A privilege separation HTTP proxy
The privilege it's guarding is the permission to talk to the upstream server. Incoming requests are checked against an ACL before being forwarded using the configured client certificate, which should be kept private. In addition, the incoming client must authenticate with a separate client certificate that the proxy accepts. This can be done with a simple valid-certificate check or by specifying an exact common name or key signature.
Thus you can hold a certificate with broad permissions and have this proxy reduce them to a smaller set. Obviously the incoming client can't have access to the upstream client certificate file, or this is pointless.
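As an added example (not the project's own code; the page does not give the proxy's language or configuration format, so Go, the type names and the rule shape are assumptions), this is the per-request decision such a proxy makes: the TLS layer has already verified the incoming client certificate chain, so this narrows acceptance to an exact common name or key (SPKI) fingerprint and then applies a deny-by-default ACL before the request may be forwarded with the private upstream credential.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"strings"
)

// ClientPolicy narrows which chain-valid client certificates are accepted: an exact
// Common Name and/or an exact hex SPKI SHA-256. Empty fields mean "any valid cert".
type ClientPolicy struct{ CommonName, SPKISHA256 string }

// ACLRule permits one HTTP method on one path prefix; unmatched requests are denied.
type ACLRule struct{ Method, PathPrefix string }

// SPKIFingerprint hashes the SubjectPublicKeyInfo, so it pins the key rather than
// one certificate and survives a routine renewal with the same key.
func SPKIFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Authorize decides whether the TLS peer may have this request forwarded with the
// upstream credential. cs is the handler's r.TLS; chain validity is the server's job
// (tls.RequireAndVerifyClientCert), this adds the identity pin and the ACL.
func Authorize(p ClientPolicy, acl []ACLRule, cs *tls.ConnectionState, method, path string) error {
	if cs == nil || len(cs.PeerCertificates) == 0 {
		return errors.New("no client certificate presented")
	}
	cert := cs.PeerCertificates[0] // leaf certificate of the verified chain
	if p.CommonName != "" && cert.Subject.CommonName != p.CommonName {
		return errors.New("client common name not accepted")
	}
	if p.SPKISHA256 != "" && !strings.EqualFold(SPKIFingerprint(cert), p.SPKISHA256) {
		return errors.New("client key fingerprint not accepted")
	}
	for _, r := range acl {
		if r.Method == method && strings.HasPrefix(path, r.PathPrefix) {
			return nil
		}
	}
	return errors.New("request denied by ACL") // deny by default
}
```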
The program will exit with status code 10 if it detects that any of the certificates has expired. You can use that exit code to detect this condition.