SSL Self-Signed CA Certificates and PHP Issue/Authentication

I've been writing an authentication routine in PHP to allow company users to access a new tool over Internet. I've got most everything figured out, but when it comes to how to safely 'remember' an authenticated user between sessions, I'm curious about something.

Based on the dearth of information surrounding it, I get the feeling not a lot of people use client-side SSL certificates to verify if a user is coming from a trusted computer. In my mind, so long as you can get the user to trust your CA (not an issue inside a company), why isn't there a nice, simple way to request, sign, issue, and install a new client cert that helps prevent MITM much better than say a cookie would?

I'm not exp开发者_JAVA百科ecting the client cert to be the end all be all, but is there some resource I am missing that would help further me along down this path? Or is the rabbit hole far too deep and the only thing my exhaustive searches lack is the word "nightmare" to expose how crappy this really is?

Thanks!

A lot of people use client-side certificates. Pretty much the entire US Federal Government does.

The problem is that it takes a lot of know-how to do it correctly. But, done correctly, it works great, and can provide far stronger security than password based authentication.