Thank you for the update. I got everything now, if I'm not mistaken. This is a very interesting job.
A question: if the server cert is expired (trusted or not), then the client will have an untrusted error message, right? It should be easy to update it with a relevant SSL client profile for an expired cert message to the client, but I don't know if browsers' behaviour may block without warning, whereas still displaying a warning with untrusted.