Feature Request
Resolution: Done
Major
JBossAS-3.2.7 Final, JBossAS-4.0.1 Final
None
It may be desirable to have client-cert authentication without requiring that the client cert be available to the server. This is a weakened form of client-cert authentication that requires the client to supply a client cert, but the only requirement is that it is signed by a trusted CA. The client cert itself does not need to be verified. This may make sense if you are the CA signing the client cert.
Currently the JaasSecurityDomain and cert-based login modules require a client cert in the associated JaasSecurityDomain keystore.
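The two acceptance policies contrasted above, as an added example using the standard Java certificate APIs; this is not JBoss code or the login modules' implementation. The class name, method names and command-line arguments are hypothetical, and the keystore and certificate files are assumed to exist.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical illustration class, not part of JBoss.
public class ClientCertPolicies {

    // Current behaviour: the exact client cert must be stored in the keystore.
    static boolean isInKeystore(KeyStore store, X509Certificate cert) throws Exception {
        return store.getCertificateAlias(cert) != null;
    }

    // Requested behaviour: any cert that chains to a CA cert held in the store is accepted.
    static boolean isSignedByTrustedCa(KeyStore trustStore, X509Certificate cert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));
        // Trusted certificate entries in the store become the PKIX trust anchors.
        PKIXParameters params = new PKIXParameters(trustStore);
        // No CRL/OCSP lookup here, so a revoked cert from the CA would still pass.
        params.setRevocationEnabled(false);
        try {
            // Checks the CA signature and the validity period, not the cert's identity.
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    // Assumed arguments: <keystore file> <store password> <client cert file (PEM or DER)>
    public static void main(String[] args) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[2])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("subject:              " + cert.getSubjectX500Principal());
        System.out.println("present in keystore:  " + isInKeystore(store, cert));
        System.out.println("signed by trusted CA: " + isSignedByTrustedCa(store, cert));
    }
}
```

Under the second policy every certificate the CA has issued is accepted, so which users are allowed in has to be decided separately, for example from the subject name.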