nginx - reverse proxy certificate authentication

I´m trying to use nginx as a reverse proxy to an internal webserver running Tomcat, which hosts a front-end to our ERP system.

It is already working fine: I can perfectly connect to the nginx server (which is locked up on our network, different VLAN, firewall, etc etc etc) and then reverse proxy to my ERP server.

However, I want do add an extra layer of protection, by requiring users to have a digital certificate on their computer, so they can access the first (nginx) server. The certificate is not used/necessary to the back-end server.

I´ve been through this tutorial http://nategood.com/client-side-certificate-authentication-in-ngi which allowed me to generate my self-signed certificates and everything else.

When using ssl_verify_client optional on nginx configuration, I can connect normally to my back-end server, but no certificate is asked/required.

When I switch it to ssl_verify_client on , all access are then blocked by a

400 Bad Request

No required SSL certificate was sent

No matter which browser I am using (Chrome, IE, Edge, Firefox). Of course I´ve put all certificates/chain on my client computer, but no certificate is asked on any browsers. What I am missing?

Here is my full nginx config:

server {
        listen 443;
        ssl on;
        server_name 103vportal;

        ssl_password_file /etc/nginx/certs/senha.txt;
        ssl_certificate      /etc/nginx/certs/server.crt;
        ssl_certificate_key  /etc/nginx/certs/server.key;
        ssl_client_certificate /etc/nginx/certs/ca.crt;
        ssl_verify_client on;


        location / {
                proxy_pass http://10.3.0.244:16030;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                proxy_read_timeout 300;
                proxy_send_timeout 300;
        }

}