You can authenticate a browser/user using SSL/TLS client-certificate authentication.

The client certificate must be requested by the server, so you’d need access to the server configuration (not just installing some PHP code on a shared server). This is done at the SSL/TLS layer (in fact, the mechanism is not specific to HTTPS): the server requests the client-certificate during the SSL/TLS handshake (sometimes via a renegotiated handshake). In Apache Httpd, this is typically done via SSLVerifyClient (although you’ll need to specify other options too).

The server will then verify the certificate against the CAs you’ve configured it with (possibly your own, and possibly independent of the CAs used for the server certificate itself). (Alternatively, you could disable certificate verification at the server level in some cases, and have the PHP application do it, but this is a bit more advanced and you’d need to know what you’re doing.)

You can access the client certificate from your application and obtains its Subject DN (or alternative names), to identify the client.

It’s not clear whether you’re after identifying a browser or a user. In the end, everything goes through the browser anyway, but client certificates tend to be allocated to users. Users would have to install that certificate into their browser.

EDIT: For further details, it would help if you could clarify your question and what you intend to do with this.

Is it possible to authenticate a web browser using an ssl certificate.

Say i store a private key in my application, is there any way to read
a key from a browser and try to authenticate based on that?

Firstly, strictly speaking, there’s no such thing as an “SSL certificate”, since multiple types of certificates can be used for SSL/TLS, and some of these same certificates can also be used for other purposes than SSL/TLS. Typically, “SSL certificate” means “X.509 certificate in the context of SSL/TLS”.

Therefore, authenticating a web browser using an SSL certificate implies doing it at the SSL/TLS layer. (There have been attempts to implement message-level security using X.509 certificates at the HTTP layer, but they’re not widely supported by browsers.)

Secondly, the private key is held by the remote party that you authenticate. The local party that authenticates the remote party doesn’t see any private key. If you (as a server) want to authenticate a web browser, it’s the browser that needs to have the private key, not your (presumably PHP) application. In this context, it’s not quite clear why your (PHP?) application would have/need a private key if it’s the browser that you want to authenticate.

What your verifying application may need (if it’s not done by the server itself) is a CA certificate to be able to verify the client certificate it is presented with (or at least some form of trust anchors with which to verify the client certificate). There’s no private key required here, just public keys and certificates, unless you want your application to be a CA too.

Indeed, you could have your application be a mini CA. It could make the browser generate a key-pair and send a certificate request to the server (there are mechanisms to have a web page make the browser do all that). Then the server would generate the certificate and make the browser import it back against its private key. Subsequently, the browser could use this certificate for authentication with that server (or other servers that would recognise these certificates).