I've spent the last several days getting this to work. I finally was
able to create a self-signed CA certificate for my secure webserver.
The server key is not password protected, as this is strictly for
testing. I then created a client certificate and signed the signature
request using the server CA certificate. The private key for the
client certificate is password protected. I have p12 versions of this
certificate in my browsers, and a PEM versions of the certificate and
key files for cURL 7.13.x testing. All this was done with OpenSSL
0.9.7e.

My ssl-enabled apache2 (2.0.52) webserver is running mod_ssl. I have
it configured for strong and medium ciphers only with client
authentication required.

This is where it gets interesting. The client certificates are
installed in both firefox and IE, they can both connect and
authenticate properly. I know this only because if I remove the
certificates I cannot connect to my webserver. Neither browser
requires me to enter the password for the private key (didn't upon
installation either).

cURL, however, is exhibiting the behavior I completely expected and
wanted. It absolutely positively will not allow me to connect to the
server without including the private key and password. What is cURL
doing right that the browsers are doing wrong?

I apologize if this is not the place for this. Please inform me if an
openssl forum is a better place.

-- 
Cheers... s.e.t.i.