Hi Colin
We had a similar function with longer-lifetime certificates before rolling out the SAP authenticator app. Before then, we placed rewrite rules within the web dispatcher to block client certificates for a device that was lost, i.e. SSL_CLIENT_CERT_SUBJECT, as per SAP Note 1612828.
This was in addition to the recommendation that Stephan has made, i.e. locking associated accounts.
Rgrds
Craig