machine cert auth agent doesn't check on private keys?

hi out there I have still problems with the machine cert auth agent in my apm policy - it seems as if it cannot verify if the the certificate contains the private key or not - I tried to export a certificate with non-exportable private keys and import it again so that no private key exist on the client - the agent still return "1" and lets me pass the authentication successfull even though I would expect that it should return "2" and hereby indicate correct certificate but without private keys what can I do?

best regards /ti