I contacted support about this awhile ago (about what it's actually checking for) and they weren't much help. Basically HC just looks to see that the client has a valid cert issued from a trusted CA. There's not much other checking it does, and I don't know of any additional documentation.
Kind of. By default, for certificate based logins, the only requirement is that the certificate be trusted, i.e. loaded into the SA..
Once you have certs installed, navigate to Users->User Realms->[realm name]->Authentication Policy->Certificate. Here you can specifiy name/value pairs for certificate fields, like CN, version, basically, any field that exists in the certificate.
I believe that this is what you're looking for.