3.2.5.2.1.3 Processing Details

The server MUST validate that the [Proxy Trust].SerializedReplacementCertificate has an extended key usage (EKU) for client authentication (1.3.6.1.5.5.7.3.2) ([RFC3280] section 4.2.1.13) and is within the validity period ([RFC1422] section 3.3). If validation fails, the server MUST return an HTTP error code of 400.

The server MUST add [Proxy Trust].SerializedReplacementCertificate to [Server State].ProxyTrustedCertificates for future validations.
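The two processing steps above, sketched in Go as an added example that is not part of the specification or of any Microsoft implementation. It assumes the certificate arrives as DER bytes and that success maps to HTTP 200; `serverState`, `process` and `makeCert` are hypothetical names, and the certificates are constructed in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

type serverState struct{ ProxyTrustedCertificates []*x509.Certificate } // stand-in for [Server State]

// process applies both checks to a DER-encoded certificate (encoding assumed).
func (s *serverState) process(der []byte, now time.Time) int {
	cert, err := x509.ParseCertificate(der)
	if err != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return http.StatusBadRequest // unparsable or outside validity period
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth { // OID 1.3.6.1.5.5.7.3.2
			s.ProxyTrustedCertificates = append(s.ProxyTrustedCertificates, cert)
			return http.StatusOK // success code is an assumption of this example
		}
	}
	return http.StatusBadRequest // EKU missing or lacks client authentication
}

// makeCert builds a constructed self-signed certificate for the demonstration.
func makeCert(clientAuth bool, notBefore, notAfter time.Time) []byte {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	eku := map[bool]x509.ExtKeyUsage{true: x509.ExtKeyUsageClientAuth, false: x509.ExtKeyUsageServerAuth}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore,
		NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{eku[clientAuth]}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	now := time.Now()
	fmt.Println(new(serverState).process(makeCert(true, now.Add(-time.Hour), now.Add(time.Hour)), now))
}
```

A certificate carrying only the server authentication EKU, an expired or not-yet-valid one, and unparsable input all take the 400 path and leave the trusted list unchanged.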