Allow smartcard use without requiring email address on certificate
Some customers using smartcards for authentication don't have
emailAddress in certs. Since our current implementation relies on this, this renders this authentication strategy unusable.
- Allow configuration to match certificates on another unique identifier (CN or serialNumber) that isn't emailAddress.
- If emailAddress is not present on the certificate, ask for it in the application after we create the user.