https client certificate logout/relogin

Published 2019-03-18 16:15

Question:

I have a web site using SSL certificate authentication. How can the server force the web browser to ask again which certificate to use? It would be usable for logout, but the use case here is switching user identity.

I remember something about directing the user to a page which has SSL settings incompatible with the current authentication certificate, but could not find the right settings.

My setup uses apache mod-ssl, but an IIS solution would also be welcome.

Update: I am specifically asking about the server side: how to set up a URL on the same hostname that requires client certificates but rejects all certificates.

For Firefox, javascript:window.crypto.logout(); does work with minor user inconvenience (which I believe could be scripted around).

Answer 1:

This is rather difficult in general (and certainly one of the reasons why client-certificate usage can be tedious for most users).

From the client side, there are some JavaScript techniques, but they are not supported across the board (see this question).

Using Apache Tomcat 7, you can invalidate the SSL/TLS session using a request attribute, as described in this question.

I'm not aware of any hook that would let you do this with Apache Httpd (and mod_ssl). The mechanisms usable behind Apache Httpd (e.g. mod_php, CGI, FCGI, ...) generally don't get to alter any settings or environment variables set by mod_ssl, which would be necessary to invalidate the session.

On IIS, this question is still unanswered.

The general way, from the browser point of view, is to go into its settings and clear the SSL state (this varies depending on the browser, but usually requires a couple of dialog boxes at least, not just a quick button, at least not without a plugin).
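The Tomcat mechanism mentioned above, as an added example that is not from the answer author: a servlet (its path `/tls-logout` and class name are assumptions) that fetches Tomcat's `SSLSessionManager` from the request attribute `javax.servlet.request.ssl_session_mgr` and invalidates the current TLS session, then closes the connection so the next request must run a full handshake. It assumes Tomcat 7 or later with tomcat-coyote available at compile time.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.tomcat.util.net.SSLSessionManager;

// Hypothetical logout endpoint (path and class name are assumptions) that
// invalidates the current TLS session so the next request does a full handshake.
@WebServlet("/tls-logout")
public class TlsLogoutServlet extends HttpServlet {

    // Request attribute under which Tomcat exposes its SSLSessionManager
    // (the SSLSupport.SESSION_MGR constant in Tomcat).
    private static final String SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Also drop the application session: a TLS re-handshake alone does not
        // log the user out if the app still trusts its own session cookie.
        if (req.getSession(false) != null) {
            req.getSession(false).invalidate();
        }

        Object mgr = req.getAttribute(SESSION_MGR);
        if (mgr instanceof SSLSessionManager) {
            // Removes the server-side TLS session cache entry, so session
            // resumption with this ID is refused on the next connection.
            ((SSLSessionManager) mgr).invalidateSession();
        }

        // Close the connection so the browser cannot keep reusing the
        // already-authenticated TLS connection for later requests.
        resp.setHeader("Connection", "close");
        resp.setContentType("text/plain");
        resp.getWriter().println("TLS session invalidated; reconnect to authenticate again.");
    }
}
```

Whether the browser prompts for a certificate again on the new handshake depends on its own certificate-selection settings; if it remembers the previous choice, it will silently present the same certificate.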



Answer 2:

From a client-side web browser you can do this for MSIE (Internet Explorer): you can clear the SSL state by going to Tools>Internet Options>Content(tab)>Clear SSL State.

In Firefox (prior to version 20) you can do: Tools | Start Private Browsing.

Then visit the page in question. Or then do "Tools | Stop Private Browsing" and then...

Then, when you reload a page you're on, it will prompt you to present a new client certificate (if you have more than one from the CA that your server trusts). Otherwise, if you just have one certificate, it will use the one and only PKI client cert that is in your store.



Answer 3:

For logout read this post: https://security.stackexchange.com/questions/36853/is-it-possible-to-force-a-new-ssl-session#

On the client side, SSL sessions are normally kept in RAM. Internet Explorer, for instance, internally consists of several processes that talk to each other, and you have to kill them all to make it forget an SSL session (in practice, this happens only when you have closed all the IE windows).

An alternative can be to close the browser with JavaScript.