east sends a fake cert; west has a root CA and rejects it

east uses *cert=west to authenticate west; it then responds with a fake
cert

west rejects the cert payload as it has an invalid signature
