When Portal makes web requests to other secure services (e.g. print task that calls a map service), it doesn't use the client cert loaded via /arcgis/portaladmin/security/sslCertificates.
It looks like Portal adds these certs to a keystore (C:\Program Files\ArcGIS\Portal\etc\ssl\portal.ks). This keystore seems legit after testing it programmatically outside Portal to create a SSL context and make web requests with.
Portal however isn't using them as a client with requests it makes. Is this normal?
For example, in the ArcGIS Server logs for a Print gp task that is calling a secure map service, we get an error like:
A certificate is required to complete client authentication (WinINet ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED, 12044), URL = <SECURE_MAP_SERVICE_BEHIND_WEBTIER_AUTH>