I think there could be a large extension to the server section, because there is no option
to check the handling of client certificates in the server.
You could provide a TestCA that could be imported into the server for testing. Options that can then be checked:
- Server validates the validity of the client certificate / full chain (client / SubCA out of date)
- Server correctly checks the name restrictions of the SubCA.
- Server correctly checks the certificate purpose.
- Server tolerance against chain disordering
- Accepted client certificate key types and hash algorithms
- Handling when the client sends an unrequested client certificate
- I think many more checks could be included in this section.
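
One way to build TestCA fixtures of the kind requested above, as an added example that is not part of the original post or of the project's code: it covers the validity and certificate-purpose items using the `openssl` CLI, with `openssl verify` standing in as the reference for what a correct server should decide. All subject names, file names and the helper functions `issue` and `accepts` are constructed for this example.

```shell
#!/bin/sh
# Added example: all subjects and file names are constructed, hypothetical fixtures.
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT

# Minimal config so the TestCA carries explicit CA extensions.
cat > "$W/cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Self-signed TestCA, valid 30 days; ca.pem is the file a server under test would import.
new_key "$W/ca.key"
openssl req -x509 -new -key "$W/ca.key" -config "$W/cnf" -subj "/CN=Example TestCA" \
  -days 30 -out "$W/ca.pem"

# issue NAME EKU: leaf certificate signed by the TestCA, valid for 1 day.
issue() {
  new_key "$W/$1.key"
  openssl req -new -key "$W/$1.key" -config "$W/cnf" -subj "/CN=$1" -out "$W/$1.csr"
  printf 'extendedKeyUsage = %s\n' "$2" > "$W/$1.ext"
  openssl x509 -req -in "$W/$1.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" \
    -CAcreateserial -days 1 -extfile "$W/$1.ext" -out "$W/$1.pem" >/dev/null 2>&1
}

# accepts NAME [verify options]: exit 0 if a correct verifier accepts NAME as a TLS client cert.
accepts() {
  name=$1; shift
  openssl verify -CAfile "$W/ca.pem" -purpose sslclient "$@" "$W/$name.pem" >/dev/null 2>&1
}

issue client-ok clientAuth          # baseline: must be accepted
issue client-wrong-eku serverAuth   # wrong purpose: must be rejected
LATER=$(( $(date +%s) + 3 * 86400 ))  # 3 days ahead: leaf expired, TestCA still valid

accepts client-ok && echo "client-ok: accepted"
accepts client-wrong-eku || echo "client-wrong-eku: rejected"
accepts client-ok -attime "$LATER" || echo "client-ok at +3d: rejected (expired)"
```

A server that accepts `client-wrong-eku`, or that accepts `client-ok` after its one-day validity has passed, fails the corresponding check from the list.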