Requirements for the Edge SWG(ProxySG) to send a TLS client certificate



Article ID: 175586

Products

ProxySG Software - SGOS

Issue/Introduction

You would like to know why the client certificate is not being sent by the Edge SWG.

Resolution

For transactions coming in on the reverse proxy service, the client certificate presented to the upstream server is the one specified in Configuration > SSL > SSL Client > Keyring. That setting allows only a single certificate; to present a client certificate from a different keyring, or from a keylist, the reverse proxy supports the server.connection.client_keyring() policy property. Emulated client certificates are another way to perform mutual authentication with an upstream server.

For transactions which come in on the HTTP proxy service and are then forwarded to an HTTPS server, the server.connection.client_keyring() policy will not work as it is not handled by the SSL forward or reverse proxy. For these transactions, the client certificate specified in Configuration > SSL > SSL Client > Keyring will be used.

The HTTPS forward proxy service has supported the use of server.connection.client_keyring() since it was added.

Beyond these behavioral requirements, two further conditions must hold before the certificate is sent: the proxy must trust the certificate chain of the client certificate, and the certificate being presented must be signed by one of the DNs listed in the upstream server's certificate request. If the server's request lists no DNs, it will accept any client certificate chain.
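The DN check described above, as an added example that is not part of this article or of SGOS: it parses the certificate_authorities list from a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4) and decides whether a keyring's chain can satisfy it, treating an empty list as "any chain accepted". The request bytes and the single-CN DER names are constructed for the example; a real chain would carry full issuer names taken from the certificates.

```python
import struct


def der_cn(common_name: str) -> bytes:
    """Build a minimal DER X.501 Name with one CN attribute (constructed helper)."""
    value = common_name.encode()
    attr = b"\x06\x03\x55\x04\x03" + bytes([0x0C, len(value)]) + value  # OID 2.5.4.3 + UTF8String
    rdn = bytes([0x30, len(attr)]) + attr        # AttributeTypeAndValue
    rdn_set = bytes([0x31, len(rdn)]) + rdn      # RelativeDistinguishedName (SET)
    return bytes([0x30, len(rdn_set)]) + rdn_set  # Name (SEQUENCE)


def parse_certificate_request(body: bytes) -> list:
    """Return the certificate_authorities DNs (raw DER) from a TLS 1.2 CertificateRequest."""
    pos = 0
    n_types = body[pos]                       # certificate_types: 1-byte length + list
    pos += 1 + n_types
    (sig_len,) = struct.unpack_from("!H", body, pos)  # supported_signature_algorithms
    pos += 2 + sig_len
    (ca_len,) = struct.unpack_from("!H", body, pos)   # certificate_authorities: 2-byte length
    pos += 2
    end = pos + ca_len
    names = []
    while pos < end:                          # each DistinguishedName is 2-byte length + DER
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    if pos != end:
        raise ValueError("malformed certificate_authorities list")
    return names


def keyring_acceptable(chain_issuer_dns: list, requested_dns: list) -> bool:
    """True if the keyring's chain satisfies the server's request.
    No requested DNs means the server accepts any chain; otherwise some issuer
    along the chain must match one of the requested DNs byte-for-byte."""
    if not requested_dns:
        return True
    return any(issuer in requested_dns for issuer in chain_issuer_dns)


# Constructed sample: rsa_sign type, one signature algorithm, two accepted CA names.
CORP_CA = der_cn("Corp Issuing CA")
PARTNER_CA = der_cn("Partner Root CA")
SAMPLE_REQUEST = (
    b"\x01\x01"                    # certificate_types: [rsa_sign]
    + b"\x00\x02\x04\x01"          # supported_signature_algorithms: [(sha256, rsa)]
    + struct.pack("!H", 4 + len(CORP_CA) + len(PARTNER_CA))
    + struct.pack("!H", len(CORP_CA)) + CORP_CA
    + struct.pack("!H", len(PARTNER_CA)) + PARTNER_CA
)
EMPTY_CA_REQUEST = b"\x01\x01\x00\x02\x04\x01\x00\x00"  # server lists no DNs
```

A chain whose issuer is not in the list is exactly the case where the proxy silently sends nothing, so logging the parsed DNs next to the keyring's issuer is the first thing to check.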