SSL Mutual Authentication - Client and Server Side. Python & # 8594; Django / Twisted / Tornado

I am creating a python application where the client side will request xml pages from the server (python also works).

I would like to do something on the line of the puppet configuration management system. Puppet works as follows:

1) If the client is working for the first time, it generates a certificate signing request and a private key. The first is the x509 certificate, which is itself signed.
2) The client connects to the master (the client is not authenticated at the moment) and sends a CSR, it will also receive a CA certificate and CRL in response.
3) The wizard stores the CSR locally
4) The administrator verifies the CSR and may eventually sign it (this process can be automated with auto-recording). I highly recommend checking the certificate fingerprint at this point.
5) The client waits for his signed certificate, which the master eventually sends.
6) All subsequent messages will use this client certificate. Both master and client will authenticate each other by virtue of sharing the same CA.
(from http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/ )

The main things I don't know how to do:
- What are the best libraries to use?
- What to use on the server side? Will Django behind apache / nginx sign the certificate on first launch and authorize using certificates later on, or do I need to use something like twisted on the front side?
- The best way to send CSR is POST to server?
- Does anyone know if there are some code examples that will cover both client and server sides?
- Is there any other way to establish a reliable connection between client / server without human iteration (which is best for authentication between web services)?