I believe that zope might be an option for this application, but x.509 is a definite requirement. I don't know any requirements for the x.509 other than it will be used for authentication.
Oh yeah, our company uses Netscape web servers also. I listed apache/stronghold because I have a bad habit of relating everything to open source products.
Well, in this case, Zope CAN use x509 authentication!!! Netscape Enterprise Servers (ES) have a regular expression-like capability of matching Distinguished Names (DNs) to userids. This is useful because (a) by default Netscape ES stores user data in an internal db file keyed on userid AND (b) once bound the userid can be passed to Zope in the environment (using PCGI). The harder part would be getting access to ANYTHING other than the userid. This would require some work in C with the NSAPI. However, I've lurked on some of Netscape's snews: groups and looked a lot at Developer's Edge and there is some nice (i.e., well-commented!) sample code to look inside a cert once it's been authenticated. Good luck, --Rob