Yeah, it's not bad when the backend will accept headers (e.g. remote_user), it's when it wants the actual certificate to check against a CA when it becomes an issue.