Note that while in theory all these answers are correct, setting up your own
CA and issuing your own client certs does have its quirks. Firstly, you need
to make sure that the "Certificate Revocation List" (CRL) is installed on
the web server that you are using your client certs against. Failure to do
this will mean that the server cannot access the CRL via the internet (I am
assuming it's not internet visible) and so not be able to access the CRL to
see if the client cert has been revoked. In this scenario, it assumes all
certs are invalid and rejects everything. We spent some time just figuring
this little trick out. Also, make sure you set up a certificate trust list
so that the server "trusts" your self-signed CA certs and therefore also
accepts client certs from your CA.
Finally, if running Win2k, make sure any hotfixes have *all* dependent fixes
installed, or that the Win2k box is up to SP3 or above. In one instance, our
server team had installed a series of patches, except one, and this omission
also caused the server to reject all client certs. Yet more weeks of time
debugging this.
I guess what I am trying to say is that in each case, the same error (client
certificate revoked) was shown even though the problem resolution was
different. It can be a lot trickier than you realise, but certainly possible
to get going.