The security of a client certificate rests on trust: validation must establish that the certificate was signed by a trusted source. That trusted source could be an internal CA owned by the company, an external CA provider, or the certificate could be self-signed. Whether it is signed by an internal or an external provider, the main piece of trust comes from trusting the CA used and from CRL/OCSP validation, which ensures that the certificate, even though it has been signed, has not been revoked. With self-signed certificates this functionality is not available, so they do not have the same advantage. The functionality can be added by doing what has been done: adding the certificate to a user in an LDAP, Federated, or Internal Identity Provider within the Gateway. If this user is disabled or deleted, login will fail.
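The binding described above can be modelled as follows. This is an added example, not the Gateway's own code or API: the `DirectoryUser` type, the in-memory directory, and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class DirectoryUser:
    """Hypothetical stand-in for an LDAP / identity-provider entry."""
    name: str
    enabled: bool
    cert_sha256: str  # SHA-256 fingerprint of the certificate bound to the user

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(cert_der).hexdigest()

def authenticate(cert_der: bytes, directory: dict) -> tuple:
    """Decide a login for a self-signed client certificate.

    No CA chain or CRL/OCSP exists for it, so the only trust anchor is the
    binding to a directory user, re-checked on every login.
    Returns (user name or None, reason).
    """
    presented = fingerprint(cert_der)
    for user in directory.values():
        if hmac.compare_digest(user.cert_sha256, presented):
            if not user.enabled:
                return None, "bound user is disabled"
            return user.name, "ok"
    return None, "certificate is not bound to any user"

def demo() -> list:
    # Constructed sample data: these byte strings stand in for DER certificates.
    alice_cert = b"constructed-self-signed-cert-alice"
    other_cert = b"constructed-self-signed-cert-unknown"
    directory = {"alice": DirectoryUser("alice", True, fingerprint(alice_cert))}

    results = [authenticate(alice_cert, directory)]      # bound and enabled
    results.append(authenticate(other_cert, directory))  # never bound to a user
    directory["alice"].enabled = False                   # "revocation" by disabling
    results.append(authenticate(alice_cert, directory))
    del directory["alice"]                               # or by deleting the user
    results.append(authenticate(alice_cert, directory))
    return results

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Because the directory lookup happens on every login, disabling or deleting the user takes effect immediately, which is the role CRL/OCSP plays for CA-issued certificates.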