This Section 12 lays out requirements as to structure and content with which all valid authorised Certificates shall comply, in so far as those requirements affect the processing carried out by Devices. All terms in this section shall, where not defined in the GBCS, have the meanings in IETF RFC 5759 and IETF RFC 5280.
contain a subjectKeyIdentifier which shall be marked as non-critical;
contain a certificatePolicies extension containing at least one PolicyIdentifier which shall be marked as critical. For clarity and in adherence with IETF RFC 5280, Certification Path Validation undertaken by Devices shall interpret this extension;
contain an authorityKeyIdentifier in the form KeyIdentifier which shall be marked as non-critical, except where the Security Credential Document is self-signed. Note this exception only applies where RemotePartyRole as specified in the X520OrganizationalUnitName field = root;
only contain KeyIdentifiers generated as per method (2) of Section 4.2.1.2 of IETF RFC 5280. Thus KeyIdentifiers shall always be 8 octets in length;
contain an IssuerName which is identical to the Security Credential Document’s signer's SubjectName; and
have a valid notBefore field consisting of the time of issue encoded and a valid notAfter as per IETF RFC 5280 Section 4.1.2.5.
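
The key identifier and extension rules above can be checked mechanically. The following is an added example, not part of the GBCS: it derives a method (2) KeyIdentifier and tests an already-decoded certificate against the listed requirements (validity dates are not covered). The ParsedCert and Ext types, the role strings, the use of subject/issuer name equality to detect a self-signed document, and all sample values are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def key_identifier_method2(subject_public_key: bytes) -> bytes:
    """RFC 5280 method (2): type field 0100 + low 60 bits of SHA-1(subjectPublicKey)."""
    kid = bytearray(hashlib.sha1(subject_public_key).digest()[-8:])  # low 64 bits
    kid[0] = 0x40 | (kid[0] & 0x0F)  # overwrite the top 4 bits with 0100
    return bytes(kid)

@dataclass
class Ext:
    value: object      # decoded extension value
    critical: bool

@dataclass
class ParsedCert:      # hypothetical, already-decoded view of a Certificate
    subject: str
    issuer: str
    role: str          # RemotePartyRole from X520OrganizationalUnitName
    public_key: bytes  # subjectPublicKey BIT STRING contents
    ski: Optional[Ext] = None
    aki: Optional[Ext] = None       # value: KeyIdentifier octets
    policies: Optional[Ext] = None  # value: list of PolicyIdentifier OIDs

def profile_violations(cert: ParsedCert, signer_subject: str) -> List[str]:
    errs = []
    if cert.ski is None or cert.ski.critical:
        errs.append("subjectKeyIdentifier missing or marked critical")
    elif cert.ski.value != key_identifier_method2(cert.public_key):
        errs.append("subjectKeyIdentifier is not the 8-octet method (2) value")
    if cert.policies is None or not cert.policies.critical or not cert.policies.value:
        errs.append("certificatePolicies missing, non-critical or empty")
    # AKI may be absent only on a self-signed document whose role is root.
    exempt = cert.subject == cert.issuer and cert.role == "root"  # "root" encoding assumed
    if cert.aki is None:
        if not exempt:
            errs.append("authorityKeyIdentifier missing")
    elif cert.aki.critical or len(cert.aki.value) != 8 or cert.aki.value[0] >> 4 != 0x4:
        errs.append("authorityKeyIdentifier critical or not a method (2) KeyIdentifier")
    if cert.issuer != signer_subject:
        errs.append("IssuerName differs from signer's SubjectName")
    return errs

# Constructed sample data (not real GBCS certificates).
ISSUER_KEY, DEVICE_KEY = b"\x04" + b"\x11" * 64, b"\x04" + b"\x22" * 64
GOOD = ParsedCert("device-1", "issuing-ca", "device", DEVICE_KEY,
                  ski=Ext(key_identifier_method2(DEVICE_KEY), False),
                  aki=Ext(key_identifier_method2(ISSUER_KEY), False),
                  policies=Ext(["1.2.3.4"], True))
```

An empty list from profile_violations(GOOD, "issuing-ca") means the constructed certificate meets every rule the function checks.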