I would like to grab a pki certificate when a request happens in jersey / spring. I tried doing:
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;

@GET
@Path("/testCert")
@Produces("text/plain")
public String testCert(@Context HttpServletRequest request)
{
    // The servlet container exposes the client certificate chain under this
    // attribute; it is null when no client certificate was requested or presented.
    X509Certificate[] certs = (X509Certificate[]) request
            .getAttribute("javax.servlet.request.X509Certificate");
    return "Running... \n";
}
But that didn’t grab my cert out of the browser, and I don’t know what else to try.
The browser won’t send the client certificate unless requested by the server, and you typically need to modify the default server configuration to request a client certificate. For instance, in Tomcat you need to add the attribute clientAuth=true to the Connector element that defines your HTTPS listener. You can also use clientAuth=want* to request a client certificate, but still allow an unauthenticated connection.

If you have your server set up to request a client certificate and it’s still not being sent, then you might need to set up the browser and/or server to trust the other’s certificate. This is especially relevant if you’re using self-signed certificates — that definitely won’t work without importing the client certificate into the browser trust store.

The Tomcat SSL How-to is a good starting point for additional information, some of which is not specific to Tomcat; if you’re using a different server you’ll obviously need to hunt down its documentation for configuration options.

If all else fails, you can pass -Djavax.net.debug=ssl on the command line to get some insight into what’s going on at the SSL layer.

* Older Tomcat versions used optional to invoke this behavior. Consult the documentation for your specific Tomcat version to determine the correct property.
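As an added example (not code from the question or the answer above), here is how the resource method can distinguish the cases the answer describes: the request did not arrive over TLS at all, the connector never asked for a client certificate (so the attribute is null), or a chain was presented and can be reported. It assumes Jersey 2 on a Servlet container such as Tomcat with the javax.ws.rs / javax.servlet packages (Jersey 3 moved to jakarta.*); the class name ClientCertResource and the helpers describe and error are names chosen here, not part of any framework API.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

@Path("/testCert")
public class ClientCertResource {

    // Servlet-spec attribute name under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @GET
    @Produces("text/plain")
    public String testCert(@Context HttpServletRequest request) {
        // A client certificate can only have been negotiated on the HTTPS listener;
        // on a plain HTTP connector the attribute is meaningless.
        if (!request.isSecure()) {
            throw error(Response.Status.FORBIDDEN, "client certificates require an HTTPS connection");
        }

        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // This is the situation in the question: the connector never requested a
            // client certificate (no clientAuth=true / clientAuth=want), or the browser
            // had none to offer, so the container stored nothing under the attribute.
            throw error(Response.Status.UNAUTHORIZED, "no client certificate was presented");
        }

        X509Certificate[] chain = (X509Certificate[]) attr;
        return describe(chain);
    }

    /** Summarise the presented chain; element 0 is the client's own (leaf) certificate. */
    static String describe(X509Certificate[] chain) {
        X509Certificate leaf = chain[0];
        try {
            // The container already validated the chain against its trust store during
            // the TLS handshake; re-checking the validity window is a cheap sanity check.
            leaf.checkValidity();
        } catch (CertificateException e) {
            throw error(Response.Status.UNAUTHORIZED,
                    "client certificate is not currently valid: " + e.getMessage());
        }
        StringBuilder sb = new StringBuilder();
        sb.append("subject:      ").append(leaf.getSubjectX500Principal().getName()).append('\n');
        sb.append("issuer:       ").append(leaf.getIssuerX500Principal().getName()).append('\n');
        sb.append("serial (hex): ").append(leaf.getSerialNumber().toString(16)).append('\n');
        sb.append("expires:      ").append(leaf.getNotAfter()).append('\n');
        sb.append("chain length: ").append(chain.length).append('\n');
        return sb.toString();
    }

    // Build a plain-text error response with the given status.
    private static WebApplicationException error(Response.Status status, String message) {
        return new WebApplicationException(
                Response.status(status).type("text/plain").entity(message + "\n").build());
    }
}
```

Which branches are reachable depends on the connector setting the answer mentions: with clientAuth=true a browser that has no certificate fails the TLS handshake and never reaches the servlet, so the UNAUTHORIZED branch is only ever hit under clientAuth=want, where an unauthenticated connection is allowed through and the application has to decide what to do with it.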