We used SSL client certificates for the 2008 Olympics ticketing systems. What a nightmare.
It's hard to know how much to blame on Windows & how much has changed since then, but they were a never-ending source of pain. We had to provision & manage 1,000+ workstations, dispersed not only through Beijing, but all of China. We couldn't find a way to install the certs as part of the imaging process, so we attempted to automate as much as we could. Only on Windows (XP, I believe) you couldn't automate the entire installation. So we had to print up instructions & try to make it understandable to bank tellers. (Olympic points of sale were located at various Bank of China branches.)
Additionally, each certificate was stored with a specific Windows account. So either accounts had to be shared, or we had to provision each machine for the dozens of tellers who might use it. (As well as making sure the process was easy when someone new started. And that the certs were revoked when they left. Again ugh.)
BTW, did you know that Java on Windows XP w/ the Chinese language pack has a different default classpath than Chinese Windows XP? One of the other joys we discovered.
Actually, maybe the moral of the story here isn't client certs, but rather that Windows does.