I was able to verify that the script works with Firefox. Here is what I did to configure it:
1. Used the EasyRSA package to simulate an organization's PKI. I generated a CA cert with it and issued a client certificate + key pair for a test user.
2. I placed the CA's certificate in `/etc/certs/chain_cert.pem` (by default the script will check this location for the trust chain it will use to verify the certificate presented by the client; I suppose that means only certificates signed by this one CA will be accepted?)
3. Disabled all validation methods except for `use_generic_validator` in the script's properties
4. Converted the key and cert issued at step 1 to a pfx file: `# openssl pkcs12 -export -out gluuadmin.pfx -inkey gluuadmin.key -in ./gluuadmin.crt -certfile ./my.host.loc_CA.crt` (didn't set any password)
5. Imported this `gluuadmin.pfx` into my browser as a personal certificate
6. Set the script as the default auth method and restarted tomcat to make sure every change is applied.
Then, on attempting to access the login page, I was presented with a new screen informing me that login with a certificate will happen. Clicking the "Login" button there first took me to a warning page, explaining that the flow had failed and providing a lot of info on why that could be. In my case, I just had to remove "Active logins" using the "Clear recent history" tool of Firefox. In other cases a browser restart may help.
After that, on clicking this "Login" button I was presented with a pop-up asking me to confirm using my personal cert for authentication, with an option to persist my choice. Then I was asked to provide my usual login/password for this user (enrol step). On the next login attempts it didn't ask for creds any more; I was just logged in right away.
Unfortunately, I couldn't make it work with Chrome. Browser restarts didn't help; it kept telling me that I either didn't have a cert imported into the browser, or I had already chosen not to provide it to this site. The latter is quite possible, and was the same for Firefox at first, but for Chrome I didn't find how to reset it.
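
An added example, not part of the original post and not the script's own code: it reproduces the trust-chain setup from step 2 with throwaway certificates and shows how a chain check against a single CA file treats a client cert from that CA versus one from another CA. It assumes `openssl verify` behaves like the script's validator; all CA and client names, and the second "Unrelated CA", are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CAs and certs in a temp dir; every name is made up.
# Assumption: `openssl verify` stands in for the script's own chain validation.
set -eu

make_ca() {        # $1 = CA directory, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {   # $1 = CA directory, $2 = output prefix, $3 = client CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# Exit status 0 only if the cert chains to a CA present in the trust file.
chains_to() {      # $1 = trust chain PEM, $2 = client cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

build_pki() {      # $1 = empty working directory
  mkdir "$1/org" "$1/other"
  make_ca "$1/org" "Demo Org CA"
  make_ca "$1/other" "Unrelated CA"
  issue_client "$1/org" "$1/gluuadmin" "gluuadmin"
  issue_client "$1/other" "$1/stranger" "stranger"
  cp "$1/org/ca.crt" "$1/chain_cert.pem"   # plays the role of /etc/certs/chain_cert.pem
}

report() {         # $1 = trust chain PEM, $2 = client cert
  if chains_to "$1" "$2"; then echo "$(basename "$2"): accepted"
  else echo "$(basename "$2"): rejected"; fi
}

work=$(mktemp -d)
build_pki "$work"
report "$work/chain_cert.pem" "$work/gluuadmin.crt"   # signed by the CA in the file
report "$work/chain_cert.pem" "$work/stranger.crt"    # signed by a CA not in the file

# A chain file may hold several CA certs; appending one widens what is trusted.
cat "$work/other/ca.crt" >> "$work/chain_cert.pem"
report "$work/chain_cert.pem" "$work/stranger.crt"
rm -rf "$work"
```

Because every CA certificate in the chain file becomes a trust anchor for client login, the file's contents and write permissions are worth reviewing whenever it is changed.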