this.intermediates = arrayOf(*intermediates) // Defensive copy.
    }

    /**
     * Add a trusted root certificate to use when authenticating a peer. Peers must provide
     * a chain of certificates whose root is one of these.
     */
    fun addTrustedCertificate(certificate: X509Certificate) =
      apply {
        this.trustedCertificates += certificate
      }

    /**

    keyStoreType: String?,
    heldCertificate: HeldCertificate?,
    vararg intermediates: X509Certificate,
  ): X509KeyManager {
    val keyStore = newEmptyKeyStore(keyStoreType)
    if (heldCertificate != null) {
      val chain = arrayOfNulls<Certificate>(1 + intermediates.size)
      chain[0] = heldCertificate.certificate
      intermediates.copyInto(chain, 1)

  ): Boolean {
    if (toVerify.issuerDN != signingCert.subjectDN) {
      return false
    }
    if (signingCert.basicConstraints < minIntermediates) {
      return false // The signer can't have this many intermediates beneath it.
    }
    return try {
      toVerify.verify(signingCert.publicKey)
      true
    } catch (verifyFailed: GeneralSecurityException) {
      false
    }
  }

representative of real-world HTTPS deployment. To get closer to that we can use `HeldCertificate`
to generate a trusted root certificate, an intermediate certificate, and a server certificate.
We use `certificateAuthority(int)` to create certificates that can sign other certificates. The
int specifies how many intermediate certificates are allowed beneath it in the chain.

```java
HeldCertificate rootCertificate = new HeldCertificate.Builder()

        .Builder()
        .certificateAuthority(1)
        .build()
    val intermediate =
      HeldCertificate
        .Builder()
        .certificateAuthority(0)
        .signedBy(root)
        .build()
    val certificate =
      HeldCertificate
        .Builder()
        .signedBy(intermediate)
        .build()
    val handshakeCertificates =
      HandshakeCertificates

    assertThat(cleaner.clean(list(certificate, intermediateCa), "hostname"))
      .isEqualTo(
        list(certificate, intermediateCa, trusted),
      )
    assertThat(cleaner.clean(list(certificate, intermediateCa, trusted), "hostname"))
      .isEqualTo(
        list(certificate, intermediateCa, trusted),
      )
  }

  @Test
  fun chainMaxLength() {
    val heldCertificates = chainOfLength(10)

  - type: dropdown
    id: author-go-experience
    attributes:
      label: "Go Programming Experience"
      description: "Would you consider yourself a novice, intermediate, or experienced Go programmer?"
      options:
        - "Novice"
        - "Intermediate"
        - "Experienced"
      default: 1

  - type: input
    id: author-other-languages-experience
    attributes:
      label: "Other Languages Experience"

        GsaConfigException exception = new GsaConfigException("Top level GSA error", intermediateCause);

        assertNotNull(exception);
        assertEquals("Top level GSA error", exception.getMessage());

        // Check first level cause
        assertNotNull(exception.getCause());
        assertEquals("Intermediate problem", exception.getCause().getMessage());

        Exception intermediateCause = new IllegalStateException("Intermediate cause", rootCause);
        ScriptEngineException exception = new ScriptEngineException("Top level error", intermediateCause);

        assertEquals("Top level error", exception.getMessage());
        assertEquals(intermediateCause, exception.getCause());
        assertEquals("Intermediate cause", exception.getCause().getMessage());

### Choosing between application and network interceptors

Each interceptor chain has relative merits.

**Application interceptors**

 * Don't need to worry about intermediate responses like redirects and retries.
 * Are always invoked once, even if the HTTP response is served from the cache.
 * Observe the application's original intent. Unconcerned with OkHttp-injected headers like `If-None-Match`.