Today is going too well. I think I'll try to figure out private/self-signed/client certs again.

I'm trying to set it up so that I have a site with a cert, which only accepts connections from a client using an appropriate cert, and the hard mode is that the site isn't accessible on the public internet.

Doing each of these things seems to be pretty easy. Doing them all at once seems to be a nightmare.

@foone this sounds a lot like what Gemini (the protocol) can do, maybe you can take some inspiration from servers that implement it?