Instead of matching the whole certificate, you might want to look up the DN from the certificate in the HTTP_X_SSL_CLIENT_S_DN header and check if it was validated against the CA in the HTTP-X-CLIENT-VERIFY header.
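
One way to apply the check described above, as an added example that is not part of the original post. It assumes WSGI-style environ keys (HTTP_X_CLIENT_VERIFY standing for the HTTP-X-CLIENT-VERIFY header), a TLS-terminating proxy that writes the literal value SUCCESS when the chain validated, and a constructed proxy address and DN allowlist:

```python
# Assumptions (not from the original post): environ key spellings, the
# "SUCCESS" verify value, and the constructed address and DN below.
TRUSTED_PROXIES = {"10.0.0.5"}                          # constructed
ALLOWED_DNS = {"CN=api-client-1,O=Example Corp,C=US"}   # constructed


def normalize_dn(dn):
    """Return a DN as a sorted tuple of (ATTR, value) pairs, or None.

    Accepts the comma form ("CN=a,O=b") and the slash form ("/O=b/CN=a")
    so both compare equal. Escaped separators are not parsed: a DN that
    contains a backslash is rejected rather than guessed at.
    """
    if not dn or "\\" in dn:
        return None
    parts = dn.strip("/").split("/") if dn.startswith("/") else dn.split(",")
    pairs = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            return None  # malformed component: fail closed
        pairs.append((attr.strip().upper(), value.strip()))
    return tuple(sorted(pairs))


def client_is_authorized(environ, allowed_dns=ALLOWED_DNS,
                         trusted_proxies=TRUSTED_PROXIES):
    """Decide from proxy-supplied headers whether the client cert is accepted."""
    # The headers only mean something when the request came from the proxy
    # that sets them; any other peer could have supplied them itself.
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return False
    # Exact comparison, so values such as "NONE" or "FAILED:..." never pass.
    if environ.get("HTTP_X_CLIENT_VERIFY", "") != "SUCCESS":
        return False
    # Compare whole DNs, never substrings, against the allowlist.
    dn = normalize_dn(environ.get("HTTP_X_SSL_CLIENT_S_DN", ""))
    allowed = {normalize_dn(d) for d in allowed_dns}
    return dn is not None and dn in allowed
```

The proxy also has to overwrite or strip both headers on every inbound request, otherwise a client can send its own values through it.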