments don't have this capability. Depending on what the load balancer software is (and whether you control that aspect of the environment), you may be able to work out a mechanism to feed information about the client cert back to the web server.