This scenario presents a stricter regime, where the queen only accepts connections from clients that provide a CA-signed certificate, for which a copy already exists on the queen at the time of connection. In other words, clients cannot connect using a self-signed certificate, nor can they connect using a copy of the queen's public key. The identical signed certificate must exist on the queen as well. Setting the server flag disallowPeerWithoutCertificates = true is what forces the client to provide a certificate in order to connect.