When a TLS-based transport is created/started, it should check the certificate. In particularly, verify:
- is not expired
- it can be used as both server and client (key usage)
If there is a problem, there should be an exception.
Should also check the CN (or subjectAltName) to make sure it is consistent with the transport address.