Infinispan / ISPN-12726

Server should support a truststore for client cert validation


    • Enhancement
    • Resolution: Done
    • Major
    • 12.1.0.CR1
    • 12.0.0.Final
    • Security, Server
    • None

      While it is possible to authenticate clients using a certificate, this requires a trust store realm, which means adding all possible client certificates to the trust store. Simple validation (not authentication) of certificates based on their trust chain is currently not supported.

      We should enhance the SSL server identity to support a truststore without requiring a trust realm.

      <security-realm name="default">
         <server-identities>
            <ssl>
               <keystore path="server.pfx" keystore-password="secret" alias="server"/>
               <truststore path="ca.pfx" password="secret"/>
            </ssl>
         </server-identities>
      </security-realm>
      

      If a truststore is present, a client cert will be required on incoming connections.

            ttarrant@redhat.com Tristan Tarrant
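
The distinction the issue draws, shown with openssl as an added example (not part of the original issue and not Infinispan code): a trust anchor holding only the issuing CA validates every client certificate that chains to it, with no per-client entries. The CA, the client names and all file names are constructed for the demo, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Constructed demo: throwaway keys and certificates in a temp dir (all names made up).

# Self-signed CA: the only certificate the truststore would need to hold.
make_ca() {  # $1 = working dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client certificate issued (signed) by the demo CA.
issue_client() {  # $1 = working dir, $2 = client name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

# Self-signed certificate that does not chain to the demo CA.
make_unrelated() {  # $1 = working dir, $2 = name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Trust-chain check against the demo CA; prints "accept" or "reject".
validate() {  # $1 = working dir, $2 = certificate name
  if openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Two CA-issued clients and one outsider, validated against the CA alone.
demo() {
  d=$(mktemp -d) || return 1
  make_ca "$d" && issue_client "$d" client1 && issue_client "$d" client2 &&
    make_unrelated "$d" outsider || { rm -rf "$d"; return 1; }
  for c in client1 client2 outsider; do
    echo "$c: $(validate "$d" "$c")"
  done
  rm -rf "$d"
}

demo
```

Both issued clients are accepted although neither certificate was ever added to a store, which is the chain-based validation the issue asks for; the self-signed outsider is rejected.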