Well, I’ve made some progress at last. Now my test app lets you logon automatically if you happen to have a certificate whose name and email matches a user in the DB. Still, you have to have some certificate just to get to the site, but “a progress there is”.
Now I’ll try to figure out how to generate certificates for users (and the root cert too). The code is a mess, but it works, kinda.
UPD: wow! I just found http://segment7.net/projects/ruby/QuickCert/, it may save me 90% of the pain with the almost undocumented OpenSSL library!