}
	if !bytes.Equal(caSecret.Data[CACertFile], CertPem) {
		t.Fatalf("CA cert does not match, want %v got %v", CertPem, caSecret.Data[CACertFile])
	}
	if !bytes.Equal(caSecret.Data[CAPrivateKeyFile], KeyPem) {
		t.Fatalf("CA cert does not match, want %v got %v", KeyPem, caSecret.Data[CAPrivateKeyFile])
	}
	serverSecret := BuildSecret(CACertsSecret, namespace, CertPem, KeyPem, nil, nil, nil, v1.SecretType(secretType))

		startComRoot,
	}

	var certDirs []string
	for i, certPEM := range rootPEMs {
		certDir := filepath.Join(tmpDir, fmt.Sprintf("cert-%d", i))
		if err := os.MkdirAll(certDir, 0755); err != nil {
			t.Fatalf("Failed to create certificate dir: %v", err)
		}
		certOutFile := filepath.Join(certDir, "cert.crt")
		if err := os.WriteFile(certOutFile, []byte(certPEM), 0655); err != nil {

			expectedErr:      "",
			expectedRootCert: []byte(certPem + "\n"),
		},
		"Non empty pem cert": {
			pemCert:          []byte(certPem),
			rootFile:         "",
			expectedErr:      "",
			expectedRootCert: []byte(certPem),
		},
		"Non empty pem cert and non empty root file": {
			pemCert:          []byte(certPem),
			rootFile:         "../testdata/cert.pem",
			expectedErr:      "",

	// First try to read the signed CSR through a watching mechanism
	certPEM, err := readSignedCsr(client, csr.Name, watchTimeout)
	if err != nil {
		return nil, nil, err
	}
	if len(certPEM) == 0 {
		return nil, nil, fmt.Errorf("no certificate returned for the CSR: %q", csr.Name)
	}
	certsParsed, _, err := util.ParsePemEncodedCertificateChain(certPEM)
	if err != nil {
		return nil, nil, fmt.Errorf("decoding certificate failed")

-----END EC PRIVATE KEY-----`)
	cert, err := tls.X509KeyPair(certPem, keyPem)
	if err != nil {
		log.Fatal(err)
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	listener, err := tls.Listen("tcp", ":2000", cfg)
	if err != nil {
		log.Fatal(err)
	}
	_ = listener
}

func ExampleX509KeyPair_httpServer() {
	certPem := []byte(`-----BEGIN CERTIFICATE-----

			log.Fatalf("--mode=%v is incompatible with --signer-cert or --signer-priv.", citadelMode)
		}
	default:
		log.Fatalf("Unsupported mode %v", *mode)
	}
}

func saveCreds(certPem []byte, privPem []byte) {
	err := os.WriteFile(*outCert, certPem, 0o644)
	if err != nil {
		log.Fatalf("Could not write output certificate: %s.", err)
	}

	err = os.WriteFile(*outPriv, privPem, 0o600)
	if err != nil {

kind: ConfigMap
metadata:
  name: external-forward-proxy-config
data:
  envoy.yaml: |-
{{ .envoyYaml | indent 4 }}
  external-forward-proxy-key.pem: |-
{{ .keyPem | indent 4 }}
  external-forward-proxy-cert.pem: |-

// CAServer is a mock CA server.
type CAServer struct {
	pb.UnimplementedIstioCertificateServiceServer
	URL            string
	GRPCServer     *grpc.Server
	Authenticators []security.Authenticator

	certPem       []byte
	keyPem        []byte
	KeyCertBundle *util.KeyCertBundle
	certLifetime  time.Duration

	rejectCSR       bool
	emptyCert       bool
	faultInjectLock *sync.Mutex
}

// limitations under the License.

package keycertbundle

import (
	"os"
	"sync"
)

// KeyCertBundle stores the cert, private key and root cert for istiod.
type KeyCertBundle struct {
	CertPem  []byte
	KeyPem   []byte
	CABundle []byte
}

type Watcher struct {
	mutex     sync.RWMutex
	bundle    KeyCertBundle
	watcherID int32
	watchers  map[int32]chan struct{}
}

		return fmt.Errorf("the cert does not match the key: %v", err)
	}

	return nil
}

func extractCertExpiryTimestamp(certType string, certPem []byte) (float64, error) {
	cert, err := ParsePemEncodedCertificate(certPem)
	if err != nil {
		return -1, fmt.Errorf("failed to parse the %s: %v", certType, err)
	}

	end := cert.NotAfter
	expiryTimestamp := float64(end.Unix())