There's no reason why it has to be horrific. I'd like to see someone make a decent attempt at making client TLS certs actually work well, including not using the same cert for multiple domains by default. Other problem is, I don't think many web server frameworks have support for them either.