Access logs currently do not show a client's certificate DN in forced client SSL certificate mode (RequiredCA). It is up for grabs to 'guesstimate' who the actual requester of a HTTP request was. Could this functionality be added to included in one of the logging formats (We currently use the hiawatha log format) ?
Additionally, or alternatively, a configuration directive could be added to populate the 'REMOTE_USER' HTTP header with the client's certificate common name.
Ideally both the first and second request would become possible within Hiawatha of course