Neither Firefox nor Thunderbird are set up to use it. Grr!
LibNSS supports a shared SQLite database but nobody wants to agree on where to keep it or whether to use it at all. They all want to stick to how they used to do it. Evolution uses gnutls and its own key management; ff and tbird use private libnss keystores; ssh doesn't even use x.509 certs at all (argh!).
You can enable the shared keystore with one line of code, but nobody's shipping FF and tbird configured that way, let alone adopting it for other apps. Very frustrating. Because few devs use X.509 client certificate infrastructure, it doesn't seem to get much attention/interest.