<snip> I think I will have to give up and duplicate client certificates on both servers. If I am right, the information obtained from the browser certificate chain will not be enough for establishing a secure connection with the backend server, as it lacks the key necessary to encrypt / decrypt the messages :-( </snip>
I think you are right, your "middle-tier" (front-end) web service cannot sign the client's certificate when asked for it by the back-end service. If you can configure the back-end to trust the front-end, and the front-end trusts the client certificate, maybe you can send some end-user information (e.g. the DN of the end-user certificate) to the back-end along with your request, and as the back-end trusts you, this information can be regarded as trustworthy. But I think that depends on you being able to tweak the back-end service.

Hope this helps

Keith
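The back-end side of the arrangement Keith sketches, as an added example that is not code from the thread: the back-end verifies the front-end's TLS client certificate (standard `ssl` verification, not shown), then accepts the forwarded end-user DN only when the verified peer is an allow-listed front-end, so a caller that reaches the back-end directly cannot impersonate an end user by setting the header. The header name, the front-end DN and the sample certificates are assumptions constructed for the example.

```python
# Added example (not from the thread). Back-end logic for trusting a
# forwarded end-user DN only when it arrives from a trusted front-end.
# peer_cert uses the dict layout returned by ssl.SSLSocket.getpeercert():
# 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
from typing import Optional

# Header the front-end is assumed to set with the end-user certificate's DN.
FORWARDED_DN_HEADER = "X-Client-Cert-DN"

# Subjects of the front-end certificates the back-end trusts (assumption).
# The CA check happens in the TLS layer; this allow-list narrows it further.
TRUSTED_FRONTENDS = {
    "C=GB,O=Example Ltd,CN=frontend.example.internal",
}

_SHORT = {"countryName": "C", "organizationName": "O", "commonName": "CN",
          "organizationalUnitName": "OU", "stateOrProvinceName": "ST",
          "localityName": "L"}


def peer_subject_dn(peer_cert: dict) -> str:
    """Flatten the getpeercert() 'subject' field into a comma-joined DN string."""
    parts = []
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            parts.append(f"{_SHORT.get(key, key)}={value}")
    return ",".join(parts)


def end_user_dn(peer_cert: Optional[dict], headers: dict) -> Optional[str]:
    """Return the end-user DN the back-end may rely on, or None.

    The forwarded header is honoured only when the TLS peer presented a
    verified certificate whose subject is an allow-listed front-end.
    Any other caller's header is ignored, never passed through.
    """
    if not peer_cert or peer_subject_dn(peer_cert) not in TRUSTED_FRONTENDS:
        return None
    dn = headers.get(FORWARDED_DN_HEADER, "").strip()
    return dn or None


# Constructed sample data: a trusted front-end cert and an unrelated cert.
FRONTEND_CERT = {"subject": ((("countryName", "GB"),),
                             (("organizationName", "Example Ltd"),),
                             (("commonName", "frontend.example.internal"),))}
OTHER_CERT = {"subject": ((("commonName", "someone.else"),),)}
HEADERS = {FORWARDED_DN_HEADER: "CN=alice,O=Example Ltd,C=GB"}

if __name__ == "__main__":
    print(end_user_dn(FRONTEND_CERT, HEADERS))  # CN=alice,O=Example Ltd,C=GB
    print(end_user_dn(OTHER_CERT, HEADERS))     # None: header from untrusted peer
```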
