Wednesday, November 24, 2010

Authenticating web clients with SSL certificates

HTTPS allows clients to make sure that the traffic they send to and receive from the web server is encrypted, so no one can peek at it while it traverses the network. It also lets the client verify, by checking who signed the SSL certificate, that it is talking to the web server it wants to talk to, and not to a fake, forged or impostor server. This is good for client security.

However, you may also want to make sure that the web server is serving the right client, and not an impostor. You can control this with username and password authentication, but what if a former employee still knows the credentials and accesses your system from another location? You may want to make sure that your system is only accessed from particular clients. There are several strategies to achieve this, the simplest of which is IP filtering, but that just doesn't cut it, especially if you have dynamic IP addresses or there is heavy NATting around. So, how do you authenticate the client machine? Maybe even the web browser from which your application is being used?

The answer is SSL client authentication. Your web browser has a certificate installed. When it wants to access your web server, it must present that certificate and prove that it holds the matching private key. The web server verifies the certificate, and if it does not like it, it refuses to serve content.
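As an added example (not part of the original post or the linked page), here is a small shell script using the openssl CLI that creates a private CA, issues a browser-importable client certificate, and performs the same chain check the web server does on a presented certificate. The CA names, the user names alice and mallory, and the PKCS#12 password are all constructed for the demo.

```shell
#!/bin/sh
# Added example: a minimal private CA for browser client certificates and the
# server-side check (chain validation against the trusted CA). Needs openssl.
set -eu

# Create a CA private key and self-signed CA certificate in directory $1,
# with common name $2.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" 2>/dev/null
}

# Issue a client certificate (files $1/$2.*, CN=$3) signed by the CA in $1,
# and bundle key+cert as PKCS#12 ($1/$2.p12), the format browsers import.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" \
        -out "$1/$2.p12" -passout pass:changeit
}

# What the web server does with a presented certificate: check that it
# chains to the CA file it trusts ($1). Returns 0 if accepted, else non-zero.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: a certificate from our CA is accepted; one with the same CN but
# issued by an unrelated CA is refused, because the CA, not the name, is
# what the server trusts.
demo() {
    d=$(mktemp -d); r=$(mktemp -d)
    make_ca "$d" "Example Internal CA"; issue_client "$d" alice "alice"
    make_ca "$r" "Rogue CA";            issue_client "$r" mallory "alice"
    verify_client "$d/ca.crt" "$d/alice.crt"   && echo "alice: accepted"
    verify_client "$d/ca.crt" "$r/mallory.crt" || echo "mallory (wrong CA): refused"
    rm -rf "$d" "$r"
}

demo
```

To use this with a real server, point its CA certificate setting (for example Apache's SSLCACertificateFile) at ca.crt and import the .p12 into the browser.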

I think I will be needing this, so I looked it up. Here's the link: http://www.freebsddiary.org/openssl-client-authentication.php

Once I set it up, I'll write down my version of how to do it.