val data = CertificateAdapters.certificate.toDer(this)
    try {
      val certificateFactory = CertificateFactory.getInstance("X.509")
      val certificates = certificateFactory.generateCertificates(Buffer().write(data).inputStream())
      return certificates.single() as X509Certificate
    } catch (e: NoSuchElementException) {
      throw IllegalArgumentException("failed to decode certificate", e)
    } catch (e: IllegalArgumentException) {

    // Add a bad intermediate CA and have that issue a rogue certificate for localhost. Prepare
    // an SSL context for an attacking webserver. It includes both these rogue certificates plus the
    // trusted good certificate above. The attack is that by including the good certificate in the
    // chain, we may trick the certificate pinner into accepting the rouge certificate.
    val compromisedIntermediateCa =
      HeldCertificate

        peerCertificates = listOf(serverCertificate.certificate, serverIntermediate.certificate),
        localCertificates = listOf(),
      )

    assertThat(handshake.tlsVersion).isEqualTo(TlsVersion.TLS_1_3)
    assertThat(handshake.cipherSuite).isEqualTo(CipherSuite.TLS_AES_128_GCM_SHA256)
    assertThat(handshake.peerCertificates).containsExactly(
      serverCertificate.certificate,
      serverIntermediate.certificate,
    )

 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */
abstract class CertificateChainCleaner {
  @Throws(SSLPeerUnverifiedException::class)

    throw IllegalArgumentException("failed to decode certificate", nsee)
  } catch (iae: IllegalArgumentException) {
    throw IllegalArgumentException("failed to decode certificate", iae)
  } catch (e: GeneralSecurityException) {
    throw IllegalArgumentException("failed to decode certificate", e)
  }
}

/**
 * Returns the certificate encoded in [PEM format][rfc_7468].
 *

 * ```
 *
 * In this example the HTTP client already knows and trusts the last certificate, "Entrust Root
 * Certification Authority - G2". That certificate is used to verify the signature of the
 * intermediate certificate, "Entrust Certification Authority - L1M". The intermediate certificate
 * is used to verify the signature of the "www.squareup.com" certificate.
 *

        .serialNumber(1L)
        .build()
    val rootB =
      HeldCertificate
        .Builder()
        .serialNumber(2L)
        .build()
    assertThat(get(rootB.certificate, rootA.certificate))
      .isEqualTo(get(rootA.certificate, rootB.certificate))
  }

  @Test
  fun equalsFromTrustManager() {
    val handshakeCertificates = HandshakeCertificates.Builder().build()

    }

    // Should not be pinned:
    certificatePinner.check("uk", listOf(certB1.certificate))
    certificatePinner.check("co.uk", listOf(certB1.certificate))
    certificatePinner.check("anotherexample.co.uk", listOf(certB1.certificate))
    certificatePinner.check("foo.anotherexample.co.uk", listOf(certB1.certificate))
  }

  @Test
  fun testBadPin() {

    .heldCertificate(serverCertificate, intermediateCertificate.certificate())
    .build();
```

The client only needs to know the trusted root certificate. It checks the server's certificate by
validating the signatures within the chain.

```java
HandshakeCertificates clientCertificates = new HandshakeCertificates.Builder()
    .addTrustedCertificate(rootCertificate.certificate())
    .build();

```

### 3.2 Use OpenSSL to Generate a Certificate

Use one of the following methods to generate a certificate using `openssl`:

* 3.2.1 [Generate a private key with ECDSA](#generate-private-key-with-ecdsa)
* 3.2.2 [Generate a private key with RSA](#generate-private-key-with-rsa)
* 3.2.3 [Generate a self-signed certificate](#generate-a-self-signed-certificate)

#### 3.2.1 Generate a private key with ECDSA