...
If the authentication method is TLS then a client certificate (PKCS12) MUST be provided If the client cannot read this certificate due to encryption, a passphrase MUST be provided by the userused to decrypt the container.
...
If the authentication method is TLS then a client certificate (PKCS12) MUST be provided If the client cannot read this certificate due to encryption, a passphrase MUST be provided by the userused to decrypt the container.