How does Spring Security use certificate information?