My scenario is kinda easy to explain: we need to call 3rd party services (e-Gov) which are accessible only through mutual authentication, but we don't have the certificate. The platform user is the one who owns it. He has it installed in his browser, one way or another.
It would be easy (although insecure) if the user could upload his certificate to our server, but this is not an option. As each user must use his own certificate, things get even harder.
So, an idea came to my mind and, before digging any further (build testing servers/certificates/etc), I'd like to know if it's possible, at least in theory.
Would it be feasible to send the SOAP request payload to the user's browser, build and execute the requests "client-side", making use of the browser's installed certificates, and forward the service reply back to my server? Or would I be blocked by cross-site request forgery or something alike?