[builder][held_certificate_builder] to create a self-signed certificate that a test server can use
for HTTPS:

```java
HeldCertificate localhostCertificate = new HeldCertificate.Builder()
    .addSubjectAlternativeName("localhost")
    .build();
```

[`HandshakeCertificates`][handshake_certificates] keeps the certificates for a TLS handshake.

        .certificateAuthority(1)
        .commonName("root")
        .addSubjectAlternativeName("root_ca.com")
        .build()
    serverIntermediateCa =
      HeldCertificate.Builder()
        .signedBy(serverRootCa)
        .certificateAuthority(0)
        .serialNumber(2L)
        .commonName("intermediate_ca")
        .addSubjectAlternativeName("intermediate_ca.com")
        .build()
    serverCert =

    // Generate a self-signed cert for the server to serve and the client to trust.
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("localhost")
        .addSubjectAlternativeName("localhost")
        .addSubjectAlternativeName("localhost.localdomain")
        .build()
    return@lazy HandshakeCertificates.Builder()
      .heldCertificate(heldCertificate)
      .addTrustedCertificate(heldCertificate.certificate)

      .isCloseTo(now.toDouble() + durationMillis, deltaMillis)
  }

  @Test
  fun subjectAlternativeNames() {
    val heldCertificate =
      HeldCertificate.Builder()
        .addSubjectAlternativeName("1.1.1.1")
        .addSubjectAlternativeName("cash.app")
        .build()
    val certificate = heldCertificate.certificate
    assertThat(certificate.subjectAlternativeNames.toList()).containsExactly(

    assertThat(response.handshake!!.peerPrincipal).isNull()
  }

  @Test fun `bad certificates host in insecureHosts fails with SSLException`() {
    val heldCertificate =
      HeldCertificate.Builder()
        .addSubjectAlternativeName("example.com")
        .build()
    val serverCertificates =
      HandshakeCertificates.Builder()
        .heldCertificate(heldCertificate)
        .build()

    // https://www.gosecure.net/blog/2020/10/27/weakness-in-java-tls-host-verification/
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("Foo Corp")
        .addSubjectAlternativeName("k.com")
        .addSubjectAlternativeName("tel.com")
        .build()
    val session = session(heldCertificate.certificatePem())
    assertThat(verifier.verify("foo.com", session)).isFalse()

   * Host header).
   */
  @Test
  fun domainFronting() {
    val heldCertificate =
      HeldCertificate.Builder()
        .commonName("server name")
        .addSubjectAlternativeName("url-host.com")
        .build()
    val handshakeCertificates =
      HandshakeCertificates.Builder()
        .heldCertificate(heldCertificate)
        .addTrustedCertificate(heldCertificate.certificate)

        .commonName("attacker")
        .addSubjectAlternativeName("attacker.com")
        .signedBy(pinnedIntermediate)
        .build()
    val phonyVictim =
      HeldCertificate.Builder()
        .serialNumber(6L)
        .signedBy(attackerSwitch)
        .addSubjectAlternativeName("victim.com")
        .commonName("victim")
        .build()
    val certificatePinner =

      HeldCertificate.Builder()
        .signedBy(rootCa)
        .serialNumber(2L)
        .commonName(server.hostName)
        .addSubjectAlternativeName(server.hostName)
        .addSubjectAlternativeName("san.com")
        .addSubjectAlternativeName("*.wildcard.com")
        .addSubjectAlternativeName("differentdns.com")
        .build()
    serverIps = Dns.SYSTEM.lookup(server.hostName)
    dns[server.hostName] = serverIps

     * extension will be omitted.
     */
    fun addSubjectAlternativeName(altName: String) =
      apply {
        altNames += altName
      }

    /**
     * Set this certificate's common name (CN). Historically this held the hostname of TLS
     * certificate, but that practice was deprecated by [RFC 2818][rfc_2818] and replaced with
     * [addSubjectAlternativeName]. If unset a random string will be used.
     *