* a chain of certificates. The server uses a set of trusted root certificates to authenticate the
 * client. Subject alternative names are not used for client authentication.
 */
@Suppress("DEPRECATION")
class HeldCertificate(
  @get:JvmName("keyPair") val keyPair: KeyPair,
  @get:JvmName("certificate") val certificate: X509Certificate,
) {
  @JvmName("-deprecated_certificate")
  @Deprecated(
    message = "moved to val",

  @Test
  fun pinRootNotPresentInChain() {
    // Fails on 11.0.1 https://github.com/square/okhttp/issues/4703
    val rootCa =
      HeldCertificate.Builder()
        .serialNumber(1L)
        .certificateAuthority(1)
        .commonName("root")
        .build()
    val intermediateCa =
      HeldCertificate.Builder()
        .signedBy(rootCa)
        .certificateAuthority(0)
        .serialNumber(2L)

  @Test
  fun heldCertificate() {
    val heldCertificate: HeldCertificate = HeldCertificate.Builder().build()
    val certificate: X509Certificate = heldCertificate.certificate
    val keyPair: KeyPair = heldCertificate.keyPair
    val certificatePem: String = heldCertificate.certificatePem()
    val privateKeyPkcs8Pem: String = heldCertificate.privateKeyPkcs8Pem()
    val privateKeyPkcs1Pem: String = heldCertificate.privateKeyPkcs1Pem()
  }

  }

  companion object {
    val certA1 =
      HeldCertificate.Builder()
        .serialNumber(100L)
        .build()
    val certA1Sha256Pin = pin(certA1.certificate)
    val certB1 =
      HeldCertificate.Builder()
        .serialNumber(200L)
        .build()
    val certB1Sha256Pin = pin(certB1.certificate)
    val certC1 =
      HeldCertificate.Builder()
        .serialNumber(300L)
        .build()

  @Test
  fun commonName() {
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("cash.app")
        .build()
    val certificate = heldCertificate.certificate
    assertThat(certificate.getSubjectX500Principal().name).isEqualTo("CN=cash.app")
  }

  @Test
  fun organizationalUnit() {
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("cash.app")

  private lateinit var server: MockWebServer
  private lateinit var serverRootCa: HeldCertificate
  private lateinit var serverIntermediateCa: HeldCertificate
  private lateinit var serverCert: HeldCertificate
  private lateinit var clientRootCa: HeldCertificate
  private lateinit var clientIntermediateCa: HeldCertificate
  private lateinit var clientCert: HeldCertificate

  @BeforeEach
  fun setUp(server: MockWebServer) {
    this.server = server

  }

  @Test fun generatedCertificate() {
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("Foo Corp")
        .addSubjectAlternativeName("foo.com")
        .build()
    val session = session(heldCertificate.certificatePem())
    assertThat(verifier.verify("foo.com", session)).isTrue()

    val heldCertificate: HeldCertificate = HeldCertificate.Builder().build()
    builder = builder.heldCertificate(heldCertificate, heldCertificate.certificate())
    builder = builder.addTrustedCertificate(heldCertificate.certificate())
  }

  @Test @Disabled
  fun heldCertificate() {
    val heldCertificate: HeldCertificate = HeldCertificate.Builder().build()

    assertThat(encoded).isEqualTo(privateKeyInfoByteString)
  }

  @Test
  fun `RSA issuer and signature`() {
    val root =
      HeldCertificate.Builder()
        .certificateAuthority(0)
        .rsa2048()
        .build()
    val certificate =
      HeldCertificate.Builder()
        .signedBy(root)
        .rsa2048()
        .build()

## Version 4.2.0

_2019-09-10_

 *  New: API to decode a certificate and private key to create a `HeldCertificate`. This accepts a
    string containing both a certificate and PKCS #8-encoded private key.

    ```kotlin
    val heldCertificate = HeldCertificate.decode("""
        |-----BEGIN CERTIFICATE-----
        |MIIBYTCCAQegAwIBAgIBKjAKBggqhkjOPQQDAjApMRQwEgYDVQQLEwtlbmdpbmVl