i'm thinking the way to test it would be to run a provider and try to engage your own provider then it is easy to add logging to the provider to figure out where and how the certificates are supposed to be verified