3.11.5.1 End-user X509 Certificate Success Processing
If the client obtains an end-user certificate, the client SHOULD validate the X509 certificate [RFC4158] according to the value of CurrentEndpointConfiguration.CertificateValidation:
If the CurrentEndpointConfiguration.CertificateValidation value is 0 ("None"), the client SHOULD NOT perform any validation; the certificate is treated as successfully validated for the processing that follows.
If the CurrentEndpointConfiguration.CertificateValidation value is 1 ("Ssl"), the client SHOULD perform full certification path validation of the certificate [RFC4158].
If the CurrentEndpointConfiguration.CertificateValidation value is 2 ("IssuedByDrs"), the client SHOULD validate that the end-user certificate was issued by one of the issuers listed in ServiceConfiguration.DeviceCertificateIssuers.
If the validation of the end-user certificate succeeded, or if it failed and the CurrentEndpointConfiguration.CertificateValidation value is 1 ("Ssl"), the client performs the following processing:
The client MUST construct a request as in section 3.10.5.1.
If the validation of the end-user certificate succeeded, the [Serialized Request with Certificate].SerializedClientCertificate MUST be set to the base64-encoded ([RFC4648] section 4) X509 certificate [RFC4158]. Otherwise (validation failed under value 1), the [Serialized Request with Certificate].ErrorType SHOULD be set to 1 ("Certificate") and the [Serialized Request with Certificate].ErrorCode SHOULD be set to the error value that was encountered while validating the end-user certificate; the request is still sent, carrying the failure details instead of the certificate.<13>
The client then performs the common processing defined in section 3.11.5.2.
If the validation of the end-user certificate failed and the CurrentEndpointConfiguration.CertificateValidation value is 2 ("IssuedByDrs"), no error request is constructed; the client SHOULD instead replay the request as specified in section 3.11.5 step 6.
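The following is an added example, not code from the protocol specification or from any implementation of it. It models the client-side decision logic of this section: the three CertificateValidation values, the two failure paths (value 1 sends the request with ErrorType/ErrorCode; value 2 replays), and the base64 encoding of the certificate on success. The certificate object, the chain validator, the issuer list and the error code are constructed stand-ins; real path validation per [RFC4158] is assumed to be supplied by the caller as validate_chain.

```python
"""Added example: end-user certificate processing per CertificateValidation.

Only the decision logic is modelled. EndUserCertificate, the validators and
the sample data below are constructed for illustration, not real X.509 code.
"""
import base64
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

# CurrentEndpointConfiguration.CertificateValidation values from this section.
VALIDATION_NONE = 0            # "None": no validation at all
VALIDATION_SSL = 1             # "Ssl": full certification path validation
VALIDATION_ISSUED_BY_DRS = 2   # "IssuedByDrs": issuer must be a DRS device cert issuer

ERROR_TYPE_CERTIFICATE = 1     # [Serialized Request with Certificate].ErrorType "Certificate"

# Next action for the client: send the request (section 3.11.5.2) or
# replay it without a certificate (section 3.11.5 step 6).
SEND, REPLAY = "send", "replay"


class CertificateValidationError(Exception):
    """Raised by a validator; `code` becomes the ErrorCode sent to the server."""

    def __init__(self, code: int, reason: str):
        super().__init__(reason)
        self.code = code


@dataclass(frozen=True)
class EndUserCertificate:
    der: bytes     # DER bytes of the certificate (constructed, not a real cert)
    issuer: str    # issuer name as it would be read from the certificate


@dataclass
class SerializedRequestWithCertificate:
    SerializedClientCertificate: Optional[str] = None
    ErrorType: Optional[int] = None
    ErrorCode: Optional[int] = None


ChainValidator = Callable[[EndUserCertificate], None]


def process_end_user_certificate(
    cert: EndUserCertificate,
    validation: int,
    device_cert_issuers: Sequence[str],
    validate_chain: ChainValidator,
) -> Tuple[str, Optional[SerializedRequestWithCertificate]]:
    """Apply the CertificateValidation setting and build the request.

    `validate_chain` stands in for full path validation (RFC 4158, assumed to
    be provided by the caller); it must raise CertificateValidationError on
    failure. Returns (action, request); request is None when replaying.
    """
    error: Optional[CertificateValidationError] = None

    if validation == VALIDATION_NONE:
        pass  # value 0: the certificate is forwarded exactly as presented
    elif validation == VALIDATION_SSL:
        try:
            validate_chain(cert)
        except CertificateValidationError as exc:
            error = exc  # value 1 failure: still send, but report the error
    elif validation == VALIDATION_ISSUED_BY_DRS:
        if cert.issuer not in device_cert_issuers:
            return REPLAY, None  # value 2 failure: replay per 3.11.5 step 6
    else:
        raise ValueError(f"unknown CertificateValidation value {validation}")

    request = SerializedRequestWithCertificate()  # built as in section 3.10.5.1
    if error is None:
        # Success: attach the certificate as base64 (RFC 4648 section 4).
        request.SerializedClientCertificate = base64.b64encode(cert.der).decode("ascii")
    else:
        request.ErrorType = ERROR_TYPE_CERTIFICATE
        request.ErrorCode = error.code
    return SEND, request


# ---- constructed sample data (not from the specification) ----------------
SAMPLE_CERT = EndUserCertificate(der=b"\x30\x82\x01\x00" + b"\x00" * 12,
                                 issuer="CN=Contoso Device CA")
DRS_ISSUERS = ["CN=Contoso Device CA"]
SAMPLE_ERROR_CODE = 0x800B0101  # sample value only (Windows CERT_E_EXPIRED)


def trusting_chain(cert: EndUserCertificate) -> None:
    """Stand-in validator that accepts every chain."""


def failing_chain(cert: EndUserCertificate) -> None:
    """Stand-in validator that rejects every chain with the sample code."""
    raise CertificateValidationError(SAMPLE_ERROR_CODE, "certificate expired")


if __name__ == "__main__":
    for mode, validator in ((VALIDATION_NONE, failing_chain),
                            (VALIDATION_SSL, failing_chain),
                            (VALIDATION_SSL, trusting_chain),
                            (VALIDATION_ISSUED_BY_DRS, trusting_chain)):
        print(mode, process_end_user_certificate(SAMPLE_CERT, mode, DRS_ISSUERS, validator))
    other = EndUserCertificate(der=SAMPLE_CERT.der, issuer="CN=Unknown CA")
    print(2, process_end_user_certificate(other, VALIDATION_ISSUED_BY_DRS, DRS_ISSUERS, trusting_chain))
```

Note that under value 0 the failing validator is never consulted, so whatever the end-user presents is forwarded; under value 1 the server receives ErrorType 1 and the validator's code rather than a certificate; only value 2 withholds the request and replays.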