This is a follow on to #26246.
We should add a few tests where the certs are bad to make sure that we don't accidentally allow insecure connections. While this wasn't the case when I was testing things out, better to have that coverage and not need it, then to need it and not have it.
