I'm looking through a variety of SSL providers, but they all seem to provide "email certificates" which can double as client-certs that can be installed into a browser.

Does any company actually sell client-certificates and know what they're talking about?

A: 

X509v3 certificates can be restricted to specific uses. Some S/MIME certificates are restricted so that they can't be used for websites, but most are not.

Thawte no longer issues client certificates. My certificate from 2003 had a "Cert Type" of "SSL Client, S/MIME", indicating that it could be used for both email and for client certificates. My certificate from April 27, 2009 had only a single constraint, that it could not be used as a Certificate Authority.

Apple's iChat encryption certificate can only be used for SSL Client. You get this automatically if you are a me.com customer and enable secure iChat.

You may find that it is easiest to issue your own certificates. Many people do this and it works quite well. You will need to have the user load your own key as a CA.

vy32
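Putting the last suggestion above into practice, as an added example that is not part of this thread: a throwaway private CA issues a client certificate whose Extended Key Usage is limited to TLS client authentication, and OpenSSL is then asked whether the certificate is acceptable for each purpose. Assumes the `openssl` CLI is on PATH; the CA name, subject and file names are made up.

```shell
#!/bin/sh
# Added example (not from the original thread): mint a private CA and a
# client certificate restricted to clientAuth, then check which purposes
# OpenSSL accepts it for. Assumes the openssl CLI; all names are made up.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed CA: this is the key the user would have to load as a CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. Client key pair and certificate request.
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=alice@example.test" \
    -keyout client.key -out client.csr >/dev/null 2>&1

# 3. Sign it with EKU = clientAuth only: no emailProtection, not a CA.
cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client.ext -out client.crt >/dev/null 2>&1

# check_purpose <purpose>: prints "ok" if client.crt chains to ca.crt and
# is permitted for that purpose, "rejected" otherwise.
check_purpose() {
    if openssl verify -CAfile ca.crt -purpose "$1" client.crt >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

printf 'sslclient: %s\n' "$(check_purpose sslclient)"   # ok
printf 'smimesign: %s\n' "$(check_purpose smimesign)"   # rejected
printf 'sslserver: %s\n' "$(check_purpose sslserver)"   # rejected
```

The same `openssl verify -purpose` check is a quick way to see whether a purchased "email certificate" is also usable for client authentication.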
A: 

A client certificate is typically only meaningful in the context of a service that trusts it.

For example, when a Windows computer joins a domain, that client workstation generates a key pair (internally), the domain controller signs it, and that signed pair (which now becomes a cert, though not an X509 cert) is used internally by Windows. The cert is only meaningful to the domain controller.

Normally, large organizations who run their own CA issue client certs to people who want to use SSL auth to access secure sites.

The reason that client certificates are probably rare on the internet at large is the revocation problem. For Thawte to issue you (personally) a client cert would mean that they would have to be responsible for managing revocation for it. In order for it to be cost effective, there would be a large number of certs out there, and they would constantly be being revoked, since individuals constantly have security lapses.

Justin