Support for x509 authentication is incomplete without access to the x509 certificate. Matching the certificate subject to a db register is only a part of certificate authentication. Other checks are based on the certificate itself, the certificate chain, and checking against CRLs.
I know that it can be done without using the sec schema, but it is really a pity to throw away what the schema can do, only for this thing. It can be done easily, by creating a context for the preauth process as it is created for the auth, or by the 'aware' interface.
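
The checks listed above that go beyond subject matching, as an added example that is not part of the original post or of the framework's own code: the class `ClientCertChecks`, its parameters and the extended-key-usage policy are assumptions, and only standard `java.security.cert` calls are used.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;

/** Added example: hypothetical helper, not part of the framework or the sec schema. */
public final class ClientCertChecks {
    private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    /**
     * @param chain   client chain, leaf first (what a servlet container exposes in the
     *                "javax.servlet.request.X509Certificate" request attribute)
     * @param anchors CA certificates the application trusts (assumed to be loaded elsewhere)
     * @param crls    current CRLs for the issuers in the chain (assumed to be fetched elsewhere)
     * @return the validated leaf; its subject can then be matched against the user store
     */
    public static X509Certificate validate(X509Certificate[] chain, Set<TrustAnchor> anchors,
                                           Collection<X509CRL> crls) throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        X509Certificate leaf = chain[0];

        // 1. Checks on the certificate itself.
        leaf.checkValidity();
        List<String> eku = leaf.getExtendedKeyUsage();
        if (eku != null && !eku.contains(EKU_CLIENT_AUTH)) { // assumed policy
            throw new CertificateException("certificate is not usable for client authentication");
        }

        // 2. Chain: the path handed to the validator must not contain the trust anchor itself.
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (TrustAnchor a : anchors) {
            if (a.getTrustedCert() != null) anchorCerts.add(a.getTrustedCert());
        }
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!anchorCerts.contains(c)) path.add(c);
        }
        if (path.isEmpty()) throw new CertificateException("chain contains only trust anchors");
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);

        // 3. Revocation: with default JDK settings and only this local CRL store, a
        //    certificate whose issuer has no CRL here fails validation rather than passing.
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        // Throws CertPathValidatorException on a bad signature, expiry, or revoked certificate.
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return leaf;
    }
}
```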