TLSSecretCert = "tls.crt"
	// The ID/name for the k8sKey in kubernetes tls secret.
	TLSSecretKey = "tls.key"
	// The ID/name for the certificate OCSP staple in kubernetes tls secret
	TLSSecretOcspStaple = "tls.ocsp-staple"
	// The ID/name for the CA certificate in kubernetes tls secret
	TLSSecretCaCert = "ca.crt"
	// The ID/name for the CRL in kubernetes tls secret.
	TLSSecretCrl = "ca.crl"
)

		{
			name:            "tls",
			namespace:       "default",
			cert:            "tls-cert",
			key:             "tls-key",
			staple:          "tls-ocsp-staple",
			expectedCAError: "found secret, but didn't have expected keys cacert or ca.crt; found: tls.crt, tls.key, tls.ocsp-staple, and 0 more...",
		},
		{
			name:      "tls-mtls",
			namespace: "default",
			cert:      "tls-mtls-cert",
			key:       "tls-mtls-key",

			}
			if !bytes.Equal(cs.OCSPResponse, ocsp) {
				t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp)
			}
			// Only TLS 1.3 supports OCSP and SCTs on client certs.
			if v == VersionTLS13 {
				if len(ss.SignedCertificateTimestamps) != 2 {
					t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2)
				}
				if !bytes.Equal(ss.OCSPResponse, ocsp) {

  //  "server auth",
  //  "client auth",
  //  "code signing",
  //  "email protection",
  //  "s/mime",
  //  "ipsec end system",
  //  "ipsec tunnel",
  //  "ipsec user",
  //  "timestamping",
  //  "ocsp signing",
  //  "microsoft sgc",
  //  "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

  // Information about the requesting user.
  // See user.Info interface for details.

	//  "server auth", "client auth",
	//  "code signing", "email protection", "s/mime",
	//  "ipsec end system", "ipsec tunnel", "ipsec user",
	//  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
	// +listType=atomic
	Usages []KeyUsage `json:"usages,omitempty" protobuf:"bytes,5,opt,name=usages"`

  //  "server auth",
  //  "client auth",
  //  "code signing",
  //  "email protection",
  //  "s/mime",
  //  "ipsec end system",
  //  "ipsec tunnel",
  //  "ipsec user",
  //  "timestamping",
  //  "ocsp signing",
  //  "microsoft sgc",
  //  "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

  // Information about the requesting user.
  // See user.Info interface for details.

// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package pkix contains shared, low level structures used for ASN.1 parsing
// and serialization of X.509 certificates, CRL and OCSP.
package pkix

import (
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// AlgorithmIdentifier represents the ASN.1 structure of the same name. See RFC
// 5280, section 4.1.1.2.

	UsageIPsecTunnel       KeyUsage = "ipsec tunnel"
	UsageIPsecUser         KeyUsage = "ipsec user"
	UsageTimestamping      KeyUsage = "timestamping"
	UsageOCSPSigning       KeyUsage = "ocsp signing"
	UsageMicrosoftSGC      KeyUsage = "microsoft sgc"
	UsageNetscapeSGC       KeyUsage = "netscape sgc"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

  //  "server auth", "client auth",
  //  "code signing", "email protection", "s/mime",
  //  "ipsec end system", "ipsec tunnel", "ipsec user",
  //  "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc"
  // +listType=atomic
  repeated string usages = 5;

  // username contains the name of the user that created the CertificateSigningRequest.

			echOuterExts = append(echOuterExts, extensionStatusRequest)
		} else {
			exts.AddUint16(extensionStatusRequest)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint8(1)  // status_type = ocsp
				exts.AddUint16(0) // empty responder_id_list
				exts.AddUint16(0) // empty request_extensions
			})
		}
	}
	if len(m.supportedCurves) > 0 {
		// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7