Considering a new approach 2 two way ssl or mutual
authentication

Wed, 28 Nov 2007 19:27:55 -080
I'm looking for some architectural feedback on an approach that I am considering
for dealing with 2 way ssl and really SSL handshaking in general.

The background for this new approach that I am considering is that my dev group
has been struggling for many days now on attempting to get 2 way ssl configured
and working properly from the application server level and it has been a
nightmare. As an enterprise application development shop we have tons of
environments that range from individual developer workstations, to deploy dev,
test, pre-prod and finally prod environments.
We are adept users of clustering as well as multiple domains, so needless to say
we have lots of JVMs floating around.

Our enterprise app has lots of web service integrations and many of the web
services that we need to call require 1 and 2 way SSL authentication. When
attempting to support this from the application server level, I see developers
having to frantically create keys/certs, import server certs and client certs,
and deal with trust/key stores in all of the environments that we have.

This is a nightmare...something doesn't seem right here from an architectural
perspective...so I came up with an idea and wanted to post it here to see if
anyone else is in the same position and thinks it might be a good idea and
further would be willing to swap notes on the tools needed to pull it off. I know
that the concept of Proxy Servers is not new, what I am getting at here is to
come up with an architectural tenet that says "no more dealing with SSL
handshaking stuff within the application server".

So here is the idea:

I currently believe that SSL handshaking is NOT the responsibility of the
application server layer AT ALL. I think that it's an architectural mistake that
the application server has such things as trust/key stores. What I would like to
implement (and I don't even know if I am using the right terminology here) is a
Proxy Server in which ALL of my outbound web service communications from my
application layer would go through. My thesis here is that ALL of the SSL
handshake configuration would get done at the Proxy Server and the application
level would NEVER have to deal with it. Developers would be free from dealing
with certs, keys etc. I would plan on having several Proxy Servers to serve each
of my major environments (i.e. dev, test, prod, etc.)

Does this sound like a reasonable approach? Has anyone been here before? Is
there a hardware solution here? Or is it just software? Open source?

Anyone let me know your thoughts, I'd be happy to share solution thoughts as I
go down this road.

Thanks,
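
The outbound proxy described in the post, sketched as an nginx configuration. This is an added example and not part of the original post; the choice of nginx, the listen address, the host name partner.example.com and all file paths are assumptions, and a dev, test or prod proxy would differ only in those values.

```nginx
# Added illustration, not from the original post.
# Addresses, host names and file paths are placeholders.
events {}

http {
    # One server block per partner web service. Applications call
    # http://10.0.0.10:8081/ and hold no key store or trust store.
    server {
        # Internal interface only: the hop from the application server
        # to this proxy is plain HTTP.
        listen 10.0.0.10:8081;

        location / {
            proxy_pass https://partner.example.com:443;

            # Client identity presented in the two-way SSL handshake.
            proxy_ssl_certificate     /etc/nginx/tls/dev/client.crt;
            proxy_ssl_certificate_key /etc/nginx/tls/dev/client.key;

            # Server side of the handshake. nginx does not verify the
            # upstream certificate unless proxy_ssl_verify is on.
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_trusted_certificate /etc/nginx/tls/dev/partner-ca.pem;

            # Send SNI and check the certificate against the expected name.
            proxy_ssl_server_name on;
            proxy_ssl_name        partner.example.com;

            proxy_ssl_protocols TLSv1.2 TLSv1.3;
            proxy_set_header    Host partner.example.com;
        }
    }
}
```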
