as of now, pg_hba.conf allows us to enable authentification by certificate through the auth-method "cert", in which case the user must provide a valid certificate with a certificate common name(CN) matching the database user's name or an entry in a pg_ident map.
Additionaly, for every other auth-method it is possible to set the auth-option "clientcert=1", so clients must present a valid certificate at login. The logic behind this only checks the validity of the certificate itself, but the certificate common name(CN) is not relevant.
I wrote a very small patch that adds another auth-option: - clientcert=verify-full (analogous to server certificates; you could also use 2 instead of verify-full for backwards compatibility, or verify-ca instead of 1) which also checks the certificate common name, so all 3 factors get checked: 1.) auth-method, e.g. scram or md5 password passes 2.) client cert is in truststore 3.) CN is correct.
(The patch simply makes use of the function that is used for auth- method "cert" to avoid code duplication).
I think this makes a lot of sense, and can definitely be a useful option.
However, the patch is completely lacking documentation, which obviously make it a no-starter.
Also if I read it right, if the CN is not correct, it will give the error message "certificate authentication failed for user ...". I realize this comes from the re-use of the code, but I don't think this makes it very useful. We need to separate these two things.