If you're using an intermediate certificate (your server certificate isn't signed by one of a browser's default trusted root certificate authorities but is signed by an issuer who is in turn signed by a trusted CA), web browsers can improperly cache expired copies of the intermediate certificate. This can occur if the user has previously clicked 'Trust site permanently' on a site that uses the same intermediate certificate authority.

Solution: Remove the expired cached copy of the intermediate certificate from the browser's SSL configuration.
Client Authentication is enabled but browser doesn't prompt for certificate
During the SSL handshake, the web server informs the browser of which Certificate Authorities it trusts, to assist the browser in selecting the correct client certificate. If the browser detects that none of the user's client certificates would be validated given the list of certificate authorities sent by the server, the browser will NOT prompt the user for a certificate.

If a subset of the user's client certificates can be validated by the server's list of certificate authorities, the browser will display that partial list of certificates to the user.

Solution: The issuer of the client certificates must be added as a trusted Certificate Authority in the server's KeyFile.
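As an added illustration (not part of the original FAQ), the script below reproduces the browser's selection step described above: it reads the "Acceptable client certificate CA names" that `openssl s_client -connect host:port` prints for a server, compares them with the issuer of each client certificate the user holds, and reports which certificates a browser would offer. The s_client excerpts and the certificate nicknames and issuer DNs are constructed sample data.

```python
import re

# Constructed excerpt of `openssl s_client -connect host:port` output for a
# server that advertises one CA in its TLS CertificateRequest.
S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
C = GB, O = Example Corp, CN = Example Corp Internal CA
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
"""

# Constructed excerpt for a server that sends an empty CA list.
S_CLIENT_NO_CA_OUTPUT = """\
---
No client certificate CA names sent
---
"""

# Constructed: nickname -> issuer DN of each client certificate the user holds.
CLIENT_CERT_ISSUERS = {
    "alice-internal": "C = GB, O = Example Corp, CN = Example Corp Internal CA",
    "alice-partner": "C = US, O = Partner Inc, CN = Partner Inc Users CA",
}

def acceptable_ca_names(s_client_text):
    """CA names the server advertised; [] means the list was empty."""
    match = re.search(
        r"Acceptable client certificate CA names\n(.*?)\n"
        r"(?=Requested |Client Certificate Types|---)",
        s_client_text, re.S)
    if not match:
        return []
    return [line.strip() for line in match.group(1).splitlines() if line.strip()]

def normalize_dn(dn):
    """Canonicalise 'C = GB, O = X' style DNs so spacing differences don't matter."""
    return ",".join(re.sub(r"\s*=\s*", "=", p.strip()) for p in dn.split(","))

def certs_browser_would_offer(s_client_text, client_cert_issuers):
    """Certificates a browser would show in its prompt for this server.

    An empty advertised list means any issuer is acceptable (RFC 5246, 7.4.4),
    so every certificate is offered; otherwise only those whose issuer matches.
    An empty result is exactly the 'browser doesn't prompt' case from the FAQ.
    """
    accepted = {normalize_dn(n) for n in acceptable_ca_names(s_client_text)}
    if not accepted:
        return sorted(client_cert_issuers)
    return sorted(name for name, issuer in client_cert_issuers.items()
                  if normalize_dn(issuer) in accepted)

if __name__ == "__main__":
    print(certs_browser_would_offer(S_CLIENT_OUTPUT, CLIENT_CERT_ISSUERS))
```

Replace the embedded excerpt with the real s_client output for your server; if the client certificate's issuer (from `openssl x509 -in client.pem -noout -issuer`) does not appear in the list, the issuer still needs to be added to the server's KeyFile.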