I just added a client cert requirement in conf/system.xml.
I added an additional connector with the following options:
clientAuth="true" port="4430"
This allows me to run internally on port 7272 with no client certificate requirement, and on 4430 externally with client certificates required.
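
A config check for the setup described above, as an added example that is not part of the original post: it reads the connectors from a Tomcat-style XML file and reports any externally reachable port that does not require a client certificate. The `<Connector>` element name, the extra attributes and the sample file are assumptions; only `clientAuth="true"`, port 4430 and port 7272 come from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post gives only clientAuth="true" port="4430" and the
# internal port 7272; element names and the other attributes are assumed
# (Tomcat-style <Connector> layout).
SAMPLE_CONFIG = """\
<Server>
  <Service name="example">
    <Connector port="7272" SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="4430" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true"/>
  </Service>
</Server>
"""

def connector_client_auth(xml_text):
    """Map each connector port to its clientAuth mode ('true', 'want', 'false')."""
    root = ET.fromstring(xml_text)
    modes = {}
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if port is None:
            continue
        # An absent attribute means no client certificate is requested.
        modes[int(port)] = (conn.get("clientAuth") or "false").strip().lower()
    return modes

def audit(xml_text, external_ports):
    """Return findings for externally reachable ports that do not enforce certs."""
    modes = connector_client_auth(xml_text)
    findings = []
    for port in sorted(external_ports):
        mode = modes.get(port)
        if mode is None:
            findings.append((port, "no connector defined on this port"))
        elif mode != "true":
            # 'want' requests a certificate but still admits clients without one.
            findings.append((port, f"clientAuth={mode!r} does not require a certificate"))
    return findings

if __name__ == "__main__":
    for port, mode in sorted(connector_client_auth(SAMPLE_CONFIG).items()):
        print(f"port {port}: clientAuth={mode}")
    # Treating 7272 as external shows the finding raised if it is ever exposed.
    for port, problem in audit(SAMPLE_CONFIG, {4430, 7272}):
        print(f"FINDING port {port}: {problem}")
```

The set passed as `external_ports` should match what the firewall actually exposes, since the certificate requirement on 4430 only holds while 7272 stays unreachable from outside.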