problem with machine certificate check...

Hi out there I am going to build me a virtual server for m2m - machine to machine communication where pc's will upload data to a webservice. The inside serverpart have I now running with a kerberos sso policy where I now will replace my http-401 agent with a machine certificate agent - I expect that I can swap this module in but I cannot really find some documentations on this. Can some here either show me a sample or guide? I tried to insert it in my apm policy but I could not get the correct certificate in the machine store. Is it possibly to use the "on demand certificate check" agent instead? this works simple and problem-free but as far as I can see I can only define the current user's personal certificate there - is this correct? best regards /ti