When Portal makes web requests to other secure services (e.g. a print task that calls a map service), it doesn't use the client cert loaded via /arcgis/portaladmin/security/sslCertificates.
It looks like Portal adds these certs to a keystore (C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks). This keystore seems legit after testing it programmatically outside Portal to create an SSL context and make web requests with.
Portal, however, isn't using them as a client with requests it makes. Is this normal?
For example, in the ArcGIS Server logs for a Print gp task that is calling a secure map service, we get an error like:
A certificate is required to complete client authentication (WinINet ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED, 12044), URL = <SECURE_MAP_SERVICE_BEHIND_WEBTIER_AUTH>
The closest post on this seems to be https://community.esri.com/message/655741-push-json-to-an-external-website-adapter-does-not-work-if-... where MBramer-esristaff mentions HTTPS connections requiring client certificates.
After some investigation I found the ARCGIS_JAVA_OPTS environment variable in C:\Program Files\ArcGIS\Portal\framework\runtime\tomcat\bin\catalina.bat.
Including the following JVM settings made Portal use the client PKI cert in the keystore:
ARCGIS_JAVA_OPTS = -Djavax.net.ssl.keyStore="C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks" -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=* -Djavax.net.ssl.trustStore=* -Djavax.net.ssl.trustStorePassword=*
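The kind of out-of-Portal keystore check described above can be done with a short Java program. This is an added example, not code from the post or from Esri: the class name `ClientCertCheck` and the `KS_PASSWORD` environment variable are hypothetical, and it assumes the key password is the same as the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example. Usage: KS_PASSWORD=... java ClientCertCheck <keystore.jks> <https-url>
// The password is read from the environment so it does not appear in the process list.
public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KS_PASSWORD"); // hypothetical variable name
        if (args.length != 2 || pw == null) {
            System.err.println("usage: KS_PASSWORD=... ClientCertCheck <keystore.jks> <https-url>");
            System.exit(2);
        }
        char[] password = pw.toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        // Only entries that hold a private key can be presented for client
        // authentication; trusted-certificate entries cannot.
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keyEntries++;
            System.out.printf("%-30s %s%n", alias, isKey ? "private key entry" : "trusted cert only");
        }
        if (keyEntries == 0) {
            System.err.println("No private key entries: nothing to present as a client certificate.");
            System.exit(1);
        }
        // Build an SSLContext whose key manager offers the keystore's client cert.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // assumes key password == store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // null = JVM default trust store

        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[1]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The `javax.net.ssl.keyStore*` system properties feed the JVM's default SSLContext in the same way, so a keystore that fails here will also fail when supplied through those properties.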